https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495778#M84534 <P>@mydog8it, are you able to share your process and the script you are using? That would be helpful. </P> Sun, 26 Jan 2020 20:35:48 GMT dillardo_2 2020-01-26T20:35:48Z https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495776#M84532 <P>We need to rotate syslog files once they reach a certain size. <BR /> Our directory structure looks like the following:</P> <P>/opt/splunk/syslog/datasource1<BR /> /opt/splunk/syslog/datasource2 <BR /> /opt/splunk/syslog/datasource3 </P> <P>etc. </P> <P>Once files in the source folders reach 1GB for example, we need them to be moved to /opt/splunk/old_files</P> <P>Has anyone successfully set up a rotation script? </P> Fri, 24 Jan 2020 16:37:45 GMT https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495776#M84532 dillardo_2 2020-01-24T16:37:45Z https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495777#M84533 <P>We create a new file per device type every hour and throw away files in 72 hours.</P> Fri, 24 Jan 2020 19:32:47 GMT https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495777#M84533 mydog8it 2020-01-24T19:32:47Z https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495778#M84534 <P>@mydog8it, are you able to share your process and the script you are using? That would be helpful. </P> Sun, 26 Jan 2020 20:35:48 GMT https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495778#M84534 dillardo_2 2020-01-26T20:35:48Z https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495779#M84535 <P>the hourly rotation is by design is you name the log file in rsyslog with mylog-yearmonthday-hour.log<BR /> (and that avoid any race condition as it is done directly by rsyslog)<BR /> to purge, just add a simple script in /etc/cron.d/purgemylog.cron<BR /> with hourly + run as a user who can delete log then run <BR /> find /var/log/mylogdir -type f -name \"mylog*.log\"-mtime +2 -delete<BR /> if you want to keep them 2 days <BR /> (or -mmin +xxx for more granularity)</P> <P>make sure you specify the directory and a filename form in your find command to avoid any bad surprise...</P> Sun, 26 Jan 2020 21:20:11 GMT https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495779#M84535 maraman_splunk 2020-01-26T21:20:11Z https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495780#M84536 <P>Refer this link:<BR /> <A href="https://www.tecmint.com/manage-linux-system-logs-using-rsyslogd-and-logrotate/">https://www.tecmint.com/manage-linux-system-logs-using-rsyslogd-and-logrotate/</A></P> Mon, 27 Jan 2020 12:27:04 GMT https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495780#M84536 Jawahir 2020-01-27T12:27:04Z https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495781#M84537 <P>Thanks, I did see this and have tried using logrotate. When we rotate the logs, they need to be moved to an archive folder outside of the syslog directory. When I add a command to move the files after postrotate, they files are moved successfully, but rsyslog stops working and must be restarted.</P> <PRE><CODE>For example: /opt/splunk/syslog/*/* { daily missingok compress notifempty sharedscripts postrotate mv /opt/splunk/syslog/*/*.gz /opt/splunk/archive/; endscript } </CODE></PRE> Mon, 27 Jan 2020 23:40:19 GMT https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495781#M84537 dillardo_2 2020-01-27T23:40:19Z https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495782#M84538 <P>This works for us, but rsyslog stops processing data and has to be restarted. </P> Mon, 27 Jan 2020 23:42:59 GMT https://community.splunk.com/t5/Getting-Data-In/Rsyslog-Log-Rotation/m-p/495782#M84538 dillardo_2 2020-01-27T23:42:59Z