We have rsyslog writing files to numerous directories on Splunk heavy forwarders. In order to keep the logfiles from growing to unmanageable size and filling the disk on the forwarders, we would like to have rsyslog start a new file every hour. We need to be able to determine when it is safe to compress and/or remove the old files.
Cron jobs are no good if queues are blocked or splunkd not running for extended periods.
Splunk queries (search for last message in a file) are not good, since they would require authentication and would impose an unacceptable search load (there are thousands of files across 60 heavy forwarders).
We can't use batch inputs, as we can't tolerate delays of up to an hour ingesting data.
Logrotate causes mangled and dropped events when it runs, and the more often it runs the more damage it causes.
So... we need some way to be able to tell when Splunk has read all of a file being monitored, or a count of the number of lines read, or something we can use to know when it's safe to remove a syslog file that's no longer being written.
