Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Rsyslog Log Rotation

dillardo_2
Path Finder
‎01-24-2020 08:37 AM

We need to rotate syslog files once they reach a certain size.
Our directory structure looks like the following:

/opt/splunk/syslog/datasource1
/opt/splunk/syslog/datasource2
/opt/splunk/syslog/datasource3

etc.

Once files in the source folders reach 1GB for example, we need them to be moved to /opt/splunk/old_files

Has anyone successfully set up a rotation script?

0 Karma
Reply

jawahir007
Communicator
‎01-27-2020 04:27 AM

Refer this link:
https://www.tecmint.com/manage-linux-system-logs-using-rsyslogd-and-logrotate/

Reply

dillardo_2
Path Finder
‎01-27-2020 03:40 PM

Thanks, I did see this and have tried using logrotate. When we rotate the logs, they need to be moved to an archive folder outside of the syslog directory. When I add a command to move the files after postrotate, they files are moved successfully, but rsyslog stops working and must be restarted.

For example: 

/opt/splunk/syslog/*/*
 {
    daily
    missingok
    compress    
    notifempty    
    sharedscripts
    postrotate
                mv /opt/splunk/syslog/*/*.gz /opt/splunk/archive/;
    endscript
}
0 Karma
Reply

dillardo_2
Path Finder
‎01-27-2020 03:42 PM

This works for us, but rsyslog stops processing data and has to be restarted.

0 Karma
Reply

mydog8it
Builder
‎01-24-2020 11:32 AM

We create a new file per device type every hour and throw away files in 72 hours.

0 Karma
Reply

dillardo_2
Path Finder
‎01-26-2020 12:35 PM

@mydog8it, are you able to share your process and the script you are using? That would be helpful.

0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎01-26-2020 01:20 PM

the hourly rotation is by design is you name the log file in rsyslog with mylog-yearmonthday-hour.log
(and that avoid any race condition as it is done directly by rsyslog)
to purge, just add a simple script in /etc/cron.d/purgemylog.cron
with hourly + run as a user who can delete log then run
find /var/log/mylogdir -type f -name \"mylog*.log\"-mtime +2 -delete
if you want to keep them 2 days
(or -mmin +xxx for more granularity)

make sure you specify the directory and a filename form in your find command to avoid any bad surprise...

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...