Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Rsyslog Log Rotation

dillardo_2
Path Finder
‎01-24-2020 08:37 AM

We need to rotate syslog files once they reach a certain size.
Our directory structure looks like the following:

/opt/splunk/syslog/datasource1
/opt/splunk/syslog/datasource2
/opt/splunk/syslog/datasource3

etc.

Once files in the source folders reach 1GB for example, we need them to be moved to /opt/splunk/old_files

Has anyone successfully set up a rotation script?

0 Karma
Reply

jawahir007
Communicator
‎01-27-2020 04:27 AM

Refer this link:
https://www.tecmint.com/manage-linux-system-logs-using-rsyslogd-and-logrotate/

Reply

dillardo_2
Path Finder
‎01-27-2020 03:40 PM

Thanks, I did see this and have tried using logrotate. When we rotate the logs, they need to be moved to an archive folder outside of the syslog directory. When I add a command to move the files after postrotate, they files are moved successfully, but rsyslog stops working and must be restarted.

For example: 

/opt/splunk/syslog/*/*
 {
    daily
    missingok
    compress    
    notifempty    
    sharedscripts
    postrotate
                mv /opt/splunk/syslog/*/*.gz /opt/splunk/archive/;
    endscript
}
0 Karma
Reply

dillardo_2
Path Finder
‎01-27-2020 03:42 PM

This works for us, but rsyslog stops processing data and has to be restarted.

0 Karma
Reply

mydog8it
Builder
‎01-24-2020 11:32 AM

We create a new file per device type every hour and throw away files in 72 hours.

0 Karma
Reply

dillardo_2
Path Finder
‎01-26-2020 12:35 PM

@mydog8it, are you able to share your process and the script you are using? That would be helpful.

0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎01-26-2020 01:20 PM

the hourly rotation is by design is you name the log file in rsyslog with mylog-yearmonthday-hour.log
(and that avoid any race condition as it is done directly by rsyslog)
to purge, just add a simple script in /etc/cron.d/purgemylog.cron
with hourly + run as a user who can delete log then run
find /var/log/mylogdir -type f -name \"mylog*.log\"-mtime +2 -delete
if you want to keep them 2 days
(or -mmin +xxx for more granularity)

make sure you specify the directory and a filename form in your find command to avoid any bad surprise...

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
li.common.scroll-to.top