Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Rsyslog Log Rotation

dillardo_2
Path Finder
‎01-24-2020 08:37 AM

We need to rotate syslog files once they reach a certain size.
Our directory structure looks like the following:

/opt/splunk/syslog/datasource1
/opt/splunk/syslog/datasource2
/opt/splunk/syslog/datasource3

etc.

Once files in the source folders reach 1GB for example, we need them to be moved to /opt/splunk/old_files

Has anyone successfully set up a rotation script?

0 Karma
Reply

Jawahir
Communicator
‎01-27-2020 04:27 AM

Refer this link:
https://www.tecmint.com/manage-linux-system-logs-using-rsyslogd-and-logrotate/

Reply

dillardo_2
Path Finder
‎01-27-2020 03:40 PM

Thanks, I did see this and have tried using logrotate. When we rotate the logs, they need to be moved to an archive folder outside of the syslog directory. When I add a command to move the files after postrotate, they files are moved successfully, but rsyslog stops working and must be restarted.

For example: 

/opt/splunk/syslog/*/*
 {
    daily
    missingok
    compress    
    notifempty    
    sharedscripts
    postrotate
                mv /opt/splunk/syslog/*/*.gz /opt/splunk/archive/;
    endscript
}
0 Karma
Reply

dillardo_2
Path Finder
‎01-27-2020 03:42 PM

This works for us, but rsyslog stops processing data and has to be restarted.

0 Karma
Reply

mydog8it
Builder
‎01-24-2020 11:32 AM

We create a new file per device type every hour and throw away files in 72 hours.

0 Karma
Reply

dillardo_2
Path Finder
‎01-26-2020 12:35 PM

@mydog8it, are you able to share your process and the script you are using? That would be helpful.

0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎01-26-2020 01:20 PM

the hourly rotation is by design is you name the log file in rsyslog with mylog-yearmonthday-hour.log
(and that avoid any race condition as it is done directly by rsyslog)
to purge, just add a simple script in /etc/cron.d/purgemylog.cron
with hourly + run as a user who can delete log then run
find /var/log/mylogdir -type f -name \"mylog*.log\"-mtime +2 -delete
if you want to keep them 2 days
(or -mmin +xxx for more granularity)

make sure you specify the directory and a filename form in your find command to avoid any bad surprise...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...