I have configured log rotation on my heavy forwarders in a way that matches the ingestion rate of each source. This setup helps balance performance with storage management.

• High ingesting sources → rotated every 1 hour
• Low ingesting sources → rotated at 4 hours, 8 hours, 1 day, or longer depending on the data volume
• Daily compression → after 24 hours, files are zipped
• Retention policy → zipped files are kept for 1 week
• Automatic cleanup → after 1 week, files are deleted to prevent storage fill‑up on the heavy forwarder

Thanks for your support!

If possible, could you please share a sample from your rsyslog config as am used to go with the syslog-ng as it's simple configuration.

another question, is the file size affect the performance of the tail reader, and batch reader?

Generally the size of a file should not affect software which just writes at the end of the file or reads there. Of course the bigger a file is, the more time you need to read it whole but that's obvious. If you wanted to cache a whole file in memory (why would you do that?) then the size would matter. Maybe if you used some ancient filesystem the size would matter. With a modern OS the file size doesn't really affect reading/writing performance.

BTW, with modern syslog daemons you can write directly to HEC input and skip local files altogether (which takes the PITA of maintaining the log rotation scripts, monitoring free space and so on).

Hi @0xAli ,

I usually use something like this:

input(type="im<protocol>" port="<port>" ruleset="<input_name>")

template(name="<template_name>" type="string"  string="/data/syslog/<technology>/%fromhost-ip%/%$YEAR%/%$MONTH%/%$DAY%/<technology>_%$HOUR%.log")

ruleset(name="<input_name>"){
        action(type="omfile" dynaFile="<template_name>" fileOwner="<splunk_user>" fileGroup="<splunk_group>" dirOwner="<splunk_user>" dirGroup="<splunk_group>")
}

in a dedicated .conf file.

ciao.

Giuseppe