Syslog-ng does not handle log rotation. This can be handled through cron or the logrotate command. To use logrotate you will need to add a configuration file to /etc/logrotate.d. For example, you could create a file called "splunk_logs" in /etc/logrotate.d. For simplicity, you can copy an existing file in /etc/logrotate.d and use it as a template. You will then want to modify it to fit your use case (see example below).

    # Replace with the correct path
    /var/log/syslog/logs/catch_all/*.log {
        # Keep 2 files. Combined with "weekly", this keeps logs for 2 weeks.
        rotate 2
        # Rotate weekly
        weekly
        missingok
        notifempty
        compress
        sharedscripts
        postrotate
            invoke-rc.d syslog-ng reload > /dev/null
        endscript
    }

See the man pages for logrotate to learn more.

To use cron you could do something like this to keep the logs for 2 weeks: run crontab -e as root, then add the following cron job.

    0 3 * * * /usr/bin/find /var/log/syslog/logs/catch_all -type f -daystart -mtime +14 -exec rm {} \;

This will run at 3 am every day and remove the logs after 14 days. Be sure to update the path to the log files.

Hope this helps! Happy Splunking!
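Added example, not code from the original post or from the syslog-ng or Splunk projects: a shell function that implements the same 14-day cleanup as the cron line in the answer above, with a dry-run mode so the job can be checked before it deletes anything, and a *.log name filter so unrelated files that land in the directory are left alone. It assumes GNU find and touch (for -daystart and touch -d); the function names prune_logs, count_files and demo, and the sample files demo creates, are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU find and touch.

# prune_logs DIR DAYS [dry]
# Deletes regular files named *.log under DIR whose mtime is more than DAYS
# full days old, measured from the start of today (-daystart), exactly as the
# cron line does. Each matching path is printed; with a third argument "dry"
# the paths are listed but nothing is removed.
prune_logs() {
    dir=$1
    days=$2
    mode=${3:-delete}
    if [ ! -d "$dir" ]; then
        echo "prune_logs: no such directory: $dir" >&2
        return 1
    fi
    if [ "$mode" = dry ]; then
        find "$dir" -type f -name '*.log' -daystart -mtime +"$days" -print
    else
        # -print runs before -delete, so the job logs what it removed.
        find "$dir" -type f -name '*.log' -daystart -mtime +"$days" -print -delete
    fi
}

# count_files DIR: number of regular files left under DIR (used to check results).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# demo: builds a constructed temporary directory with files aged 1, 20 and
# 40 days plus a 40-day-old non-log file, runs a dry run and then a real
# run with a 14-day retention, and prints the number of files that survive.
demo() {
    tmp=$(mktemp -d)
    touch -d '1 day ago'   "$tmp/recent.log"   # kept: newer than 14 days
    touch -d '20 days ago' "$tmp/old.log"      # removed
    touch -d '40 days ago' "$tmp/older.log"    # removed
    touch -d '40 days ago' "$tmp/notes.txt"    # kept: not a *.log file
    prune_logs "$tmp" 14 dry    # lists old.log and older.log, deletes nothing
    prune_logs "$tmp" 14        # removes the two aged .log files
    remaining=$(count_files "$tmp")
    rm -rf "$tmp"
    echo "$remaining"           # 2 (recent.log and notes.txt)
}
```

To use it from cron, replace the -exec rm form in the answer with a call to prune_logs against the real directory; run it once with the dry argument first and read the list it prints before scheduling the deleting form. The -name '*.log' filter is a deliberate difference from the original cron line, which removes every regular file under the path.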