Reputation: 15
syslog-ng processing all messages after restart
i'm running syslog-ng inside docker, i'm collecting logs from local files, process them and then write to another logfile or send them to slack.
I noticed that whenever i need to updated syslog-ng config and restart container, syslog-ng re-reads all messages from source logfiles which causes duplications in destination files, slack channel.
Is there option to tell syslog that after reboot only new messages should be processed or maybe process only 1hour old logfiles?
i tried to google/check documentation but without luck, i'm probably not asking the question correctly because i would assume this option exist or not? thanks
Upvotes: 0
Views: 1033
Answers (2)
Reputation: 31
It sounds like you might be losing the persist file that was mentioned by MrAnno. You could try putting this and the log file on a persisted folder so that syslog-ng can reference where it was last and process from there.
Upvotes: 1
Reputation: 754
syslog-ng, by default, persists positions for sources where the concept of "bookmarking" or "position-tracking" is applicable.
This is true for regular file sources as well.
All you have to do is keep the syslog-ng persist file intact (syslog-ng.persist under the /var folder).
Upvotes: 2
Related Questions
- syslog-ng return original value when mapping does not exists
- logging with syslog-ng and systemd
- Syslog-ng row message required to send- no timestamp - no header require
- Confused with syslog message format
- Forwarding message to syslog server
- syslog-ng sending message to console and file
- syslog-ng issue in tagging to server
- Why syslog stop writing log after edit certain log?
- syslog-ng multiple destinations
- Syslog-ng not flushing output to python program