Syslog in small files

#1 JA_808690

Hi,
I've been running NXLog Community for years with this configuration:
########################################
<Extension exec>
Module xm_exec
</Extension>

<Extension syslog>
Module xm_syslog
</Extension>

<Input syslog514udp>
Module im_udp
Port 514
Host 0.0.0.0
</Input>

<Input syslog514tcp>
Module im_tcp
Port 514
Host 0.0.0.0
</Input>

<Output consolefile>
Module om_file
File $MessageSourceAddress+"/Syslog-"+ strftime(now(),"%Y-%m-%d-%H") + ".log"
# Add a timestamp to the event
Exec $raw_event = now() + " " + $raw_event;
CreateDir TRUE
</Output>

<Output cdrfile>
Module om_file
File $MessageSourceAddress+"/CDR/CDR-"+ strftime(now(),"%Y-%m-%d-%H") + ".log"
Exec if $raw_event =~ /<142>|<141>[S=\d+]\s|(.) / { \
$raw_event = $1 ; \
} \
else \
drop();
CreateDir TRUE
</Output>

<Output cdrlogger>
Module om_udp
Host 127.0.0.1
Port 1514
Exec if $raw_event =~ /<142>|<141>[S=\d+]\s|(.) / { \
$raw_event = $1 ; \
} \
else \
drop();
</Output>

<Route udp>
Priority 1
Path syslog514udp => consolefile, cdrfile, cdrlogger
</Route>

<Route tcp>
Priority 2
Path syslog514tcp => consolefile, cdrfile, cdrlogger
</Route>
###############################################

With this configuration I receive one log file per hour. Now I have a system which generates a 400MB file, which is too large for my syslog viewer. Is there a way to get multiple files per hour? Let's say four 100MB files per hour.

I've tried to extend my configuration with:
<Exec>
if file->file_size() > 100M
{
$newfile = "tmp/output_" + $Hostname + "_" +
strftime(now(), "%Y%m%d%H%M%S");
file->rotate_to($newfile);
exec_async("/bin/bzip2", $newfile);
}
</Exec>

But I get the following error:
couldn't parse statement at line 24, character 28 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; module file not found

Line 24 is the if statement. All required modules are in the module folder.

Does somebody have a hint?

#2 rafDeactivated Nxlog ✓

Hi,

Correct me if I'm wrong, but looking at your config file, I assume you're putting the if condition into the <Output consolefile> section. In this case, you may try to change your

file->file_size()

to

consolefile->file_size()

Regards,

Rafal
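
The change suggested in the reply above, applied to the consolefile output from the first post, as an added example that is not part of the original thread. The "Syslog-part-" file name is an assumed naming scheme that keeps rotated files in the same per-source directory, and the bzip2 step is left out because the config path in the error message is a Windows one, where /bin/bzip2 does not exist.

```nxlog
<Output consolefile>
    Module      om_file
    File        $MessageSourceAddress + "/Syslog-" + strftime(now(), "%Y-%m-%d-%H") + ".log"
    CreateDir   TRUE
    <Exec>
        # Prefix each event with the receive time, as in the original config
        $raw_event = now() + " " + $raw_event;

        # Call file_size() on this om_file instance by its own name
        # (consolefile); "file" is not the name of any instance in this config
        if consolefile->file_size() > 100M
        {
            # Assumed naming scheme: same directory, second-resolution suffix
            $newfile = $MessageSourceAddress + "/Syslog-part-" +
                       strftime(now(), "%Y%m%d%H%M%S") + ".log";
            consolefile->rotate_to($newfile);
        }
    </Exec>
</Output>
```

The same pattern applies to the cdrfile output, with cdrfile-> in place of consolefile->.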