Jason Davis Tue, 07/22/2008 - 18:24
User Badges:
  • Cisco Employee,

Depends on how you have it configured. Output to flat files? Output to MySQL server?


I have a couple Syslog-NG instances in my NM Lab and I have it set to put all Syslogs in a daily file and also in a device-daily file. So to retain 90 days, I just don't rotate logs any more than 90 days.


Here's a sample syslog-ng.conf file. Your specific implementation will vary depending on file drop or database insert methods...

http://www.campin.net/syslog-ng.conf


jdevoll Wed, 07/23/2008 - 08:04
User Badges:

Current output is simply to a single, large, flat file. When you say you don't rotate logs more than 90 days, does that mean you manually do it?

Jason Davis Wed, 07/23/2008 - 08:28
User Badges:
  • Cisco Employee,

No, since my files are daily generated, in order to keep more than 90 days of logs, I just don't delete the dailies. I actually do take the dailies that are more than 60 days and zip them. Since syslogs are text, they squish very nicely.


Since you're using a single, large flat file, you'll need to use some utility to trim that file. You might be better served using the same method I am - putting messages into daily files.


jdevoll Wed, 07/23/2008 - 08:45
User Badges:

I agree that a daily file is much more friendly. Although it adds a level of complexity to a script we're currently using to scan the file. Once you have a daily file it would be really easy to cron a script to delete files in the appropriate directory that have a creation date of > then 90 days.


Thanks for the info, much appreciated.



Actions

This Discussion