In message <[email protected]>,
M Haris Farooque writes:

>I would just like to know what will happen when a file (data.log) that is
>hooked to the SEC_STARTUP event, as shown in the following rule definition,
>is rotated automatically.
>
>type=single
>ptype=substr
>pattern=SEC_STARTUP
>continue=TakeNext
>context=SEC_INTERNAL_EVENT
>desc=$0
>action= spawn /usr/bin/tail -f /var/log///data.log

>Like in my case, data.log is rotated automatically when the file size
>exceeds 1GB. It is moved/renamed (a timestamp is appended to the end of
>its name) and a new file 'data.log' (of 0 bytes) is touched.
>
>Does SEC continue operating with the new file without problems?

You are using tail -f and not tail -F, so it won't jump to the new
file. In my version of tail the two are different. From the man
page:

    -f, --follow[={name|descriptor}]
           output appended data as the file grows; -f, --follow, and
           --follow=descriptor are equivalent
    -F     same as --follow=name --retry
    [...]

    With --follow (-f), tail defaults to following the file
    descriptor, which means that even if a tail'ed file is renamed,
    tail will continue to track its end.  This default behavior is not
    desirable when you really want to track the actual name of the
    file, not the file descriptor (e.g., log rotation).  Use
    --follow=name in that case.  That causes tail to track the named
    file by reopening it periodically to see if it has been removed
    and recreated by some other program.

It's been a while since I have done it, but tail -F /var/log/data.log
should continue reporting data from the rotated log file. IIRC tail
also reports when the file is rotated, so you will need to put a rule
in your SEC ruleset to capture the output from tail when the log file
is rotated.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
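An added example, not part of the original thread: the poster's startup rule with tail -F in place of tail -f, followed by a rule that catches the rotation notices tail emits. It assumes GNU coreutils tail (the notice wording differs between versions, so the pattern is deliberately loose) and that SEC's spawn action only reads the command's standard output, hence the 2>&1 so that tail's diagnostics, which go to stderr, reach SEC at all. /var/log/data.log is the file from the question; the rule keywords are standard SEC syntax.

```ini
# Added example, not from the original thread. Assumes GNU tail and that
# spawn feeds only the command's stdout back into SEC as input events.

# What the question used: -f follows the file descriptor, so after the
# rotation tail keeps reading the renamed data.log-<timestamp> file and
# never opens the new, empty data.log. SEC sees nothing from then on.
#
#   action=spawn /usr/bin/tail -f /var/log/data.log

# Corrected startup rule. -F (= --follow=name --retry) re-opens the path
# by name, so tail switches to the new data.log after the rename, and
# --retry keeps it alive during the window in which no data.log exists.
# 2>&1 is needed because tail writes its rotation notices to stderr.
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=$0
action=spawn /usr/bin/tail -F /var/log/data.log 2>&1

# tail's own notices now arrive as input events alongside the log lines,
# so catch them explicitly instead of letting them fall through to rules
# that expect data.log content. Wording varies across coreutils versions
# ("has become inaccessible", "has appeared; following new file",
# "following end of new file", "file truncated"), so match the stable
# fragments only.
type=Single
ptype=RegExp
pattern=^tail: .*data\.log.* (has become inaccessible|has appeared|file truncated)
desc=data.log rotation notice from tail: $0
action=logonly
```

Rotation by rename-then-create (what the question describes) is the friendly case for -F: tail notices the name now resolves to a different inode and starts reading the new file from its beginning. A copy-then-truncate rotation instead produces the "file truncated" notice, and anything written between the copy and the truncate is lost to tail, so the second rule is worth keeping as a signal that the rotation scheme changed.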

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users