5.2. File sources and logrotation

The syslog-ng agent supports the use of wildcards (*) in file names and folder names, so that it can follow log files that are rotated automatically.

To follow the logfiles stored in a directory, modify the syslog-ng agent configuration. Add an expression that contains the path to the files. Use the * wildcard in the filename, for example: C:\logs\webserver\*.log.

To follow the logfiles stored in a set of directories, modify the syslog-ng agent configuration. Add an expression that contains the path to the directories. Use the ** wildcard in the name of the directories, and the * wildcard in the filename, for example: C:\logs\webserver\**\*.log. This format is useful for applications that store their logs in timestamped directories.

It is important to note that the syslog-ng agent reads messages from only one file for every expression. If multiple applications log into the same folder, you have to add a separate expression for every application, and each expression must match only the log files of the respective application. Also, if an application modifies an old file in a folder, the syslog-ng agent resends the entire file.

Note

If an application writes a message into a log file without ending the line with a new-line character, saves (closes) the file, and later continues to write into the same line, the result is visible in the file as a single line, but the syslog-ng agent interprets the two writes as two separate messages.

Example 5.1. Collecting the logs of multiple applications from a single folder

The following expressions define two sources to collect the logs of application1 and application2, which both log into the C:\logs folder.

Expression 1: C:\logs\application1*.log

Expression 2: C:\logs\application2*.log

If other applications log into the C:\logs folder, add a separate expression for each application.
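The following Python script is an added illustration, not part of the syslog-ng agent documentation or its code: it models how the * and ** wildcards described above select files from a constructed directory listing, and reports which files the expressions from Example 5.1 cover and which files no expression collects. The file list, the regex translation and the review function are assumptions made for the example; the agent's real matching code is not shown here.

```python
import re

# Constructed directory listing standing in for what the agent would see under C:\logs.
SAMPLE_FILES = [
    r"C:\logs\application1.log",
    r"C:\logs\application1.2.log",
    r"C:\logs\application2.log",
    r"C:\logs\application3.log",                  # no expression below covers this one
    r"C:\logs\webserver\access.log",
    r"C:\logs\webserver\2007-06-01\access.log",   # timestamped subdirectory
    r"C:\logs\webserver\2007-06-01\notes.txt",
]

def expression_to_regex(expr):
    """Translate an agent-style file expression into a compiled regex (assumed semantics).
    '*' matches within a single path component and never crosses a backslash;
    a component consisting of '**' matches zero or more whole directories.
    Windows file names are case-insensitive, so the regex is too."""
    comps = expr.split("\\")
    regex = ""
    for i, comp in enumerate(comps):
        if comp == "**":
            regex += r"(?:[^\\]+\\)*"            # each matched directory keeps its separator
        else:
            regex += re.escape(comp).replace(r"\*", r"[^\\]*")
            if i < len(comps) - 1:
                regex += r"\\"
    return re.compile("^" + regex + "$", re.IGNORECASE)

def review_expressions(expressions, files):
    """Return (per_expression, uncovered): the files each expression selects, and the
    files that no expression selects and that the agent would therefore never read.
    An expression that lists files of several applications needs splitting up."""
    per_expression = {}
    covered = set()
    for expr in expressions:
        pattern = expression_to_regex(expr)
        matched = sorted(f for f in files if pattern.match(f))
        per_expression[expr] = matched
        covered.update(matched)
    return per_expression, sorted(set(files) - covered)

if __name__ == "__main__":
    exprs = [r"C:\logs\application1*.log", r"C:\logs\application2*.log",
             r"C:\logs\webserver\**\*.log"]
    result, missing = review_expressions(exprs, SAMPLE_FILES)
    for expr, matched in result.items():
        print(expr, "->", matched)
    print("not collected by any expression:", missing)
```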


© 2007 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com