5.3.2. File sources and logrotation

The syslog-ng Agent for Windows application can collect log messages from text files, and supports the use of wildcards (*) in file names and folder names so that it can follow log files that are rotated automatically. To configure file sources, complete the following steps:

Procedure 5.3.2.1. Managing file sources

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings > File Sources, double-click on Sources, and check the Enable option.

  3. Select Add > Browse, and select the log file or the folder containing the log files in the Base Directory field. Select or enter the name and extension of the log files in the File Name Filter field. Wildcards may be used. The syslog-ng agent will forward log messages from every file that is located in this folder and has a name that matches the filter expression.

    [Tip] Tip

    When specifying the Base Directory, you can use the environment variables of Windows, e.g., %WINDIR%, %SYSTEMROOT%, %PROGRAMFILES%, etc.

    [Warning] Warning

    Note that when managing members of a domain, the selected path must be available on the domain members, e.g., C:\logs must be available on the client hosts and not on the domain controller.

    • To send messages from the files located in the subfolders of the folder set as Base Directory, select the Recursive option.

  • To send messages only from the file that was last modified, select the Last Modified File Only option.

      [Note] Note

      When using the Last Modified File Only option with a file source that has a wildcard in the filename (e.g., *.log), the following will happen. When started for the first time, the agent sends the contents of every matching file to the central server, and stores the position of the last message in the file with the most recent modification date. When new messages are written to this file, the agent sends only the new messages. However, if an older file is modified, the agent resends the entire contents of this newly modified file, and stores the position of the last message in this file only.

      When you use wildcards together with the Last Modified File Only option, make sure that older files will not be modified.

      [Note] Note

      If this option is not selected, the syslog-ng agent monitors every matching file in the folder for changes, and sends new log messages from all files.

    • If you are forwarding the logs of Internet Information Server (IIS) 5 applications, select the IIS 5.x Log option.

    • To send messages only from the file that was last modified of every subfolder of the Base Directory, select both the Last Modified File Only and the Recursive options.

    • To change the log facility or the log priority associated with the file source, select the desired facility or priority from the Log Facility or Log Priority fields, respectively.

      [Note] Note

      Significant changes to the settings of a file source may cause the syslog-ng Agent to resend the entire contents of the matching files. This means that log messages already sent earlier to the syslog-ng server may be resent and thus duplicated in the server logs. Configuration changes that may result in such behavior are:

      • changing the Base Directory,

      • changing filter options,

      • changing the Recursive or Last Modified File Only options.

  4. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

[Note] Note

If an application writes a message into a log file without ending the line with a new-line character, saves (closes) the file, and later continues writing on the same line, the result is visible in the file as a single line, but the syslog-ng agent interprets the two parts as two separate messages.

[Example] Example 5.1. Collecting the logs of multiple applications from a single folder

If two applications log into the same folder (e.g., C:\logs), you have to create two file sources. For example, if the names of the log files are application1-*.log and application2-*.log, respectively, then create two file sources with the C:\logs Base Directory, but with different File Name Filters: application1-*.log and application2-*.log, respectively.

If other applications log into the C:\logs folder, add a separate expression for each application.

By default, the syslog-ng agent sends every message that arrives in any of the monitored log files to the server. To send only the messages that arrive in the latest file of the source, enable the Last Modified File Only option.
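As an added illustration (not code from the syslog-ng Agent or from this documentation), the following Python model replays the Last Modified File Only behaviour described in the note of step 3 and in Example 5.1, including the full resend of an older file and the new-line caveat above; the class and function names are hypothetical, and the file names, modification times and contents are constructed.

```python
import fnmatch


class LastModifiedOnlyModel:
    """Hypothetical model of a file source with a wildcard File Name Filter and the
    Last Modified File Only option enabled: a single (file, offset) bookmark is kept."""

    def __init__(self, name_filter):
        self.name_filter = name_filter
        self.bookmark = None  # (filename, bytes already forwarded); None before first start

    @staticmethod
    def _messages(data):
        # One message per line. A trailing fragment without '\n' is still forwarded,
        # so a line completed by a later write shows up as two separate messages.
        parts = data.split("\n")
        if parts and parts[-1] == "":
            parts.pop()
        return parts

    def poll(self, snapshot):
        """snapshot: {filename: (mtime, content)} of the Base Directory (constructed).
        Returns the (filename, message) pairs forwarded during this poll."""
        matching = {n: v for n, v in snapshot.items() if fnmatch.fnmatch(n, self.name_filter)}
        if not matching:
            return []
        newest = max(matching, key=lambda n: matching[n][0])
        if self.bookmark is None:
            # First start: every matching file is sent in full.
            sent = [(n, m) for n, (_, c) in sorted(matching.items()) for m in self._messages(c)]
        elif self.bookmark[0] == newest:
            # Same file as last time: only the bytes past the stored position.
            sent = [(newest, m) for m in self._messages(matching[newest][1][self.bookmark[1]:])]
        else:
            # An older file was modified: its whole content is resent (duplicates on the server).
            sent = [(newest, m) for m in self._messages(matching[newest][1])]
        self.bookmark = (newest, len(matching[newest][1]))
        return sent


def demo():
    """Constructed sequence of writes to C:\\logs with the filter application1-*.log."""
    agent = LastModifiedOnlyModel("application1-*.log")
    files = {"application1-mon.log": (1, "a1\na2\n"),
             "application1-tue.log": (2, "b1\n"),
             "application2-tue.log": (2, "other\n")}       # different source, never matched
    runs = [agent.poll(files)]                                # first start: both files in full
    files["application1-tue.log"] = (3, "b1\nb2")             # new line, no trailing new-line
    runs.append(agent.poll(files))                            # only "b2"
    files["application1-tue.log"] = (4, "b1\nb2 continued\n")  # same line finished later
    runs.append(agent.poll(files))                            # " continued" is its own message
    files["application1-mon.log"] = (5, "a1\na2\na3\n")       # older file modified
    runs.append(agent.poll(files))                            # a1 and a2 are resent
    return runs
```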


© 2007-2010 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com