I am running syslog-ng PE 4 LTS on CentOS 6. Syslog is recursing a local directory of web logs and moving them to a NAS. We are seeing that some old log lines are showing up on the NAS for current dates. For example, a log line with a timestamp of 02/10/2015 will show up on the NAS in a file dated today. I believe the issue is the syslog-ng.persist file. If I "open" it using strings I see hundreds of entries there for files from October. Since we're not using version 5 (and are no longer subscribing to Balabit) we don't have the persist-tool that now allows you to manipulate this file.

My question is two-fold:

1. If I simply delete this file (after stopping syslog-ng), will syslog recreate it upon start up? I understand I would have to also clean out the directory in question beforehand, otherwise I'll end up in the same predicament.
2. If syslog doesn't create it (I assume I can't simply touch a new one because the file command says it is file type "data"), does anyone know of another way besides persist-tool to manipulate this file?

Thank you.

1 Answer

Yes, syslog-ng will recreate the persist file. However, the persist file stores the positions of the next message to read from your source files, meaning that syslog-ng will think that all your logfiles are new, and resend all the messages to your NAS.

Newer versions of syslog-ng have an option called read-old-records() that can prevent this behavior.

Regards, Robert Fekete
