certego/fw1-loggrabber

Information loss after log rotation

Hello!
I have installed FW1-LogGrabber v2.1 from GitHub and I also have this config:

self:~/ $ sudo cat /usr/local/fw1-loggrabber/etc/fw1-loggrabber.conf                                                
# DEBUG_LEVEL=<debuglevel>
DEBUG_LEVEL="0"

# FW1_LOGFILE=<Name of FW1-Logfilename>
FW1_LOGFILE="2016"

# FW1_OUTPUT=<files|logs>
FW1_OUTPUT="logs"

# FW1_TYPE=<ng|2000>
FW1_TYPE="ng"

# FW1_MODE=<audit|normal>
FW1_MODE="normal"

# ONLINE_MODE=<yes|no>
ONLINE_MODE="no"

# RESOLVE_MODE=<yes|no>
RESOLVE_MODE="no"

# RECORD_SEPARATOR=<char>
RECORD_SEPARATOR="|"

# DATEFORMAT=<cp|unix|std>
#   cp   = " 3Feb2004 14:15:16"
#   unix = "1051655431"
#   std  = "2004-02-03 14:15:16"
DATEFORMAT="std"

# IGNORE_FIELDS=<field1;field2;...>
# IGNORE_FIELDS="uuid;__policy_id_tag"

# LOGGING_CONFIGURATION=<screen|file|syslog>
LOGGING_CONFIGURATION=file

# OUTPUT_FILE_PREFIX=<Path and Name of outputfile>
OUTPUT_FILE_PREFIX="/var/log/fw1-loggrabber/cp_log"

# OUTPUT_FILE_ROTATESIZE=<maximum size of outputfile in bytes>
# use OUTPUT_FILE_ROTATESIZE=0 to disable rotation
OUTPUT_FILE_ROTATESIZE=200000000

# SYSLOG_FACILITY=<USER|LOCAL0|...|LOCAL7>
SYSLOG_FACILITY="LOCAL1"

# FW1_FILTER_RULE=<rule>
#FW1_FILTER_RULE="action=drop"

# AUDIT_FILTER_RULE=<rule>
#AUDIT_FILTER_RULE="action=accept"

So FW1-LogGrabber should rotate the log file after it reaches about 200 MB. This is what I got on my system:

self:fw1-loggrabber/ $ ls -hl                                                                                       [12:50:19]
итого 189M
-rw-r--r-- 1 self self 189M окт 31 12:50 cp_log.log
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:50:20]
итого 1,6M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self 758K окт 31 12:50 cp_log.log
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:50:21]
итого 15M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self  14M окт 31 12:50 cp_log.log
...
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:51:22]
итого 170M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self 169M окт 31 12:51 cp_log.log
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:51:23]
итого 195M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self 3,5M окт 31 12:51 cp_log-2016-10-31_125128.log
-rw-r--r-- 1 self self    0 окт 31 12:51 cp_log.log
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:51:46]
итого 195M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self 3,5M окт 31 12:51 cp_log-2016-10-31_125128.log
-rw-r--r-- 1 self self    0 окт 31 12:51 cp_log.log
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:52:04]
итого 113M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self 3,5M окт 31 12:51 cp_log-2016-10-31_125128.log
-rw-r--r-- 1 self self 109M окт 31 12:52 cp_log.log

It lost a huge portion of the information during log file rotation...
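As an added example (not code from the issue or from the fw1-loggrabber project), a small Python checker that walks the rotated files in the order loggrabber produced them and flags jumps in the record timestamps, which is one way to confirm the loss shown in the listing above. It assumes each record is a set of `key=value` fields joined by the `|` RECORD_SEPARATOR from the conf, carries a `time=` field in the `std` DATEFORMAT, and that records are chronological within the export; the sample records are constructed.

```python
import re
from datetime import datetime

RECORD_SEPARATOR = "|"              # RECORD_SEPARATOR from the posted conf
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # DATEFORMAT="std"
# Rotated files are named <prefix>-YYYY-MM-DD_HHMMSS.log, as in the listing
ROTATED = re.compile(r"cp_log-(\d{4}-\d{2}-\d{2}_\d{6})\.log$")

def parse_record(line):
    """Split one key=value|key=value record into a dict (assumed layout)."""
    fields = {}
    for part in line.rstrip("\n").split(RECORD_SEPARATOR):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields

def rotation_order(names):
    """Rotated files oldest first (timestamp in the name), live cp_log.log last."""
    rotated = sorted(n for n in names if ROTATED.search(n))
    live = [n for n in names if n.endswith("cp_log.log")]
    return rotated + live

def find_gaps(files, max_gap_seconds):
    """files: {name: [record lines]}.  Returns (file, prev_time, next_time,
    seconds) for consecutive records whose time= fields are more than
    max_gap_seconds apart, or run backwards (out-of-order write)."""
    gaps, prev = [], None
    for name in rotation_order(files):
        for line in files[name]:
            fields = parse_record(line)
            if "time" not in fields:      # skip malformed / partial records
                continue
            t = datetime.strptime(fields["time"], TIME_FORMAT)
            if prev is not None:
                delta = (t - prev).total_seconds()
                if delta > max_gap_seconds or delta < 0:
                    gaps.append((name, prev, t, delta))
            prev = t
    return gaps

SAMPLE = {  # constructed records; the 50 s hole mirrors the truncated rotation
    "cp_log-2016-10-31_125021.log": [
        "time=2016-10-31 12:50:19|action=accept|orig=10.0.0.1",
        "time=2016-10-31 12:50:20|action=drop|orig=10.0.0.1",
    ],
    "cp_log-2016-10-31_125128.log": [
        "time=2016-10-31 12:51:10|action=accept|orig=10.0.0.1",
        "time=2016-10-31 12:51:27|action=accept|orig=10.0.0.1",
    ],
    "cp_log.log": ["time=2016-10-31 12:51:29|action=accept|orig=10.0.0.1"],
}

if __name__ == "__main__":
    for name, a, b, secs in find_gaps(SAMPLE, max_gap_seconds=30):
        print(f"{name}: {secs:.0f}s gap between {a} and {b}")
```

Run it against the real files by reading each `cp_log*.log` into the dict; a threshold of a few seconds is enough for a fast offline export like the one above.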

That functionality has been inherited from the previous version and honestly it hasn't been tested extensively. I suggest you use OUTPUT_FILE_ROTATESIZE=0 and manage file rotation with an external tool (e.g. logrotate).

Thanks for the answer! Could you give some advice about the logrotate configuration? Do I understand correctly that I should use copytruncate?

/var/log/fw1-loggrabber/cp_log.log {
    # rotate as root, creating files owned by the user loggrabber runs as
    su root self
    rotate 100
    size=1G
    noolddir
    nomail
    missingok
    nocompress
    # copy then truncate in place, so loggrabber keeps its open file handle
    copytruncate
}

Yes, using logrotate with copytruncate is currently the best option available.