mk_logwatch: Ensure that no events are lost during log rotations.
Please add support for reading from rotating log files.
Log files are usually renamed or get a new name when certain criteria are met. Depending on the operating system and company, different naming conventions are used.
If this rotation takes place between two runs of logwatch, then the rest of the log file that was rotated away must also be examined to avoid the loss of critical events.
A simple and fast detection could be for example the MD5 sum of the first 500 bytes of the logfile. If the MD5 sum changes, the file was rotated and the old rotated file can be identified by the old MD5 sum.
Comments: 3
10 Jan, '23
Mike1098: Very important feature request which we fully support.
Probably enough to compare the old and new pointer to detect a switch.
I admit it's not a trivial problem to solve.
17 May, '24
Lars Sörensen: Recognizing a rotation is not a big problem, the challenge is to find the rotated file and retrieve the last lines of that file before starting with the new file.
Especially if unusual rotation methods were used for the rotated files and/or if the files were compressed after rotation.
name.log, name.log-20240501, name.log-20240502,...
20240501_name.log, 20240502_name.log,...
log, log.0, log.1.gz, log.2.gz,...
log, log.0.gz, log.1.gz, log.2.gz,...
16 Mar
Kurt: When a file gets rotated, it is renamed but its inode stays the same. Checkmk should therefore search for new files to track and, when detected, start tracking them by their inode instead of filename. This would already solve a lot.
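
Added example (not part of the thread and not mk_logwatch or Checkmk code): it combines the two ideas raised above, the MD5 of the first 500 bytes from the request and the inode from the last comment, to detect a rotation and read the unread tail of the rotated file, compressed or not, before the new file. The state layout, the function names and the sibling search pattern are assumptions made for this illustration.

```python
import glob, gzip, hashlib, os

FP_BYTES = 500  # prefix length suggested in the request

def _open(path):
    # Rotated files may be gzip-compressed; always work on decompressed content.
    return gzip.open(path, "rb") if path.endswith(".gz") else open(path, "rb")

def fingerprint(path, n):
    with _open(path) as f:
        return hashlib.md5(f.read(n)).hexdigest()  # change detection only

def save_state(path, offset):
    st = os.stat(path)
    n = min(FP_BYTES, st.st_size)  # a short file's prefix still grows: hash only what exists
    return {"inode": st.st_ino, "fp_len": n, "fp": fingerprint(path, n), "offset": offset}

def find_rotated(path, state):
    """Return the sibling that holds the previously tracked content, or None."""
    directory, name = os.path.split(os.path.abspath(path))
    stem = glob.escape(name.split(".")[0])
    for cand in sorted(glob.glob(os.path.join(glob.escape(directory), f"*{stem}*"))):
        if os.path.basename(cand) == name:
            continue
        try:  # a plain rename keeps the inode; compression only keeps the content
            same = os.stat(cand).st_ino == state["inode"] or (
                state["fp_len"] > 0 and fingerprint(cand, state["fp_len"]) == state["fp"])
        except (OSError, EOFError):  # unreadable or half-written archive
            continue
        if same:
            return cand
    return None

def read_new_lines(path, state):
    """Return (lines, new_state), including the unread tail of a rotated file."""
    chunks, offset = [], state["offset"]
    if (os.stat(path).st_ino != state["inode"]
            or fingerprint(path, state["fp_len"]) != state["fp"]):
        old = find_rotated(path, state)
        if old:
            with _open(old) as f:
                f.seek(offset)  # skip what was already processed before the rotation
                chunks.append(f.read())
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        chunks.append(f.read())
        offset = f.tell()
    return b"".join(chunks).splitlines(), save_state(path, offset)
```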