syslog-ng documentation


syslog-ng Premium Edition


6.4. wildcard-file: Collecting messages from multiple text files

The wildcard-file() source collects log messages from multiple plain-text files from multiple directories. The wildcard-file() source is available in syslog-ng PE version 7.0.3 and later.

The syslog-ng PE application notices if a file is renamed or replaced with a new file, so it can correctly follow the file even if log rotation is used. When syslog-ng PE is restarted, it records the position of the last sent log message in the /opt/syslog-ng/var/syslog-ng.persist file, and continues to send messages from this position after the restart.

Declaration: 

wildcard-file(
    base-dir("<pathname>")
    file-pattern("<filename>")
);

Note the following important points:

  • You can use the * and ? wildcard characters in the filename (the file-pattern() option), but not in the path (the base-dir() option).

  • When using the wildcard-file() source, always set how often syslog-ng PE should check the files for new messages using the follow-freq() parameter.

  • If you use multiple wildcard-file() sources in your configuration, make sure that the files and folders that match the wildcards do not overlap. That is, every file and folder should belong to only one file source. Monitoring a file from multiple wildcard sources can lead to data loss.

  • When using wildcards, syslog-ng PE monitors every matching file (up to the limit set in the max-files() option), and can receive new log messages from any of the files. However, monitoring (polling) many files (that is, more than ten) has a significant overhead and may affect performance. On Linux this overhead is less significant, because syslog-ng PE uses the inotify feature of the kernel. Set the max-files() option to at least the number of files you want to monitor. If the wildcard-file() source matches more files than the value of the max-files() option, which files syslog-ng PE actually monitors is random. The default value of max-files() is 100.

  • If a message does not have a proper syslog header, syslog-ng PE treats messages received from files as sent by the kern facility. Use the default-facility() and default-priority() options in the source definition to assign a different facility or priority if needed.

Required parameters: base-dir(), file-pattern(). For the list of available optional parameters, see Section 6.4.1, wildcard-file() source options.

Example 6.11. Using the wildcard-file() driver

The following example monitors every file with the .log extension in the /var/log directory for log messages.

source s_files { wildcard-file(
    base-dir("/var/log")
    file-pattern("*.log")
    recursive(no)
    follow-freq(1)
); };