Will syslog-ng recreate the syslog-ng.persist file if deleted?

Tags: centos6, logging, syslog-ng

I am running syslog-ng PE 4 LTS on CentOS 6. Syslog is recursing a local directory of web logs and moving them to a NAS. We are seeing that some old log lines are showing up on the NAS for current dates. For example, a log line with a timestamp of 02/10/2015 will show up on the NAS in a file dated today. I believe the issue is the syslog-ng.persist file. If I "open" it using strings I see hundreds of entries there for files from October. Since we're not using version 5 (and are no longer subscribing to Balabit) we don't have the persist-tool that now allows you to manipulate this file.

My question is two-fold:
1. If I simply delete this file (after stopping syslog-ng), will syslog recreate it upon start up? I understand I would have to also clean out the directory in question beforehand otherwise I'll end up in the same predicament.

2. If syslog doesn't create it —I assume I can't simply touch a new one because the file command says it is file type "data"— does anyone know of another way besides persist-tool to manipulate this file?

Thank you.

Best Answer

Yes, syslog-ng will recreate the persist file. However, the persist file stores the positions of the next message to read from your source files, meaning that syslog-ng will think that all your logfiles are new, and resend all the messages to your NAS.

Newer versions of syslog-ng have an option called read-old-records() that can prevent this behavior.

Regards, Robert Fekete
