cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

302
Views
0
Helpful
3
Replies
Beginner

LMS 4.2.4 /var/log/syslog_info file is huge

On the LMS 4.2.4 soft appliance, the file /var/log/syslog_info is about 26 gigabytes.  I think it should be smaller.  What should I do?

 

I did a Syslog Forced Purge, which says it completed successfully, but this file appears unchanged.

 

Thanks for any info,

 

Dave

 

Everyone's tags (1)
3 REPLIES 3
Cisco Employee

Hello Dfaught, I better

Hello Dfaught,

 

I better recommend you the following steps that show you how to set LMS for automatically rotate logs when they reach a specific size.

 

Regards,

Ernesto Q

Highlighted
Beginner

Hello Ernesto,I am a little

Hello Ernesto,

I am a little hesitant to implement your steps because it appears to me that the /var/log/syslog_info file is an OS-level file and therefore is not really controlled by the log rotation process in LMS.  The /var/log/messages file in your document is, in fact, rotated by an OS process using the /etc/logrotate.d and /etc/logrotate.conf and should probably not be put under LMS control.

 

But now I am unsure how to proceed.  Since the /var/log/syslog_info file is an OS-level file, why was it not included in the /etc/logrotate.d files?  And if it is now added into the /etc/logrotate.d configuration, how will that affect the LMS SyslogCollector subscription?

 

Or, if the /var/log/syslog_info file is put into the LMS logrotation process, how will the OS syslogd process find out that the file has changed?

 

Thank you for your help.

 

Dave

 

Cisco Employee

Hello dfaught,The linux

Hello dfaught,

The linux method to logrotate files is as you mentioned /etc/logrotate.d and /etc/logrotate.conf which is the one that contains the main information/configuration and points to logrotate.d and if we look at logrotate.d its content is:

less /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

 

It does not contain the syslog_info as you as well mentioned, but keep in mind that such linux is included in an OVA file "I assume you have a LMS in a virtual machine and was installed with an OVA", therefore, such operating system is customized for LMS to work properly, at the moment I do not have the exact answer as to why such syslog_info was not included, but I can tell you for sure that LMS wont cause any trouble if you let it rotate this OS files, in fact, I have it at the moment

 

 

As for your question about the SyslogCollector subscription it wont be affected due to the fact that LMS when receives a given syslog at port 514 it is taken by the syslogd service and it moves it to the syslogcollector.log which is the one that filters any syslog, once syslogcollector is done then it proceeds to move it to the sysloganalyzer.log which is the one that writes it to the syslog database, at the end all this process occurs fastly.

In a nutshell, by logrotating syslog_info from LMS, it should not cause any issue, however, you can test it if you want just to make sure that any syslog report such as 24h syslog report gets affected by this modification.

Hope it helps.

 

Regards,

Ernesto Q

 

 

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards