LMS 4.2.4 /var/log/syslog_info file is huge

dfaught
Level 1

On the LMS 4.2.4 soft appliance, the file /var/log/syslog_info is about 26 gigabytes.  I think it should be smaller.  What should I do?

 

I did a Syslog Forced Purge, which says it completed successfully, but this file appears unchanged.

 

Thanks for any info,

 

Dave

 

3 Replies

Ernesto Q
Cisco Employee

Hello Dfaught,

 

I recommend the following steps, which show how to set LMS to automatically rotate logs when they reach a specific size.

 

Regards,

Ernesto Q

Hello Ernesto,

I am a little hesitant to implement your steps because it appears to me that the /var/log/syslog_info file is an OS-level file and therefore is not really controlled by the log rotation process in LMS.  The /var/log/messages file in your document is, in fact, rotated by an OS process using the /etc/logrotate.d and /etc/logrotate.conf and should probably not be put under LMS control.

 

But now I am unsure how to proceed.  Since the /var/log/syslog_info file is an OS-level file, why was it not included in the /etc/logrotate.d files?  And if it is now added into the /etc/logrotate.d configuration, how will that affect the LMS SyslogCollector subscription?

 

Or, if the /var/log/syslog_info file is put into the LMS logrotation process, how will the OS syslogd process find out that the file has changed?

 

Thank you for your help.

 

Dave

 

Hello dfaught,

The Linux method to rotate log files is, as you mentioned, /etc/logrotate.d and /etc/logrotate.conf; the latter contains the main information/configuration and points to logrotate.d. If we look at logrotate.d, its content is:

less /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

 

It does not contain syslog_info, as you also mentioned, but keep in mind that this Linux is included in an OVA file (I assume you have LMS in a virtual machine and it was installed with an OVA); therefore, the operating system is customized for LMS to work properly. At the moment I do not have the exact answer as to why syslog_info was not included, but I can tell you for sure that LMS won't cause any trouble if you let it rotate these OS files; in fact, I have it at the moment

 

 

As for your question about the SyslogCollector subscription, it won't be affected: when LMS receives a given syslog at port 514, it is taken by the syslogd service and it moves it to syslogcollector.log, which is the one that filters any syslog; once syslogcollector is done, it proceeds to move it to sysloganalyzer.log, which is the one that writes it to the syslog database. In the end, all this process occurs quickly.

In a nutshell, logrotating syslog_info from LMS should not cause any issue; however, you can test it if you want, just to make sure that any syslog report, such as the 24h syslog report, gets affected by this modification.

Hope it helps.

 

Regards,

Ernesto Q
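
The gap discussed in this thread (a file syslogd writes to that no logrotate stanza names) can be checked mechanically. The script below is an added example, not part of the thread or of LMS: the function names are hypothetical, and the sample config is the /etc/logrotate.d/syslog stanza quoted above, written to a temporary file.

```shell
# Added example (not from the thread): is a log file named in a logrotate stanza?

# Print the paths and glob patterns from stanza headers (the text before "{").
# Simplification: assumes each stanza's closing "}" starts its own line.
stanza_patterns() {
    awk '
        depth == 0 {
            line = $0
            brace = index(line, "{")
            if (brace) { depth = 1; line = substr(line, 1, brace - 1) }
            $0 = line
            # Directives such as "include /etc/logrotate.d" do not start with "/".
            if ($1 ~ /^\//) for (i = 1; i <= NF; i++) print $i
            next
        }
        substr($1, 1, 1) == "}" { depth = 0 }
    ' "$@"
}

# Exit 0 if $1 matches a pattern in the given config files, else 1.
# Runs in a subshell with globbing off so patterns are compared, not expanded.
is_rotated() (
    set -f
    target=$1; shift
    for pat in $(stanza_patterns "$@"); do
        case $target in
            $pat) exit 0 ;;
        esac
    done
    exit 1
)

# Constructed sample: the stanza quoted in the thread.
write_sample() {
    cat > "$1" <<'EOF'
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
EOF
}
conf=$(mktemp); write_sample "$conf"
for f in /var/log/messages /var/log/syslog_info; do
    if is_rotated "$f" "$conf"; then echo "$f: rotated"; else echo "$f: NOT rotated"; fi
done
rm -f "$conf"
```

On a real system, pass /etc/logrotate.conf and the files under /etc/logrotate.d as the config arguments instead of the sample.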

 

 
