Collects log messages from plain-text files, for example, from the logfiles of an Apache webserver. If you want to use wildcards in the filename, use the wildcard-file() source. Currently, syslog-ng OSE supports the file() source to maintain certain compatibilities, but it is advised to use the wildcard-file() source for longevity reasons and more configuration options.

The syslog-ng OSE application notices if a file is renamed or replaced with a new file, so it can correctly follow the file even if logrotation is used. When syslog-ng OSE is restarted, it records the position of the last sent log message in the /var/lib/syslog-ng/syslog-ng.persist file, and continues to send messages from this position after the restart.

The file driver has a single required parameter specifying the file to open. If you want to use wildcards in the filename, use the wildcard-file() source. For the list of available optional parameters, see file() source options.

CAUTION: As the follow-freq(), follow-method(), monitor-method(), and the monitor-freq() options could have performance penalty effects, it is important to understand how the file and directory monitoring operates depending on these values. For details, refer to How content changes are followed in file() and wildcard-file() sources.

Declaration

file("filename");

Example: Using the file() driver

source s_file {
    file("/var/log/messages");
};

Example: Tailing files

The following source checks the access.log file every second for new messages.

source s_tail {
    file("/var/log/apache/access.log" follow-freq(1) flags(no-parse));
};

NOTE: If the message does not have a proper syslog header, syslog-ng treats messages received from files as sent by the kern facility. Use the default-facility() and default-priority() options in the source definition to assign a different facility if needed.

For the configuration options available in the file() source, see wildcard-file() source options.

Updated: