file: Collecting messages from text files
Collects log messages from plain-text files, for example, from the log files of an Apache webserver.
CAUTION:
Currently, the file() source is maintained for compatibility, but for regular files — especially when using wildcards in the filename — it is recommended to use the wildcard-file() source, as it provides better long-term support and more configuration options. The only real use case for the legacy file() source is when you need to read kernel messages.
The syslog-ng OSE application notices if a file is renamed or replaced with a new file, so it can correctly follow the file even if log rotation is used. When syslog-ng OSE is restarted, it records the position of the last sent log message in the /var/lib/syslog-ng/syslog-ng.persist file, and continues to send messages from this position after the restart.
The file driver has a single required parameter specifying the file to open. If you want to use wildcards in the filename, use the wildcard-file() source. For the list of available optional parameters, see file() source options.
CAUTION:
The follow-freq(), follow-method(), monitor-method(), and monitor-freq() options can carry a performance penalty, so it is important to understand how file and directory monitoring operates depending on these values. For details, refer to How content changes are followed in file() and wildcard-file() sources.
Declaration
file("filename");
Example: Using the file() driver
source s_file {
    file("/var/log/messages");
};
Example: Tailing files
The following source checks the access.log file every second for new messages.
source s_tail {
    file("/var/log/apache/access.log" follow-freq(1) flags(no-parse));
};
NOTE: If the message does not have a proper syslog header, syslog-ng treats messages received from files as sent by the kern facility. Use the default-facility() and default-priority() options in the source definition to assign a different facility if needed.
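Example (added here, not taken from the syslog-ng OSE documentation): applying the NOTE above to the tailing source, so that headerless web server lines are not labelled as kernel messages and cannot end up in filters or alerts built on facility(kern). The object names, the local6/info choice, and the destination paths are assumptions made for illustration.

```conf
# Added example; object names, facility choice and destination paths are hypothetical.

# access.log lines carry no syslog header. Without the two default-*() options
# below, every line from this source would be assigned the kern facility.
source s_apache {
    file("/var/log/apache/access.log"
        follow-freq(1)
        flags(no-parse)
        default-facility(local6)
        default-priority(info)
    );
};

# Filter that kernel-focused log paths typically rely on.
filter f_kern { facility(kern); };

# Filter matching the facility assigned to the web server lines above.
filter f_web { facility(local6); };

destination d_kern { file("/var/log/kern.log"); };
destination d_web  { file("/var/log/web-access.log"); };

# With the overrides in place this path no longer receives any access.log line.
# If default-facility() were removed from s_apache, every line would match here.
log { source(s_apache); filter(f_kern); destination(d_kern); };

# The web server lines are routed by the facility set in the source.
log { source(s_apache); filter(f_web); destination(d_web); };
```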