0 Replies Latest reply on Aug 28, 2013 10:26 PM by andyfry

    Linux logrotate causes event collector to stop sending events

    andyfry

      Hi,

       

      It looks like the standard Linux logrotate application, which causes the likes of syslog and httpd to do a reload or restart, stops the event collector working properly.

       

      I suspect it leaves the event collector looking at an old log file which is no longer being written to. I don't really want to have to tweak every logrotate config to also restart the event collector.

       

      Is there an alternative way of achieving this?

       

      Here's the current configuration:

       

      ##############
      # Collector
      ##############
      bookmark_dir=/var/lib/mcafee/bookmark
      debug_level=debug
      log_path=/var/log/mcafee/event_collector.log
      sleep=5
      inactive_sleep=300

      ##############
      #       Receiver
      ##############
      rec_ip=999.999.999.999
      rec_port=8081
      rec_encrypt=1

      ##############
      #       Plugin
      ##############
      type=filetail
      hostid=
      ft_dir=/var/log
      ft_filter=messages
      ft_delim=<newline>
      ft_delim_end_of_event=1
      ft_start_top=0

      type=filetail
      hostid=
      ft_dir=/var/log/httpd
      ft_filter=access.log
      ft_delim=<newline>
      ft_delim_end_of_event=1
      ft_start_top=0
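
The failure mode suspected in the post above, reproduced as an added example (not part of the original post and not the vendor collector's code): a tailer that keeps its file handle across a rotation stops seeing new events, while one that compares the inode behind the path with the inode it holds can reopen the file. The class name, function names and sample log lines are constructed for illustration; it assumes a POSIX filesystem and logrotate's rename-and-recreate or `copytruncate` behaviour.

```python
import os
import tempfile

class RotationAwareTail:
    """Follow a log by path; reopen it when it is rotated or truncated."""

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "rb")
        self.fh.seek(0, os.SEEK_END)  # report only lines written from now on

    def _rotated(self):
        try:
            on_disk = os.stat(self.path)
        except FileNotFoundError:
            return False  # renamed away, replacement not created yet
        held = os.fstat(self.fh.fileno())
        replaced = (on_disk.st_dev, on_disk.st_ino) != (held.st_dev, held.st_ino)
        truncated = not replaced and on_disk.st_size < self.fh.tell()  # copytruncate
        return replaced or truncated

    def poll(self):
        lines = self.fh.readlines()  # drain what the held file still has
        if self._rotated():
            self.fh.close()
            self.fh = open(self.path, "rb")  # new file, read from its start
            lines += self.fh.readlines()
        return [raw.decode("utf-8", "replace").rstrip("\n") for raw in lines]

def demo():
    """Constructed scenario: rename-and-recreate rotation of a 'messages' file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages")
        with open(path, "w") as f:
            f.write("old-1\n")
        tail = RotationAwareTail(path)
        naive = open(path, "rb")  # tailer that never re-checks the path
        with open(path, "a") as f:
            f.write("old-2\n")
        os.rename(path, path + ".1")  # rotation moves the live file aside
        with open(path, "w") as f:  # daemon reopens its log after reload
            f.write("new-1\n")
        seen = tail.poll()
        naive_seen = [raw.decode().rstrip("\n") for raw in naive.readlines()]
        tail.fh.close()
        naive.close()
        return seen, naive_seen

if __name__ == "__main__":
    print(demo())
```

The size check only catches a `copytruncate` rotation if the file is still shorter than the last read offset at poll time, so a long polling interval on a busy log can miss it.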