Vault Logging and Alerting on Day 1

This is the companion discussion for the “Vault Logging and Alerting on Day 1” blog post describing how to use syslog-ng as a socket buffer and log server.

Please post any questions or feedback here. Thank you!

In your example for logrotate you say:

“This logrotate configuration rotates log files hourly, or when they reach 1GB”

It would be more accurate to say “This configuration rotates logs hourly IF they have reached 1GB”. The size option to logrotate indicates that rotation should only occur if the size is greater than the value. Because logrotate only runs on the schedule set by cron, it cannot monitor the size of a file and trigger a rotation as soon as it reaches a certain size.

Unless you modify the cron schedule for running logrotate (and as you noted it can’t run more than every minute), you can’t trigger a rotation by size more frequently than the minimum time period that logrotate actually runs.
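
The point raised in the reply above, as an added example that is not part of the original thread or the blog post: a small Python model of a size check that is evaluated only when cron invokes logrotate, showing how large the file gets before it is rotated. The workload, threshold and function names are constructed for illustration.

```python
"""Model of a logrotate `size` check that runs only on cron ticks."""

MIB = 1024 ** 2
GIB = 1024 ** 3


def simulate(bytes_per_minute, run_every_min, size_threshold):
    """Return a list of (minute, size_at_rotation) rotation events.

    bytes_per_minute: constructed per-minute write volumes for the log file
    run_every_min:    how often cron invokes logrotate, in minutes
    size_threshold:   the `size` value; rotate only if the file is larger
    """
    size = 0
    rotations = []
    for minute, written in enumerate(bytes_per_minute, start=1):
        size += written
        # logrotate is not a daemon: the size test happens only on a cron tick.
        if minute % run_every_min == 0 and size > size_threshold:
            rotations.append((minute, size))
            size = 0  # the fresh, empty log file starts here
    return rotations


def peak_size(rotations):
    """Largest file produced, i.e. the disk headroom a single log needs."""
    return max((size for _, size in rotations), default=0)


# Constructed workload: 3 hours of audit logging at 1 MiB/min, with a
# 30-minute burst (minutes 61-90) at 100 MiB/min.
WORKLOAD = [1 * MIB] * 60 + [100 * MIB] * 30 + [1 * MIB] * 90

# Same 1 GiB threshold, two cron schedules.
hourly = simulate(WORKLOAD, run_every_min=60, size_threshold=GIB)
every_minute = simulate(WORKLOAD, run_every_min=1, size_threshold=GIB)

if __name__ == "__main__":
    for label, events in (("hourly", hourly), ("every minute", every_minute)):
        print(label)
        for minute, size in events:
            print(f"  rotated at minute {minute}: {size / GIB:.2f} GiB")
        print(f"  peak file size: {peak_size(events) / GIB:.2f} GiB")
```

With the hourly schedule the burst is not noticed until the next run, so the file is about three times the threshold when it is finally rotated; size the log volume for that peak rather than for the configured threshold.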