We have spotlight which can write logs to a file. How can we manage log file size in Linux and Windows OS?
Need to rotate log files in Linux and Windows without breaking events.
Hi ansif,
sorry, but I don't understand your question: Splunk reads logs from files, if you need to rotate files isn't a Splunk problem, when you rotate a file Splunk will start to ingest logs from the new one without ingesting the old logs.
Ciao.
Giuseppe
Ya not a splunk problem. I am asking how can we ensure as a best practice from OS perspective to rotate logs and last event in the log file is not broken.
Hi ansif,
as I said Splunk solves this problem because it reads the old file until it's rotated, then start to read the new one (probably with the same name) and doesn't read the old one.
Obviously if after rotation the new logs are in a file with a different name, you have to build your input in appropriate mode using *, e.g. if I have my files called myfile_2019_10_15.log, I have to use a monitor stanza like this:
[monitor:///tmp/my_logs/myfile_*.log]
Ciao.
Giuseppe