
I have a question about syslog, FIFOs and log files.

For example, I have my gc.log and I have this configuration on syslog:

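# Inputs: local syslog over UDP plus the GC log, polled once per second
source s_splunk {
    udp(ip("127.0.0.1") port(514));
    file("/logs/gc.log" follow_freq(1));
};

# Output: forward to Splunk over TCP (the host name must be a quoted string)
destination d_splunk {
    tcp("my.splunk.intranet" port(1514));
};

log {
    source(s_splunk);
    destination(d_splunk);
};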

to index this gc.log on Splunk. But this way I get high CPU consumption and I would like to change how I'm indexing this log file.

I would like to do the indexing through a FIFO file, but I can't change how the application generates this log file.

How can I do this?

Italo

1 Answer


I found a way to solve my problem. I deleted my gc.log file and rebuilt it as a FIFO file, and I changed the permissions of this file.

So the JVM uses the FIFO to log, and on syslog-ng I'm configuring one destination to write the log to a file and send it to my Splunk VIP (my.splunk.intranet).

With this solution my syslog doesn't have high CPU usage.

Italo
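The procedure described in the answer, as an added example that is not part of the original post: a shell helper that swaps the regular log file for a FIFO with explicit permissions, and the matching syslog-ng configuration using the `pipe()` source. The function names, the 0660 mode and the archive file path are assumptions; the FIFO path, host and port come from the question.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, mode and the
# archive path are assumptions; my.splunk.intranet:1514 is from the question.

# make_log_fifo PATH [MODE]: replace a regular log file with a FIFO.
make_log_fifo() {
    path=$1
    mode=${2:-0660}   # assumed: JVM user writes, syslog-ng's group reads
    # Refuse symlinks so the move/create below cannot be redirected elsewhere.
    if [ -L "$path" ]; then
        echo "refusing: $path is a symlink" >&2
        return 1
    fi
    # Already a FIFO: only re-assert the permissions.
    if [ -p "$path" ]; then
        chmod "$mode" "$path"
        return 0
    fi
    # Keep the old regular file aside instead of deleting it.
    if [ -f "$path" ]; then
        mv -- "$path" "$path.pre-fifo.$$" || return 1
    elif [ -e "$path" ]; then
        echo "refusing: $path is not a regular file" >&2
        return 1
    fi
    # -m sets the mode at creation, so it never depends on the caller's umask.
    mkfifo -m "$mode" "$path" || return 1
    [ -p "$path" ]
}

# print_syslog_ng_conf FIFO ARCHIVE: emit the matching syslog-ng config.
# flags(no-parse) is used because GC log lines are not syslog-formatted.
print_syslog_ng_conf() {
    cat <<EOF
source s_gc { pipe("$1" flags(no-parse)); };
destination d_gc_file { file("$2"); };
destination d_splunk { tcp("my.splunk.intranet" port(1514)); };
log { source(s_gc); destination(d_gc_file); destination(d_splunk); };
EOF
}

# Usage (assumed paths):
#   make_log_fifo /logs/gc.log 0660 &&
#   print_syslog_ng_conf /logs/gc.log /logs/gc-archive.log
```

Opening a FIFO for writing blocks until a reader has it open, so syslog-ng must be running before the JVM starts.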