Log File Rotation

In the case of log file rotation, a log file is retired and renamed to a “rotated” name, and the monitored file is replaced by a new log file. Therefore, periodically during the monitoring of a log file that is rotated, the file is replaced by a fresh log file.

During the log file rotation process, the log file names are renamed in following ways:

  • The log file name contains a date that changes during the rotation process

    The date in the log file name changes during the rotation process. Ensure that you correctly configured the File Log Source configuration file.

    If you enter the parameter [date] in the file path you must:

    1. Activate the file rotation.
    2. Enable and enter a date format for the date pattern such as yyyyMMdd.

      For example,

      File names: logFile.20170521.log, logFile.20170522.log

      Absolute path: c:\logDir\logFile.[date].log

    Note: LogLogic® Universal Collector is not compatible with Microsoft IIS or any other application that uses a date in the active log file name.
  • The log file name contains an id that changes during the rotation

    The id in the log file name changes during the rotation process. Ensure that you correctly configured the File Log Source configuration file. The current file from which LogLogic® Universal Collector collects logs does not contain an id.

    For example,

    Active file name: sys.log

    Rotated file name: sys.log.1, sys.log.2 and so on.

    If you enter the parameter [id] in the file path you must:

    1. Activate the file rotation.
    2. Enable and enter the number of digits expected (1-9) for the nbDigit parameter.

      For example,

      File names: logFile.1.log, logFile.2.log

      Absolute path: c:\logDir\logFile.[id].log

      You can combine the two examples to allow the use of both [id] and [date] parameters in the file path.

      Note: While collecting logs from a file that rotates, the base file cannot be removed to avoid the collection failure.

Recommendations

  • In the case of resuming after having been stopped, if the log file has been rotated during the period in which the collector was stopped, some log data will be missed. Therefore, you must ensure that the collector is not temporarily stopped during an interval in which a rotation occurs.
  • To be collected, a file must have been modified after the latest collected file.
  • The current log file name must not change during the rotation. LogLogic® Universal Collector records the “identity” of a log file in the cursor as a hash of the first several bytes of the file. When the file is rotated by the log source and replaced with a fresh one, the hash will be different. File identity checking is performed throughout the log file monitoring process to detect log rotation.
  • If a log file needs to be replaced and enriched while LogLogic® Universal Collector is running, do not copy content in the file but move it on the same partition.