gzip audit-logs

I’m running syncthing with --audit. I would appreciate it if old audit logs were gzipped and a new file were used every day.

The best I can suggest is to set it up to log to stdout/stderr and use standard rotation. Alternatively, some log management systems support setting up a pipe/named socket for an application to write to, and they then do rotation etc.

We have ways to do log rotation, which could be reused here, but I don’t think we’ll do gzipping etc.

Sorry, but I don’t understand your suggestions. The audit log always wrote to a file as far as I know. Furthermore, the name is unpredictable (it contains the start time), so tools like newsyslog and logrotate don’t work. I only see two possibilities: either the logic is implemented in syncthing, or syncthing always writes to a file audit.log. Then logrotate can do the job.

Logrotate allows wildcards AFAIK.

You can specify the file it writes to:

--auditfile=PATH           Specify audit file (use "-" for stdout, "--" for stderr)

For log rotate to work, we’d need to periodically reopen the file, which we don’t do.

I know some logging daemons expose a named pipe you can write to, which then does log rotation on stuff read from the pipe.

Does this mean that if I set the audit file to audit.log and then newlogsystem bzips it to audit.0.log, the audit log will become broken?

What logging daemons do you have in mind?

I believe so, because we will keep writing to a file descriptor that doesn’t exist on the filesystem anymore, because you’ve archived the file and deleted it.

I can’t tell you a specific one, I just recall seeing something like that before.

Effectively what I am talking about is something like example 2 shown here:

You point syncthing to write audit logs to the named pipe (which I think should work), and then your script that reads off of that named pipe decides what to do with the logs, when to roll a new file, archive it etc.

Would copytruncate not work?

Good question/point, maybe it would.

That seems indeed an option. So I can write to a fixed file, then run a job that copies it to another file and truncates the original one. The new file can then be rotated with newsyslog, which is the default on Mac. I must think about it. Perhaps it’s easier to stop syncthing, gzip the log and restart it.

Thanks for all the input. In Java this is normally only a matter of a few configuration settings.

Interesting note: There seems to be some code in syncthing which deletes old audit logs :wink:

Yep:

(on startup)

Is it possible to stop the syncthing process in the macOS version from the command line? The idea is to regularly stop syncthing, gzip the audit log and then restart the service. I tried to do it with the REST API and curl, but the macOS version restarts it immediately. One idea is to gzip everything and then shut down. But it’s not really clean.

Probably the service manager restarts Syncthing as soon as it exits. This is fine though; restart Syncthing so it creates a new audit log, then gzip the old audit log.
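
The restart-then-gzip approach from the last reply, as an added example that is not from the thread participants or the Syncthing project: after a restart, compress every audit log except the newest one, which the running process still has open. It assumes the files are named `audit-<start time>.log` so that name order equals start order; the function names, sample timestamps and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Syncthing code). Assumption: audit logs are named
# audit-<start time>.log, so sorting by name sorts by start time.

# Compress all audit logs in directory $1 except the newest, which the
# running Syncthing process is still writing to. Prints the number of
# files compressed. The body runs in a subshell to keep variables local.
gzip_old_audit_logs() (
    dir=$1
    prev=""
    count=0
    # The glob expands in sorted order, so the last match is the live log.
    for f in "$dir"/audit-*.log; do
        # Skip an unmatched (literal) glob and anything that is not a plain
        # regular file, so a symlink or named pipe is never followed.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if [ -n "$prev" ]; then
            # prev is now known not to be the newest log. Leave it alone if
            # an archive with that name already exists.
            [ -e "$prev.gz" ] || { gzip -9 -- "$prev" && count=$((count + 1)); }
        fi
        prev=$f
    done
    echo "$count"
)

# Build a temporary directory with three constructed audit logs and print
# its path. Timestamps and contents are sample values, not real log data.
make_sample_dir() (
    d=$(mktemp -d) || exit 1
    for ts in 20240101-090000 20240102-090000 20240103-090000; do
        printf 'constructed sample line\n' > "$d/audit-$ts.log"
    done
    echo "$d"
)

# Stand-alone use: sh gzip-audit.sh /path/to/audit/log/directory
if [ "$#" -gt 0 ]; then
    gzip_old_audit_logs "$1"
fi
```

Because the newest file is always skipped, running this from a daily job is safe even if the service manager has already restarted Syncthing, and it never compresses a file that is still being written.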