Loss information after log rotation

[selfuryon]

Hello!
I have installed FW1-LogGrabber v2.1 from github and i also have this config:

self:~/ $ sudo cat /usr/local/fw1-loggrabber/etc/fw1-loggrabber.conf                                                
# DEBUG_LEVEL=<debuglevel>
DEBUG_LEVEL="0"

# FW1_LOGFILE=<Name of FW1-Logfilename>
FW1_LOGFILE="2016"

# FW1_OUTPUT=<files|logs>
FW1_OUTPUT="logs"

# FW1_TYPE=<ng|2000>
FW1_TYPE="ng"

# FW1_MODE=<audit|normal>
FW1_MODE="normal"

# ONLINE_MODE=<yes|no>
ONLINE_MODE="no"

# RESOLVE_MODE=<yes|no>
RESOLVE_MODE="no"

# RECORD_SEPARATOR=<char>
RECORD_SEPARATOR="|"

# DATEFORMAT=<cp|unix|std>
#   cp   = " 3Feb2004 14:15:16"
#   unix = "1051655431"
#   std  = "2004-02-03 14:15:16"
DATEFORMAT="std"

# IGNORE_FIELDS=<field1;field2;...>
# IGNORE_FIELDS="uuid;__policy_id_tag"

# LOGGING_CONFIGURATION=<screen|file|syslog>
LOGGING_CONFIGURATION=file

# OUTPUT_FILE_PREFIX=<Path and Name of outputfile>
OUTPUT_FILE_PREFIX="/var/log/fw1-loggrabber/cp_log"

# OUTPUT_FILE_ROTATESIZE=<maximum size of outputfile in bytes>
# use OUTPUT_FILE_ROTATESIZE=0 to disable rotation
OUTPUT_FILE_ROTATESIZE=200000000

# SYSLOG_FACILITY=<USER|LOCAL0|...|LOCAL7>
SYSLOG_FACILITY="LOCAL1"

# FW1_FILTER_RULE=<rule>
#FW1_FILTER_RULE="action=drop"

# AUDIT_FILTER_RULE=<rule>
#AUDIT_FILTER_RULE="action=accept"

So Fw1-loggrabber should rotate log file after it reached about 200mb. That i got in my system:

self:fw1-loggrabber/ $ ls -hl                                                                                       [12:50:19]
итого 189M
-rw-r--r-- 1 self self 189M окт 31 12:50 cp_log.log
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:50:20]
итого 1,6M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self 758K окт 31 12:50 cp_log.log
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:50:21]
итого 15M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self  14M окт 31 12:50 cp_log.log
...
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:51:22]
итого 170M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self 169M окт 31 12:51 cp_log.log
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:51:23]
итого 195M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self 3,5M окт 31 12:51 cp_log-2016-10-31_125128.log
-rw-r--r-- 1 self self    0 окт 31 12:51 cp_log.log
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:51:46]
итого 195M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self 3,5M окт 31 12:51 cp_log-2016-10-31_125128.log
-rw-r--r-- 1 self self    0 окт 31 12:51 cp_log.log
self:fw1-loggrabber/ $ ls -hl                                                                                       [12:52:04]
итого 113M
-rw-r--r-- 1 self self 854K окт 31 12:50 cp_log-2016-10-31_125021.log
-rw-r--r-- 1 self self 3,5M окт 31 12:51 cp_log-2016-10-31_125128.log
-rw-r--r-- 1 self self 109M окт 31 12:52 cp_log.log

It lost huge portion of information in log file rotation...

[adepasquale]

That functionality has been inherited from previous version and honestly it hasn't been tested extensively. I suggest you to use OUTPUT_FILE_ROTATESIZE=0 and manage file rotation with an external tool (e.g. logrotate).

[selfuryon]

Thanks for answer! Maybe you give advice about logrotate configuration? I understand right that I should use copytruncate?

/var/log/fw1-loggrabber/cp_log.log {
    su root self
    rotate 100
    size=1G
    noolddir
    nomail
    missingok
    nocompress
    copytruncate
}

[adepasquale]

Yes, using logrotate with copytruncate is currently the best option available.