Hello everyone!
P.S. Sorry for my English.
I need to catch logs from the Metadata server where level = INFO, using syslog-ng.
So, I have a question about how I should configure syslog-ng.conf. In the source, must I indicate this:
source { file("/opt/sas/.../Metadata/metadataserver.sh"); }; and filter { level(info); }; or not?
Thanks
I did not quite understand your question. But if you are interested in information about syslog-ng then you may want to look at the knowledgebase at https://support.oneidentity.com/syslog-ng-premium-edition/7.0.14
Moreover, I do not know which version of the product you are using. But perhaps the following information helps you:
Metadata server logs are usually written to a folder named:
<..../lev1/Web/WebAppServer/SASServer1_1/logs/ >
The log4j configurations are stored in a folder named:
<.../lev1/Web/Common/LogConfig>
Before attempting to make changes, ensure that you know how log4j works and its syntax. Extensive documentation is available via Google.
Hope this helps.
Thank you for your answer!
I think my description of the problem was not correct.
I'll try one more time 🙂
Logs which I need writing, are located in /opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/Logs
But every day it makes a new log file, named like this: SASMeta_MetadataServer_%d_%S{hostname}_%S{pid}.log
My syslog-ng version is syslog-ng 2.0.9
I want to configure the /syslog-ng.conf file to read logs with level "info" from /opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/Logs
and send them over UDP to a specified server. But I don't know how to do it, because the log file changes its name every day.
I tried to configure syslog-ng.conf like this:
source sas_log { file("/opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/Logs/SASMeta_MetadataServer_%d_%S{hostname}_%S{pid}.log"); };
but syslog doesn't understand this.
I wrote a script file:
#!/bin/bash
cd /opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/Logs/;
op=$(ls -t | head -1);
ech=$(echo $op);
tail -f -s 1 "$ech" | grep INFO ;
and specified it in the source, but it doesn't work.
Generally, I want syslog-ng to read the current log file every day, if that is possible.
I hope I explained my idea correctly and simply 🙂
>>Logs which I need writing, are located in /opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/Logs
Sorry, I mean not writing, I mean reading.
You can try the following, which will write the "active" log to a single fixed log file name:
- Backup/save the file /opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/logconfig.xml as logconfig.xml.bak
- Edit the file /opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/logconfig.xml (You will need to insert one line)
<!-- Rolling log file with default rollover of midnight. -->
<appender class="RollingFileAppender" name="TimeBasedRollingFile">
<param name="File" value="/opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/Logs/SAS_MetadataServer.log"/>
<param name="Append" value="false"/>
- Afterwards, stop/restart your services.
Now, you can use the log file: /opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/Logs/SAS_MetadataServer.log in your syslog-ng.conf
source sas_log { file("/opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/Logs/SAS_MetadataServer.log"); };
Note
1. I do not know much about syslog-ng, so check the syntax carefully
2. I did not test the above...but I believe the above would work. You will need to test the above in a "test environment" before you change production configuration.
Thank you!
Your solution is very good and simple.
I think I will try to do what you say if my solution does not work.
😃
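I did the following:
As I said, I wrote a simple script:
#!/bin/bash
# Follow the newest Metadata Server log and append its INFO lines to /tmp/arcsight.
cd /opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/Logs/ || exit 1
while true
do
    # Newest file in the log directory (a new log file is created every day).
    op=$(ls -t | head -1)
    # tail -f does not exit by itself, so the loop reaches the next
    # iteration (and picks a newer file) only after tail has been stopped.
    # --line-buffered makes grep write each matching line immediately.
    tail -f -s 1 "$op" | grep --line-buffered 'INFO' >> /tmp/arcsight
    sleep 1
done
And I started it with nohup.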
Syslog source - source { file "/tmp/arcsight" .......); };
Now syslog reads the log from /tmp/arcsight and sends it to the specified server.
Thank you one more time!
P.S. sorry for my English
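
An added example, not code from the thread or from any poster: a variant of the follow-the-newest-file loop above that switches to the new file after the daily rollover, because tail -f alone never exits. It assumes GNU tail and grep; the output path and the function names are assumptions.

```bash
#!/bin/bash
# Added example, not code from the thread. Needs GNU tail and GNU grep.
# Assumed names: OUT, newest_log, info_only, follow_until_rollover.
LOG_DIR="${LOG_DIR:-/opt/sas94/SASConfig/Lev1/SASMeta/MetadataServer/Logs}"
# Assumed output path. Unlike /tmp it is not writable by every local user,
# so nobody else can pre-create the file or feed lines into it.
OUT="${OUT:-/var/log/sas_meta_info.log}"

# Print the most recently modified daily log in directory $1; fail if none.
newest_log() (
    newest=""
    for f in "$1"/SASMeta_MetadataServer_*.log; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest="$f"; fi
    done
    [ -n "$newest" ] || exit 1
    printf '%s\n' "$newest"
)

# Pass through only lines with INFO as a whole word, flushing each line
# so the reader of $OUT sees events without buffering delay.
info_only() {
    grep --line-buffered -w 'INFO'
}

# Follow file $1 from tail position $2 ("0" = new lines only,
# "+1" = from the first line) and return once a newer log file exists.
follow_until_rollover() {
    ( while [ "$(newest_log "$LOG_DIR")" = "$1" ]; do sleep 5; done ) &
    watcher=$!
    # --pid makes tail exit when the watcher exits, which ends the pipeline.
    tail -n "$2" -s 1 --pid="$watcher" -f "$1" | info_only >> "$OUT"
}

main() {
    start=0    # at startup, do not replay lines already in the file
    while true; do
        if current=$(newest_log "$LOG_DIR"); then
            follow_until_rollover "$current" "$start"
            start=+1    # after a rollover, read the new file from the top
        else
            sleep 5
        fi
    done
}

if [ "${1:-}" = "run" ]; then main; fi
```

Start it with the argument run; syslog-ng can then read the file named by OUT with a file() source, as in the post above.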