From 10faf2a02795d6db40079fee12a4870397cba829 Mon Sep 17 00:00:00 2001 From: Mark Bonsack Date: Thu, 21 May 2020 21:02:03 -0700 Subject: [PATCH] Refine archive documentation * Clarify archive documentation * Include a backslash escape for angle brackets --- docs/configuration.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index 35d931d..82263a0 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -44,7 +44,7 @@ separately from that of the alternates below. | Variable | Values | Description | |----------|---------------|-------------| | SC4S_DEST_GLOBAL_ALTERNATES | Comma or space-separated list of syslog-ng destinations | Send all sources to alternate destinations | -| SC4S_DEST_\_ALTERNATES | Comma or space-separated list of syslog-ng destiinations | Send specific sources to alternate syslog-ng destinations, e.g. SC4S_DEST_CISCO_ASA_ALTERNATES | +| SC4S_DEST_\_ALTERNATES | Comma or space-separated list of syslog-ng destiinations | Send specific sources to alternate syslog-ng destinations, e.g. SC4S_DEST_CISCO_ASA_ALTERNATES | ## SC4S Disk Buffer Configuration 
@@ -85,24 +85,25 @@ total buffer size needed. To determine the proper size of the disk buffer, consu ## Archive File Configuration -This feature is designed to support compliance or "diode mode" archival of all messages. Instructions for enabling this feature are included -in each "getting started" runtime document. The files will be stored in a folder structure using the pattern shwon in the table below -depending on the value of the `SC4S_GLOBAL_ARCHIVE_MODE` variable. All events for both modes are formatted using syslog-ng's EWMM template. +This feature is designed to support compliance or "diode mode" archival of all messages. Instructions for mounting the appropriate +local directory to use this feature are included in each "getting started" runtime document. The files will be stored in a folder +structure at the mount point using the pattern shown in the table below depending on the value of the `SC4S_GLOBAL_ARCHIVE_MODE` variable. +All events for both modes are formatted using syslog-ng's EWMM template. -| Variable | Values/Default | Location/Pattern | +| Variable | Value/Default | Location/Pattern | |----------|------------------|------------------| | SC4S_GLOBAL_ARCHIVE_MODE | compliance(default) | ``/${YEAR}/${MONTH}/${DAY}/${fields.sc4s_vendor_product}_${YEAR}${MONTH}${DAY}${HOUR}${MIN}.log"`` | | SC4S_GLOBAL_ARCHIVE_MODE | diode | ``/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-archive.log`` | **WARNING POTENTIAL OUTAGE CAUSING CONSEQUENCE** -SC4S does not prune the files that are created. The administrator must provide a means of log rotation to prune files -and/or move them to an archival system to avoid exhaustion of disk space. +Use the following variables to select global archiving or per-source archiving. C4S does not prune the files that are created; +therefore the administrator must provide a means of log rotation to prune files and/or move them to an archival system to avoid exhaustion of disk space. 
| Variable | Values | Description | |----------|---------------|-------------| | SC4S_ARCHIVE_GLOBAL | yes or undefined | Enable archive of all vendor_products | -| SC4S_ARCHIVE_LISTEN_ | yes(default) or undefined | See sources section of documentation enables selective archival | +| SC4S_ARCHIVE_LISTEN_\ | yes(default) or undefined | See sources section of documentation enables selective archival | ## Syslog Source Configuration
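Review bot: In the first hunk (docs/configuration.md, `@@ -44,7 +44,7 @@`), the added `SC4S_DEST_..._ALTERNATES` row still spells "destiinations" in its Values column. Since the row is being rewritten anyway, correct it to "destinations" so it matches the `SC4S_DEST_GLOBAL_ALTERNATES` row directly above it.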
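Review bot: In the second hunk (`@@ -85,24 +85,25 @@`, Archive File Configuration), the rewritten warning paragraph reads "C4S does not prune the files that are created", dropping the leading "S" from the "SC4S" that the removed line had; restore the product name. The new sentence "Use the following variables to select global archiving or per-source archiving." also now sits directly under the **WARNING POTENTIAL OUTAGE CAUSING CONSEQUENCE** line, ahead of the disk-exhaustion statement the warning exists to flag. Moving that sentence to just above the `SC4S_ARCHIVE_GLOBAL` table would keep the pruning requirement as the first thing an administrator reads under the warning. The unchanged compliance pattern in the same hunk ends in `.log"` with a stray double quote inside the backticks, which is worth cleaning up while this section is being touched.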