If there are residual logs in /var/log/syslog, they will all be processed by DataServer.py when initialized. I would prefer if it only processed real time events.
Two options:
1. Truncate /var/log/syslog when DataServer.py is initialized.
2. Start reading from end of /var/log/syslog.
Thoughts/Ideas?
I like the first: truncate the syslog once, when DataServer.py is run.
I also do that.
syslog.py can run all the time, even if DataServer.py is restarted several times.
And if the syslog is never truncated, it will get bigger and bigger.
The log files should not be modified, in my opinion. It would be better to work on the application so that it reads only the new data, and not from start to finish as it does now. Another interesting option I offer here is to transfer the log that arrives in syslog to a specific file. This makes things easier because it does not mix attack logs with system logs, access, etc. It is possible by editing the configuration file of your log system and putting in something like this:
if $fromhost-ip startswith '192.168.0.2' then /var/log/snort.log
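
Added example, not part of the thread and not the project's own code: a sketch of the "start reading from the end" option, which leaves /var/log/syslog unmodified. The `LogFollower` class and its method names are hypothetical; it assumes a POSIX filesystem where log rotation either renames the file or truncates it in place.

```python
import os


class LogFollower:
    """Hypothetical helper: return only lines appended after construction."""

    def __init__(self, path):
        self.path = path
        self._buf = b""
        self._open(skip_existing=True)

    def _open(self, skip_existing):
        self._fh = open(self.path, "rb")
        self._inode = os.fstat(self._fh.fileno()).st_ino
        if skip_existing:
            self._fh.seek(0, os.SEEK_END)  # ignore residual entries

    def poll(self):
        """Non-blocking: complete lines written since the previous call."""
        self._buf += self._fh.read()  # drain what the current handle still has
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            st = None  # mid-rotation: retry on the next poll
        if st and st.st_ino != self._inode:
            # Rotated by rename: everything in the new file is new data.
            self._fh.close()
            self._open(skip_existing=False)
            self._buf += self._fh.read()
        elif st and st.st_size < self._fh.tell():
            # Truncated in place (e.g. copytruncate): restart at offset 0.
            self._fh.seek(0)
            self._buf += self._fh.read()
        # Keep a trailing partial line in the buffer until its newline arrives.
        *lines, self._buf = self._buf.split(b"\n")
        return [ln.decode("utf-8", "replace") for ln in lines]


if __name__ == "__main__":
    import sys
    import time

    follower = LogFollower(sys.argv[1])  # path supplied by the caller
    while True:
        for line in follower.poll():
            print(line)
        time.sleep(0.5)
```

Because the file is opened read-only and never truncated, the full log stays available for later review, and the reader needs no write access to it.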