I am setting up Linux log file monitoring, but I want to understand how it functionally works. I cannot find a good explanation anywhere. My concern is large log files. Is there a recommended log file size limit for the most efficient operation?
Once the monitor is set up, how is it actually monitored by the cross-platform agent? Does the agent scan the entire file every "X" amount of time? Does it maintain a tail on the log, watching for the regex coming through? If the agent scans the log every so often, I would anticipate increased overhead due to large log files.
Does anyone have a good explanation for me? What can I expect in the way of performance for large log files?
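As an added illustration of the two mechanisms the question contrasts (rescanning the whole file on every interval versus keeping a byte offset and reading only what was appended), here is a small offset-based tailer. This is example code written for this thread, not the agent's own implementation, and nothing in the post establishes which approach a particular agent uses; the regex, the `auth.log`-style sample lines and the `OffsetTailer` class are all constructed for the demo. The cost of each poll is proportional to the bytes appended since the last poll, not to the file size, which is why file size by itself stops mattering once the agent tails rather than rescans. The tailer also handles the two cases a naive `seek(offset)` gets wrong: the file being truncated in place (copytruncate-style rotation) and the path pointing at a new inode (rename-style rotation).

```python
import os
import re
import tempfile

# Constructed pattern: sshd password failures, capturing user and source IP.
PATTERN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


class OffsetTailer:
    """Tail a log by remembering how far we have read; never rescan old bytes."""

    def __init__(self, path, pattern):
        self.path = path
        self.pattern = pattern
        self.offset = 0        # byte position of the first unread byte
        self.inode = None      # inode seen on the last poll, to detect rotation
        self.partial = b""     # trailing incomplete line carried to the next poll
        self.bytes_read = 0    # total bytes actually read, to show the cost model

    def poll(self):
        """Read only bytes appended since the last poll and return regex matches."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []  # file rotated away and not yet recreated: try again later
        if self.inode != st.st_ino or st.st_size < self.offset:
            # New inode (log renamed, fresh file created) or file truncated in place:
            # our offset no longer means anything, so restart from the beginning.
            self.inode, self.offset, self.partial = st.st_ino, 0, b""
        if st.st_size == self.offset:
            return []  # nothing appended: zero bytes read, zero regex work
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            chunk = f.read()
            self.offset = f.tell()
        self.bytes_read += len(chunk)
        lines = (self.partial + chunk).split(b"\n")
        self.partial = lines.pop()  # last element is empty or an unfinished line
        matches = []
        for raw in lines:
            m = self.pattern.search(raw.decode("utf-8", "replace"))
            if m:
                matches.append(m.groups())
        return matches


def demo():
    """Drive the tailer through append, idle poll and in-place truncation."""
    # Constructed sample log lines, not output from any real host.
    lines1 = [
        "Jan 10 10:00:01 host sshd[1]: Failed password for root from 203.0.113.5 port 2222 ssh2",
        "Jan 10 10:00:02 host sshd[1]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2",
    ]
    line2 = "Jan 10 10:00:03 host sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 2223 ssh2"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        tailer = OffsetTailer(path, PATTERN)
        with open(path, "w") as f:
            f.write("\n".join(lines1) + "\n")
        first = tailer.poll()    # reads both lines, one match
        second = tailer.poll()   # nothing new: no I/O, no rescan
        with open(path, "a") as f:
            f.write(line2 + "\n")
        third = tailer.poll()    # reads only the appended line
        with open(path, "w") as f:  # copytruncate-style rotation: emptied in place
            f.write(lines1[0] + "\n")
        fourth = tailer.poll()   # truncation detected, offset reset, new content read
        return first, second, third, fourth


if __name__ == "__main__":
    for step, result in zip(("first", "second", "third", "fourth"), demo()):
        print(step, result)
```

In production you would call `poll()` on a timer or from an inotify `IN_MODIFY` event and persist `offset`/`inode` across agent restarts so nothing is re-alerted. One caveat the demo makes visible: with rename-style rotation, lines written to the old file between the last poll and the rename are never read, so the poll interval, not the file size, is what bounds the loss.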