I choose to continue in this thread, as VI prompted me, the first time log2ram was full, that it cannot write to the swap file. Feel free to put me in the right thread.
As some users may experience problems with logs that are heavy for Pi distributions, please explain how to disable log2ram indefinitely.
To my understanding, the btrfs filesystem commits writes to the SD card or eMMC based on the fstab setting, which you set by default to 600 sec, and which I copied for the SD card.
So anyway, log data is buffered (or cached) in RAM until the commit kicks in. Right?
My solutions for big logs are:
1. Cron using sed to clean useless log data, then pipe to xz (take care, as this is time-consuming with big files, and xz may be a memory killer with compression set to 8-9 or with many threads)
sed 's/firewall.*src-mac//;s/NAT.*//;s/len.*//' mikrotik.2018.02.08.log | xz -8ev -M 800MiB > new.xz
2. Better, but a little more demanding: fiddle with the syslog-ng config (if you have extensive log headers or other data outside the MSG box, you have to work it out yourself)
If you have some remote syslog configured, add this template into the log command:
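# Rewrite rule applied to the message body (MSG); the regexes and
# replacement strings below are placeholders to fill in.
rewrite MT_log_subst {
    subst("<begin.*end>", "<substitution>", value("MSG"), type(posix), flags("global") );
    subst("<anotherregex>", "<anothersubst> ", value("MSG"), flags(global) );
};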
That handles useless data in logs on the fly, yet takes some CPU attention.
More (maybe even too much) info below, on pages 349-365:
https://syslog-ng.com/documents/html/syslog-ng-ose-3.8-guides/en/syslog-ng-ose-guide-admin/pdf/syslog-ng-ose-guide-admin.pdf#index
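
Added example, not part of the original post: the three sed substitutions from option 1 run over constructed MikroTik-style lines, next to an anchored variant, to show which non-firewall lines an unanchored pattern such as `len.*` also truncates. The function names, the sample lines and the assumed field layout (`, NAT (...)->...` and a trailing `, len <n>`) are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample lines in MikroTik firewall-log style (not real traffic).
sample_lines() {
cat <<'EOF'
Feb  8 10:15:01 gw firewall,info forward: in:ether1 out:ether2, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.10:51234->198.51.100.7:443, NAT (192.0.2.10:51234->203.0.113.5:51234)->198.51.100.7:443, len 60
Feb  8 10:15:02 gw firewall,info input: in:ether1 out:(none), src-mac 00:11:22:33:44:66, proto UDP, 192.0.2.20:5353->224.0.0.251:5353, len 73
Feb  8 10:15:03 gw system,info,account user helen logged in from 192.0.2.30 via ssh
EOF
}

# The three substitutions from the post, unchanged.
trim_post() {
    sed 's/firewall.*src-mac//;s/NAT.*//;s/len.*//'
}

# Anchored variant (assumed layout): remove only the NAT field and a
# trailing ", len <n>", so "len" inside other words is left alone.
trim_anchored() {
    sed -e 's/firewall.*src-mac//' \
        -e 's/, NAT ([^)]*)->[^,]*//' \
        -e 's/, len [0-9][0-9]*$//'
}

# Print every non-firewall line that the given filter modified anyway.
# $1 = name of the filter function to test.
collateral() {
    sample_lines | grep -v 'firewall' | while IFS= read -r line; do
        out=$(printf '%s\n' "$line" | "$1")
        [ "$out" = "$line" ] || printf '%s\n' "$out"
    done
}

echo "== post filter =="
sample_lines | trim_post
echo "== anchored filter =="
sample_lines | trim_anchored
echo "== non-firewall lines altered by the post filter =="
collateral trim_post
```

With the unanchored filter, the login line loses its source address because `len.*` matches inside the user name; checking a filter against a sample of every log topic before putting it in cron avoids silently dropping fields needed later for investigation.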