Syslog and/or logrotate problem

Charles Steinkuehler charles at steinkuehler.net
Fri Oct 25 12:00:06 CDT 2002 

> I have 2 similar servers running rh 7.1.  One of them rotates logs
just fine
> and the other does not.  The failing one seems to write to one log,
then
> when it stops writing to that one and starts writing to the next, it
> actually deletes all the entries from the first log file.  For
example, on
> Monday it will write to maillog.  When I come in Tuesday morning,
maillog
> will be empty, and the server will be writing to maillog.1.  Wednesday
> maillog and maillog.1 are empty, and it is writing to maillog.2.  The
> logrotate.conf files are identical, syslog.conf files are identical,
the
> cron entries are identical, and the rc.local's are identical.  One
> difference that I do see, is a ps -aux |grep log on each server shows
that
> one is running
>
> syslogd -m -0 -r
>
> while the other is running
>
> syslogd -m -0
>
> A final thing I have noticed is when I restart syslog, the system
starts
> writing to the first log file again, and starts cycling back through
the
> same (wrong) way.
>
> Any help is greatly appreciated...I am losing log files!

You're missing a command to cause your process to re-open it's log-file.
Typically something like sending it a -HUP or doing a service <whatever>
restart.

What's happening is the logrotate script is properly moving the file
(log -> log.1 -> log.2), but your server process is not re-opening the
file.  Since the log file is just moved, the existing file-handle used
to write the file is still valid, so your server process happily
continues to write data to the newly re-named log file.

Take a look at some of the RedHat examples in /etc/logrotate.d, and
check out the logrotate man pages.  You probably want to make a
postrotate script that causes your server to re-open it's log files.
For instance, the apache logrotate entry sends a -HUP:

[root at iguana root]# cat /etc/logrotate.d/apache
/var/log/httpd/access_log /var/log/httpd/agent_log
/var/log/httpd/error_log /var/log/httpd/referer_log {
    daily
    mail webmaster at newtek.com
    compress
    delaycompress
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null
|| true
    endscript
}

Modify as required for your mail server...

Charles Steinkuehler
charles at steinkuehler.net

More information about the Kclug mailing list