Syslog and/or logrotate problem
Charles Steinkuehler
charles at steinkuehler.net
Fri Oct 25 12:00:06 CDT 2002
> I have 2 similar servers running rh 7.1. One of them rotates logs
just fine
> and the other does not. The failing one seems to write to one log,
then
> when it stops writing to that one and starts writing to the next, it
> actually deletes all the entries from the first log file. For
example, on
> Monday it will write to maillog. When I come in Tuesday morning,
maillog
> will be empty, and the server will be writing to maillog.1. Wednesday
> maillog and maillog.1 are empty, and it is writing to maillog.2. The
> logrotate.conf files are identical, syslog.conf files are identical,
the
> cron entries are identical, and the rc.local's are identical. One
> difference that I do see, is a ps -aux |grep log on each server shows
that
> one is running
>
> syslogd -m -0 -r
>
> while the other is running
>
> syslogd -m -0
>
> A final thing I have noticed is when I restart syslog, the system
starts
> writing to the first log file again, and starts cycling back through
the
> same (wrong) way.
>
> Any help is greatly appreciated...I am losing log files!
You're missing a command to cause your process to re-open it's log-file.
Typically something like sending it a -HUP or doing a service <whatever>
restart.
What's happening is the logrotate script is properly moving the file
(log -> log.1 -> log.2), but your server process is not re-opening the
file. Since the log file is just moved, the existing file-handle used
to write the file is still valid, so your server process happily
continues to write data to the newly re-named log file.
Take a look at some of the RedHat examples in /etc/logrotate.d, and
check out the logrotate man pages. You probably want to make a
postrotate script that causes your server to re-open it's log files.
For instance, the apache logrotate entry sends a -HUP:
[root at iguana root]# cat /etc/logrotate.d/apache
/var/log/httpd/access_log /var/log/httpd/agent_log
/var/log/httpd/error_log /var/log/httpd/referer_log {
daily
mail webmaster at newtek.com
compress
delaycompress
missingok
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null
|| true
endscript
}
Modify as required for your mail server...
Charles Steinkuehler
charles at steinkuehler.net
More information about the Kclug
mailing list