[syslog-ng] re-opening it's logs
Tim Rupp
caphrim007 at gmail.com
Tue Dec 8 16:59:49 CET 2009
will syslog-ng re-open it's log files if it finds that the size of the
log has suddenly decreased or the inode has changed or something
similar that may be caused by a logrotate? Or should I just get in the
habit of sighup'ing the process?
I have a log file on AFS space that seems to have stopped being
written to, but log files on the local system are still chugging along
just fine, so I think an errant rotate script is taking place on that
remote system and moving the file and syslog-ng isn't noticing.
My last log entry in the syslog-ng log is this
Dec 7 15:56:02 clogger syslog-ng[23479]: Initializing destination
file writer; template='/afs/files/data/k5logs/tmp/kdc.log',
filename='/afs/files/data/k5logs/tmp/kdc.log'
but, and this is my next question, that timestamp is ~8 hours off.
It's 9:47 am here and syslog-ng is writing Dec 8 01:38:01 into the
syslog-ng.log file. `date` command on the system is reporting
[root at clogger tarupp]# date
Tue Dec 8 09:43:16 CST 2009
and other log files have a correct date in them.
The related log config entries are
source s_internal { internal(); };
destination d_syslog { file("/logging/syslog-ng/syslog-ng.log"); };
log { source(s_internal); destination(d_syslog); };
a snippet of the syslog-ng.log file is
Dec 8 01:44:01 clogger syslog-ng[23479]: Closing log transport fd; fd='1043'
Dec 8 01:44:01 clogger syslog-ng[23479]: Destination timed out,
reaping; template='/logging/syslog-ng/$HOST/secure',
filename='/logging/syslog-ng/fnd0763/secure'
and there are a bunch of these going into the file. The "seconds" in
the timestamp also do not change even though time is. For example,
that 01 seconds could stay there for a minute or so for each log entry
and then a
Dec 8 01:45:31 clogger syslog-ng[23479]: Reaping unused destination
files; template='/logging/syslog-ng/$HOST/messages'
will come along and increment the seconds by 1; not to the new time though.
If I had to venture a guess, maybe the time_reap value is too low?
(ours is set to the default) and maybe we have such a large number of
one-shot hosts that syslog-ng is getting backed up writing to that log
file?
Any ideas?
Thanks,
Tim
More information about the syslog-ng
mailing list