<div dir="auto">In Unix you can rename an opened file, and any processes having that file open will continue to write to that file.<div dir="auto"><br></div>
<div dir="auto">So this is what should happen:</div>
<div dir="auto">* Logrotate moves the current log file to a different name</div>
<div dir="auto">* Logrotate alerts snmptrapd that it needs to write to the new file (usually via SIGHUP)</div>
<div dir="auto">* syslog-ng continues to read the old file (keeping it open during the process above, i.e. still referencing the old file even if it has been renamed)</div>
<div dir="auto">* When EOF is reached, syslog-ng checks if there's a different file with the original name.</div>
<div dir="auto">* If there is, it switches to it.</div>
<div dir="auto">* The renamed "old" logfile can be compressed/moved away/etc.</div>
<div dir="auto"><br></div>
<div dir="auto">This handshake ensures that no data is lost.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 21, 2019, 17:41 Allen Pouratian <<a href="mailto:Allen.Pouratian@alticeusa.com" target="_blank" rel="noreferrer">Allen.Pouratian@alticeusa.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_-4708140089481910009m_6919632631333712008WordSection1">
<p class="MsoNormal">Balázs –<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">What guarantee is there that I won’t lose traps? <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="m_-4708140089481910009m_6919632631333712008MsoListParagraph" style="margin-left:0in">Does logrotate make sure snmptrapd has finished writing to
<b>"/var/log/snmptrapd.log"? </b>Is the write by snmptrapd 5.7.3+ always atomic for one or more traps?<u></u><u></u></li><li class="m_-4708140089481910009m_6919632631333712008MsoListParagraph" style="margin-left:0in">Does syslog-ng 3.20.1 make sure it instantly reads every trap written by snmptrapd to
<b>"/var/log/snmptrapd.log" </b>before it’s switched out by logrotate?<u></u><u></u></li></ol>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I apologize if this is basic knowledge I’m not aware of.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Best Regards,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">-Allen<u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" rel="noreferrer noreferrer" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>> <b>
On Behalf Of </b>Scheidler, Balázs<br>
<b>Sent:</b> Monday, May 20, 2019 11:55 AM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" rel="noreferrer noreferrer" target="_blank">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> Re: [syslog-ng] snmptrap handler parses SNMP traps correctly, but the file it reads from is not emptying<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">Just set up logrotate on that file, syslog-ng will read till the end and start the new one if the rotation happens.
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">So instead of truncating, rename it to a new name, and let snmptrapd write to a new file.<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Mon, May 20, 2019, 15:55 Allen Pouratian <<a href="mailto:Allen.Pouratian@alticeusa.com" rel="noreferrer noreferrer" target="_blank">Allen.Pouratian@alticeusa.com</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Hello –<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">I set up snmptrapd to write to
<b>/var/log/snmptrapd.log</b> and syslog-ng is configured to read from it like this …<u></u><u></u></p>
<pre style="font-family:Consolas"># source name (s_snmptrap) assumed: syslog-ng requires one and the message omitted it
source s_snmptrap {
    snmptrap(filename("/var/log/snmptrapd.log"));
};
</pre>
<p class="MsoNormal">… but
<b>/var/log/snmptrapd.log</b> is not getting emptied, so it needs to be truncated every so often to avoid filling up the filesystem.<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:.5in">
<u></u><u></u></p>
<p class="MsoNormal">But the problem with truncating
<b>/var/log/snmptrapd.log</b> is that we’re going to lose traps, since we get a lot of them.<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:.5in">
<u></u><u></u></p>
<p class="MsoNormal">When I was testing this syslog-ng snmptrap facility with a few traps a minute, I saw
<b>/var/log/snmptrapd.log</b> empty, but with hundreds of traps incoming per second, it does not empty any more.<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:.5in">
<u></u><u></u></p>
<p class="MsoNormal">I have what looks like a work-around to the syslog-ng snmptrap handler/parser where …<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:.5in">
<u></u><u></u></p>
<ol start="1" type="1">
<li class="m_-4708140089481910009m_6919632631333712008m4692089798487277835msolistparagraph">Snmptrapd 5.7.3 writes to syslog with -Lsd</li>
<li class="m_-4708140089481910009m_6919632631333712008m4692089798487277835msolistparagraph">Syslog-ng 3.20 reads from syslog with system-journal()</li>
<li class="m_-4708140089481910009m_6919632631333712008m4692089798487277835msolistparagraph">Rewrite the trap $MESSAGE with a series of “substitutions” (subst) into space-separated key=value pairs</li>
<li class="m_-4708140089481910009m_6919632631333712008m4692089798487277835msolistparagraph">Point kv-parser() at $MESSAGE and specify “ “ as a separator</li>
<li class="m_-4708140089481910009m_6919632631333712008m4692089798487277835msolistparagraph">Delete the original $MESSAGE block</li>
</ol>
<p class="MsoNormal" style="margin-left:.5in">
<u></u><u></u></p>
<p class="MsoNormal">… but perhaps I didn’t have to do that, since perhaps I’m mis-using the snmptrap facility built into syslog-ng, and thus causing
<b>/var/log/snmptrapd.log</b> to not empty.<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:.5in">
<u></u><u></u></p>
<p class="MsoNormal">Your comments and insights would be appreciated.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">- Allen<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a></p>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote></div>
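<p>The rename-then-reopen handshake described at the top of the thread, as an added simulation that is not part of any post in it: <code>Writer</code> stands in for snmptrapd (one descriptor kept open, reopened on what would be the SIGHUP), <code>rotate</code> for logrotate's rename, and <code>Follower</code> for syslog-ng's file reader that drains to EOF and only then checks whether the name now points at a different inode. All names, the temporary directory and the <code>trap N</code> lines are constructed for the example; nothing touches the real <code>/var/log/snmptrapd.log</code>.</p>

```python
import os
import tempfile


class Writer:
    """Stands in for snmptrapd: holds one open descriptor and appends lines to it."""

    def __init__(self, path):
        self.path = path
        self.fd = open(path, "a", buffering=1)  # line-buffered, O_APPEND

    def write(self, line):
        self.fd.write(line + "\n")

    def reopen(self):
        """What the daemon does on SIGHUP: close the now-renamed file, open the path again."""
        self.fd.close()
        self.fd = open(self.path, "a", buffering=1)

    def close(self):
        self.fd.close()


class Follower:
    """Stands in for syslog-ng's file reader: drain the open file to EOF, and only at
    EOF check whether the name now refers to a different inode; switch if it does."""

    def __init__(self, path):
        self.path = path
        self.fd = open(path, "r")
        self.inode = os.fstat(self.fd.fileno()).st_ino
        self.lines = []

    def poll(self):
        while True:
            line = self.fd.readline()
            if not line:
                break
            self.lines.append(line.rstrip("\n"))
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return  # renamed but not yet recreated: keep the old descriptor and wait
        if st.st_ino != self.inode:
            self.fd.close()
            self.fd = open(self.path, "r")
            self.inode = st.st_ino
            self.poll()  # the new file may already hold data

    def close(self):
        self.fd.close()


def rotate(path):
    """logrotate's move step: rename, never truncate, so the writer's descriptor
    still points at the old inode and nothing written meanwhile is dropped."""
    os.rename(path, path + ".1")


def read_lines(path):
    with open(path) as f:
        return [l.rstrip("\n") for l in f]


def simulate():
    """Run the handshake with constructed trap lines; return what each side ended up with."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "snmptrapd.log")  # constructed path, not the real log
        writer = Writer(path)
        follower = Follower(path)

        for i in range(3):
            writer.write(f"trap {i}")
        follower.poll()                        # reader is caught up

        rotate(path)                           # 1. logrotate renames the file
        for i in range(3, 6):
            writer.write(f"trap {i}")          # daemon still writes to the old inode
        writer.reopen()                        # 2. SIGHUP: daemon opens the new file
        for i in range(6, 9):
            writer.write(f"trap {i}")

        follower.poll()                        # 3-5. drain old file, notice new inode, switch

        writer.close()
        follower.close()
        return {
            "seen": follower.lines,
            "old_file": read_lines(path + ".1"),
            "new_file": read_lines(path),
        }


if __name__ == "__main__":
    result = simulate()
    print("follower saw :", result["seen"])
    print("rotated file :", result["old_file"])
    print("new file     :", result["new_file"])
```

<p>The lines written between the rename and the reopen (<code>trap 3</code> to <code>trap 5</code>) land in the renamed file and are still read by the follower before it switches, which is the property that truncating the file in place cannot give you.</p>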