It is a bit hard to believe that after receiving a HUP signal syslog-ng keeps destination files open, keep-alive isn't implemented there. did you signal the supervisor process maybe?

# pgrep -fl syslog-ng
30742 supervising syslog-ng
30743 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid --fd-limit 262144

# lsof -p 30743 | grep -c deleted
285

# kill -HUP 30743

# echo $?
0

# lsof -p 30743 | grep -c deleted
290

>I'd check syslog-ng's messages.

The only one message is there:
Jul 24 09:40:50 syslog-host syslog-ng[30743]: Configuration reload request received, reloading configuration;


> BTW did you check whether the file is still being written or not?

Syslog-NG started to write to the new file at 23:59:59 just as it should. I'm seeing new log lines in the new log files started at 00:00:05. So it seems to be ok.

> You're using the date extracted from the incoming log messages so when a client still sends logs with the given day then syslog-ng will keep writing to that file so it won't close it - thus if another process unlinked it then lsof will show the file as deleted.

All the apps are configured to send logs in UTC as well as syslog-ng host is configured in UTC. Just re-checked it, the time seems to be in sync everywhere.



On Wed, Jul 24, 2013 at 1:31 PM, Sandor Geller <Sandor.Geller@morganstanley.com> wrote:
It is a bit hard to believe that after receiving a HUP signal syslog-ng keeps destination files open, keep-alive isn't implemented there. did you signal the supervisor process maybe? I'd check syslog-ng's messages.

BTW did you check whether the file is still being written or not? You're using the date extracted from the incoming log messages so when a client still sends logs with the given day then syslog-ng will keep writing to that file so it won't close it - thus if another process unlinked it then lsof will show the file as deleted.


On Wed, Jul 24, 2013 at 11:12 AM, Anton Koldaev <koldaevav@gmail.com> wrote:
Hi, I'm using Syslog-NG OSE v.3.3.7-1~mhp1~lucid (Ubuntu Lucid)
And I have the following destination file():
    file("/u/logs/`app`/${MONTH}${DAY}/${1}/${1}${2}/${LOGSORT.ACCOUNT}.log"

Syslog-NG switches to the new file at 23:59:59 every day just fine but for some reason it leaves files for the previous day open:
# date
Wed Jul 24 09:04:19 UTC 2013
# lsof | grep a/ac/account.log
syslog-ng 30743     root 3351w      REG              252,2    72597491   66306075 /u/logs/app/0723/a/ac/account.log (deleted)
syslog-ng 30743     root 4896w      REG              252,2    17017519    4572052 /u/logs/app/0724/a/ac/account.log

And they're being deleted by my rotating script.
Reloading syslog-ng using init script or with `kill -HUP` doesn't help - all deleted files are still open by syslog-ng.
Global option "time_reap (30);" doesn't seem to help too.

Any ideas?


--
Best regards,
Koldaev Anton

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq




______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq





--
Best regards,
Koldaev Anton