RE: [syslog-ng]deleting log files - syslog-ng]
Hello On Fri, Oct 26, 2001 at 12:11:48PM +0200, Thomas Kaehn wrote:
cp /some/where/file.log /some/where/old/file.log.old cp /dev/null /some/where/file.log This way, file still exists and file descriptos are not closed. However, this is not atomic, one might lose logged lines before file is truncated.
Better idea: mv logfile logfile.old kill -WHATEVER syslog-ng This way it would continue writing into the moved file until I restart it which would flush buffers, close the file and then crate a new one. But a fstat() call at each write would be a more elegant solutuion if it doesn't slow down writing too much.
-MNi
bye, -christian- -- Christian Hammers WESTEND GmbH - Aachen und Dueren Tel 0241/701333-0 ch@westend.com Internet & Security for Professionals Fax 0241/911879 WESTEND ist CISCO Systems Partner - Premium Certified
On Fri, Oct 26, 2001 at 12:11:48PM +0200, Thomas Kaehn wrote:
cp /some/where/file.log /some/where/old/file.log.old cp /dev/null /some/where/file.log This way, file still exists and file descriptos are not closed. However, this is not atomic, one might lose logged lines before file is truncated.
Better idea: mv logfile logfile.old kill -WHATEVER syslog-ng This way it would continue writing into the moved file until I restart it which would flush buffers, close the file and then crate a new one.
That's correct. But, if you'd prefer not restarting syslog-ng, then one might use cp. On our case, we have another process parsing the syslog output, hence mv'ing logfile and restarting syslog-ng necessitates restarting the parser process as well...
But a fstat() call at each write would be a more elegant solutuion if it doesn't slow down writing too much.
Can't comment this performance issue, perhaps Bazsi has given it a thought? -MNi
You might also want to try using lsof to see who and what has the log file pinned open (although it should be obvious) if your OS freezes the file context in open mode while that instance of the application is running. T ----- Original Message ----- From: "Mikko Niskanen" <mikko.niskanen@soon.fi> To: <syslog-ng@lists.balabit.hu> Sent: Friday, October 26, 2001 4:31 AM Subject: RE: [syslog-ng]deleting log files - syslog-ng]
On Fri, Oct 26, 2001 at 12:11:48PM +0200, Thomas Kaehn wrote:
cp /some/where/file.log /some/where/old/file.log.old cp /dev/null /some/where/file.log This way, file still exists and file descriptos are not closed. However, this is not atomic, one might lose logged lines before file is truncated. Better idea: mv logfile logfile.old kill -WHATEVER syslog-ng This way it would continue writing into the moved file until I restart it which would flush buffers, close the file and then crate a new one.
That's correct. But, if you'd prefer not restarting syslog-ng, then one might use cp. On our case, we have another process parsing the syslog output, hence mv'ing logfile and restarting syslog-ng necessitates restarting the parser process as well...
But a fstat() call at each write would be a more elegant solutuion if it doesn't slow down writing too much.
Can't comment this performance issue, perhaps Bazsi has given it a thought?
-MNi
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
On Fri, Oct 26, 2001 at 02:31:56PM +0300, Mikko Niskanen wrote:
On Fri, Oct 26, 2001 at 12:11:48PM +0200, Thomas Kaehn wrote: But a fstat() call at each write would be a more elegant solutuion if it doesn't slow down writing too much.
Can't comment this performance issue, perhaps Bazsi has given it a thought?
fstat() is crude, at least I don't like it (tm) :) you might try the afremctl interface, however it's also a bit crude, though working: source ctl { unix-stream("/dev/logctl"); }; destination dst { remote_control(); }; filter f_reopen { program("reopen"); }; log { source(ctl); filter(f_reopen); destination(dst); }; --- and send a message to /dev/logctl (using logger for example), coming from a command named "reopen" with contents having the filename to be reopened. so for example: (strictly untested, just like the above config): logger -u /dev/logctl -t reopen /var/log/messages This hack was implemented by _tgz. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
participants (4)
-
Balazs Scheidler
-
Christian Hammers
-
Mikko Niskanen
-
todd glassey