Files still opened after time_reap
Hi, I'm using syslog-ng 2.0.0 (yes I know...) on a debian loghost. Files generated via df_monitor (see configuration extract below) are deleted by the monitoring process about 4 min after having been written by syslog-ng. My problem is that these files remain opened (lsof | grep deleted) by syslog-ng after deleted whereas time_reap option is set to 30s. I googled the issue and just found https://lists.balabit.hu/pipermail/syslog-ng/2003-January/004416.html which is not my exact case (macros are actually used in filenames). I didn't find any bugfix/feature on time_reap in the changelog of subsequent versions ... Thanks in advance for your help Regards Erwan options { chain_hostnames(0); time_reopen(10); time_reap(30); log_fifo_size(8192); create_dirs(yes); group(adm); perm(0660); dir_group(adm); dir_perm(0755); use_dns(no); log_msg_size(4096); use_fqdn(yes); keep_hostname(yes); use_time_recvd(no); }; source s_machines { tcp(ip("890.123.456.789") port(514) max_connections(100)); }; template tpl_monitor { template("$S_YEAR-$S_MONTH-$S_DAY $S_HOUR:$S_MIN:$S_SEC $FULLHOST ==$LEVEL== [$PROGRAM] $MESSAGE\n"); template_escape(no); }; destination df_monitor { file("/var/log/monitor/$R_YEAR-$R_MONTH-$R_DAY-$R_HOUR-$R_MIN" template(tpl_monitor) group(monitor) dir_perm(0775) dir_group(monitor) owner(loghost-maintainer)); }; destination dh_backup-loghost { tcp("123.456.789.890" port(514)); }; log{ source(s_machines); destination(df_monitor); destination(dh_backup-loghost); };
On Wed, 2010-07-07 at 11:18 +0200, Erwan Miran wrote:
Hi,
I'm using syslog-ng 2.0.0 (yes I know...) on a debian loghost. Files generated via df_monitor (see configuration extract below) are deleted by the monitoring process about 4 min after having been written by syslog-ng. My problem is that these files remain opened (lsof | grep deleted) by syslog-ng after deleted whereas time_reap option is set to 30s. I googled the issue and just found https://lists.balabit.hu/pipermail/syslog-ng/2003-January/004416.html which is not my exact case (macros are actually used in filenames). I didn't find any bugfix/feature on time_reap in the changelog of subsequent versions ...
Well, 2.0.0 really is ancient, and I can't really remember whether there was such a bug in it, but syslog-ng should definitely close those files, if macros are being used. (if no macros are used, time_reap is not applied). As a workaround, you could SIGHUP the syslog-ng process, that definitely closes all files. -- Bazsi
Balazs Scheidler a écrit :
On Wed, 2010-07-07 at 11:18 +0200, Erwan Miran wrote:
Hi,
I'm using syslog-ng 2.0.0 (yes I know...) on a debian loghost. Files generated via df_monitor (see configuration extract below) are deleted by the monitoring process about 4 min after having been written by syslog-ng. My problem is that these files remain opened (lsof | grep deleted) by syslog-ng after deleted whereas time_reap option is set to 30s. I googled the issue and just found https://lists.balabit.hu/pipermail/syslog-ng/2003-January/004416.html which is not my exact case (macros are actually used in filenames). I didn't find any bugfix/feature on time_reap in the changelog of subsequent versions ...
Well, 2.0.0 really is ancient, and I can't really remember whether there was such a bug in it, but syslog-ng should definitely close those files, if macros are being used. (if no macros are used, time_reap is not applied).
As a workaround, you could SIGHUP the syslog-ng process, that definitely closes all files.
You're right it's an ancient one, fyi my debian version is etch (but I guess your answer would have been the same with 2.0.9 provided by lenny or even ubuntu lucid)... I already use the workaround you describe when I detect the problem and will certainly have to cron the detection+sighup but it is not... neat. Btw is the issue present in subsequent versions? Regards Erwan
On Wed, 2010-07-07 at 20:22 +0200, Erwan Miran wrote:
Balazs Scheidler a écrit :
On Wed, 2010-07-07 at 11:18 +0200, Erwan Miran wrote:
Hi,
I'm using syslog-ng 2.0.0 (yes I know...) on a debian loghost. Files generated via df_monitor (see configuration extract below) are deleted by the monitoring process about 4 min after having been written by syslog-ng. My problem is that these files remain opened (lsof | grep deleted) by syslog-ng after deleted whereas time_reap option is set to 30s. I googled the issue and just found https://lists.balabit.hu/pipermail/syslog-ng/2003-January/004416.html which is not my exact case (macros are actually used in filenames). I didn't find any bugfix/feature on time_reap in the changelog of subsequent versions ...
Well, 2.0.0 really is ancient, and I can't really remember whether there was such a bug in it, but syslog-ng should definitely close those files, if macros are being used. (if no macros are used, time_reap is not applied).
As a workaround, you could SIGHUP the syslog-ng process, that definitely closes all files.
You're right it's an ancient one, fyi my debian version is etch (but I guess your answer would have been the same with 2.0.9 provided by lenny or even ubuntu lucid)...
sid already has 3.1.1 and that's automatically propagated to ubuntu. but we also provide .deb packages on our website (although it carries all of our dependencies instead of using the system supplied ones).
I already use the workaround you describe when I detect the problem and will certainly have to cron the detection+sighup but it is not... neat. Btw is the issue present in subsequent versions?
I don't know about -- Bazsi
participants (2)
-
Balazs Scheidler
-
Erwan Miran