Not writing to new logfile after rotate and restart
I have a rather straightforward syslog-ng.conf. I write all messages from the local host to /var/adm/messages and things that come from the net to a separate (customer specific file) filtered on the source host. All works well except that I can't rotate the customer specific logfiles. I can rotate /var/adm/messages.

doing:

    # mv /var/adm/messages /var/adm/messages.0
    # kill -HUP `cat /etc/syslog-ng/syslog-ng.pid`

and new logs are written to /var/adm/messages

BUT:

    # mv /data/customer-logs/491 /data/customer-logs/491.0
    # kill -HUP `cat /etc/syslog-ng/syslog-ng.pid`

and new messages are still written to data/customer-logs/491.0

I also tried stopping and starting syslog-ng and moving the file somewhere completely different. It still magically remembers the old file.

Any idea ??

Relevant part of my config:

    source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };
    destination syslogfile { file("/var/adm/messages"); };
    log { source(local); destination(syslogfile); };

    source net { udp(); };
    filter filter491 { host("12.34.56.78");};
    destination logfile491 { file("/data/customer-logs/log491" perm(0644)); };
    log { source(net); filter(filter491); destination(logfile491); };

(I'm using syslog-ng-1.4.14 on SunOS 5.8 sparc)

Thanks,

--
Wim Livens. IP Security Engineer. C o l t B e l g i u m

On Mon, Feb 18, 2002 at 01:00:27PM +0100, Livens Wim wrote:
> I have a rather straightforward syslog-ng.conf. I write all messages from the local host to /var/adm/messages and things that come from the net to a separate (customer specific file) filtered on the source host. All works well except that I can't rotate the customer specific logfiles. I can rotate /var/adm/messages.
>
> doing:
>     # mv /var/adm/messages /var/adm/messages.0
>     # kill -HUP `cat /etc/syslog-ng/syslog-ng.pid`
>
> and new logs are written to /var/adm/messages
>
> BUT:
>     # mv /data/customer-logs/491 /data/customer-logs/491.0
>     # kill -HUP `cat /etc/syslog-ng/syslog-ng.pid`
>
> and new messages are still written to data/customer-logs/491.0
>
> I also tried stopping and starting syslog-ng and moving the file somewhere completely different. It still magically remembers the old file.

hmm.. are you HUP-ping the correct pid? you could possibly truss syslog-ng while sending the HUP to see whether it closes and reopens its files. (it should do so)

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

Is your /data an NFS mounted partition, or is it a local partition exactly like /var?

The only way you'll get old logfiles filling after a HUP is:

  syslog-ng wasn't actually HUPped (Which is unlikely, since the new /var/adm/messages is being updated), or

  The inode for 491 isn't being properly changed.

If your filesystem isn't a local filesystem it's possible the file move is being handled oddly by NFS, or whatever filesystem it is. I've never seen it before, but it could happen, I guess.

Have you tried touching the new 491 logfile before hupping syslog-ng?

Brian

On Mon, Feb 18, 2002 at 01:00:27PM +0100, Livens Wim wrote:
> I have a rather straightforward syslog-ng.conf. I write all messages from the local host to /var/adm/messages and things that come from the net to a separate (customer specific file) filtered on the source host. All works well except that I can't rotate the customer specific logfiles. I can rotate /var/adm/messages.
>
> doing:
>     # mv /var/adm/messages /var/adm/messages.0
>     # kill -HUP `cat /etc/syslog-ng/syslog-ng.pid`
>
> and new logs are written to /var/adm/messages
>
> BUT:
>     # mv /data/customer-logs/491 /data/customer-logs/491.0
>     # kill -HUP `cat /etc/syslog-ng/syslog-ng.pid`
>
> and new messages are still written to data/customer-logs/491.0
>
> I also tried stopping and starting syslog-ng and moving the file somewhere completely different. It still magically remembers the old file.
>
> Any idea ??
>
> Relevant part of my config:
>
>     source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };
>     destination syslogfile { file("/var/adm/messages"); };
>     log { source(local); destination(syslogfile); };
>
>     source net { udp(); };
>     filter filter491 { host("12.34.56.78");};
>     destination logfile491 { file("/data/customer-logs/log491" perm(0644)); };
>     log { source(net); filter(filter491); destination(logfile491); };
>
> (I'm using syslog-ng-1.4.14 on SunOS 5.8 sparc)
>
> Thanks,
>
> --
> Wim Livens. IP Security Engineer. C o l t B e l g i u m
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
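
The rename-then-HUP behaviour discussed in the two replies above, as an added example that is not part of the original thread: a writer holding a file open keeps writing to the same inode after mv, and only a close and reopen of the configured path starts a new file. The temporary directory and the inode_of and rotation_demo names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are temporary and constructed.

inode_of() { ls -i "$1" | awk '{ print $1 }'; }

# Prints: <rename kept inode?> <reopen got new inode?> <lines in log491.0> <lines in log491>
rotation_demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/log491"

    exec 3>>"$log"                     # stand-in for the daemon opening its destination
    echo "before rotate" >&3
    before=$(inode_of "$log")

    mv "$log" "$log.0"                 # rotate by rename: new name, same inode
    renamed=$(inode_of "$log.0")
    echo "after mv, not reopened" >&3  # the open descriptor still points at that inode

    exec 3>&-                          # what a handled HUP should do: close ...
    exec 3>>"$log"                     # ... and reopen the configured path
    echo "after reopen" >&3
    after=$(inode_of "$log")
    exec 3>&-

    old_lines=$(wc -l < "$log.0" | tr -d ' ')
    new_lines=$(wc -l < "$log" | tr -d ' ')
    kept=no;  [ "$before" = "$renamed" ] && kept=yes
    fresh=no; [ "$after" != "$before" ] && fresh=yes
    rm -rf "$dir"
    echo "$kept $fresh $old_lines $new_lines"
}

rotation_demo    # prints: yes yes 2 1
```

Two lines land in the renamed file and one in the new file, so a rotated copy that keeps growing after the HUP means the writer never closed and reopened its destination.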
we have

    destination console { file("/var/log/messages" ); };

and still we have messages from a remote mail server's POP3D arriving at port 514 that get logged to console. Some of these messages we have written to special that is tailed for pop-before-smtp access control in postfix, and they get routed and filtered ok, but some that arrive that we don't care about nor filter for are showing up on the console.

what's the trick to a completely quiet console?

Len

http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways

On Tue, Feb 19, 2002 at 06:04:20PM -0600, Len Conrad wrote:
> we have
>
>     destination console { file("/var/log/messages" ); };
>
> and still we have messages from a remote mail server's POP3D arriving at port 514 that get logged to console. Some of these messages we have written to special that is tailed for pop-before-smtp access control in postfix, and they get routed and filtered ok, but some that arrive that we don't care about nor filter for are showing up on the console.
>
> what's the trick to a completely quiet console?

My syslog-ng conf file started life as the one that comes with the debian syslog-ng package. It has these console-related destination lines:

    # The root's console.
    #
    destination console { usertty("root"); };

    # Virtual console.
    #
    destination console_all { file("/dev/tty8"); };

    # The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
    # you must invoke `xconsole' with the `-file' option:
    #
    # $ xconsole -file /dev/xconsole [...]
    #
    destination xconsole { pipe("/dev/xconsole"); };

Maybe you have some console lines you don't see?

--
Nate

"C(++) is a write-only, high-level assembler language." - Stefan Van Baelen.

> My syslog-ng conf file started life as the one that comes with the debian syslog-ng package.

mine, comes with FreeBSD 4.5 port of syslog-ng, emulates the system's syslog.conf.

> It has these console-related destination lines:
>
>     # The root's console.
>     #
>     destination console { usertty("root"); };
>
>     # Virtual console.
>     #
>     destination console_all { file("/dev/tty8"); };
>
>     # The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
>     # you must invoke `xconsole' with the `-file' option:
>     #
>     # $ xconsole -file /dev/xconsole [...]
>     #
>     destination xconsole { pipe("/dev/xconsole"); };
>
> Maybe you have some console lines you don't see?

vi's /con gave me nothing.

I have this:

    destination console { file("/var/log/messages" ); };
    destination root { usertty("root"); };
    destination allusers { usertty("*"); };
    destination pop3d { file("/var/log/imail-pop.log"); };

I'm working over ssh and can't see the console. From what the client tells me, the only stuff showing up on the console is POP3D lines that we don't capture with our POP3D filter that grabs "successful logon account@domain ip.ad.re.ss" lines.

it sorta sounds like the lines on the console have nowhere else to go. I figgered console to messages file would grab them all.

Len

On Tue, Feb 19, 2002 at 07:56:26PM -0600, Len Conrad wrote:
>> My syslog-ng conf file started life as the one that comes with the debian syslog-ng package.
>
> mine, comes with FreeBSD 4.5 port of syslog-ng, emulates the system's syslog.conf.
>
>> It has these console-related destination lines:
>>
>>     # The root's console.
>>     #
>>     destination console { usertty("root"); };
>>
>>     # Virtual console.
>>     #
>>     destination console_all { file("/dev/tty8"); };
>>
>>     # The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
>>     # you must invoke `xconsole' with the `-file' option:
>>     #
>>     # $ xconsole -file /dev/xconsole [...]
>>     #
>>     destination xconsole { pipe("/dev/xconsole"); };
>>
>> Maybe you have some console lines you don't see?
>
> vi's /con gave me nothing.
>
> I have this:
>
>     destination console { file("/var/log/messages" ); };
>     destination root { usertty("root"); };
>     destination allusers { usertty("*"); };
>     destination pop3d { file("/var/log/imail-pop.log"); };

Just a shot in the dark, but try removing the root and allusers destinations.

--
Garrett Kuchta [gkuchta[at]astro.umn.edu]
Assistant System Manager
Dept. of Astronomy
University of Minnesota, Twin Cities
http://www.astro.umn.edu/~gkuchta

On Tue, Feb 19, 2002 at 08:06:57PM -0600, gkuchta@astro.umn.edu wrote:
> On Tue, Feb 19, 2002 at 07:56:26PM -0600, Len Conrad wrote:
>>> My syslog-ng conf file started life as the one that comes with the debian syslog-ng package.
>>
>> mine, comes with FreeBSD 4.5 port of syslog-ng, emulates the system's syslog.conf.
>>
>> I have this:
>>
>>     destination console { file("/var/log/messages" ); };
>>     destination root { usertty("root"); };
>>     destination allusers { usertty("*"); };
>>     destination pop3d { file("/var/log/imail-pop.log"); };
>
> Just a shot in the dark, but try removing the root and allusers destinations.

More important are any log statements that actually use the root or allusers destinations. Are there any?

I was thinking of installing FreeBSD tonight anyways (unrelated project) - if I do I'll mess with the syslog-ng port and see what I find.

--
Nate

So unleash your nmap-from-hell and beware, you may tickle an obscure bug in an ancient box hand-built by Seymour Cray himself, the only one of its kind ever made, whose sole user pays the salaries of everyone you ever met in the entire time you worked at the company, with money he makes with an investment strategy hand-coded in assembler for this special machine, by an analytic wizard who has since died.

> More important are any log statements that actually use the root or allusers destinations. Are there any? I was thinking of installing FreeBSD tonight anyways (unrelated project) - if I do I'll mess with the syslog-ng port and see what I find.

Nate, your suggestion of working on log statements with root or allusers led us to the solution.

thanks

http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
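
The check that resolved this sub-thread, carried out as an added example that is not from the thread: list every log statement in a syslog-ng.conf that delivers to a usertty() destination. The sample config reuses the destinations quoted above; its source, filter and log statements are constructed, since the real ones were not posted, and the parser assumes 1.x-style statements without nested braces and no '#' inside strings.

```shell
#!/bin/sh
# Added example (not from the thread): find log paths that end on a terminal.

tty_log_paths() {   # $1 = path to a syslog-ng.conf
    sed 's/#.*//' "$1" | tr '\n' ' ' | awk 'BEGIN { RS = "}" }
    {
        stmt = $0
        gsub(/[ \t]+/, " ", stmt); sub(/^[ ;]+/, "", stmt)
        if (stmt ~ /^destination /) {
            split(stmt, w, /[ {]+/)              # w[2] = destination name
            if (stmt ~ /usertty *\(/) tty[w[2]] = 1
        } else if (stmt ~ /^log[ {]/) {
            logs[++n] = stmt
        }
    }
    END {                                        # resolve once all definitions are known
        for (i = 1; i <= n; i++) {
            rest = logs[i]
            while (match(rest, /destination *\([^)]*\)/)) {
                name = substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
                sub(/^destination *\( */, "", name); sub(/ *\)$/, "", name)
                if (name in tty) print name ": " logs[i] "}"
            }
        }
    }'
}

# Constructed sample: destinations as quoted in the thread, everything else made up.
write_sample_conf() {
    cat > "$1" <<'EOF'
source net { udp(); };
filter f_pop3d { match("successful logon"); };
destination console { file("/var/log/messages" ); };
destination root { usertty("root"); };
destination allusers { usertty("*"); };
destination pop3d { file("/var/log/imail-pop.log"); };
log { source(net); filter(f_pop3d); destination(pop3d); };
log { source(net); destination(allusers); };   # unfiltered: reaches every tty
log { source(net); destination(console); };
EOF
}

conf=$(mktemp) && write_sample_conf "$conf" && tty_log_paths "$conf"; rm -f "$conf"
```

A destination named console that points at a file is not reported; only statements that reference a usertty() destination are.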
participants (6)
- Balazs Scheidler
- Brian Thomas
- gkuchta@astro.umn.edu
- Len Conrad
- Livens Wim
- Nate Campi