[syslog-ng] logs getting stomped on

Brian Landers brian@bluecoat93.org
Wed, 29 Jan 2003 23:25:08 -0500


Sorry to keep harping on this guys, but this is a ^%$#@ mystery!
Once again, my mail log restarted at around 10:30pm tonight.  Lest
you think I'm just whining and not making an effort to solve this 
one, here's what I've come up with:

1) I've checked all of my crontabs and at jobs, and there's nothing
that runs around that time.

2) Went through all the long-running processes.  Nothing that would
interact with syslog-ng or the log files directly.  No processes
started or restarted around that time in ps.  No weird logins around
that time that would seem to indicate operator error.

3) My /var/adm/messages file did NOT restart, just the mail logs
coming in from the remote SSH tunnels.

4) I changed my syslog-ng.conf to not use macros for the filename,
but rather to log to a static filename "current.log".  Didn't help.

5) I added a second destination, breaking out the logs by hour:

destination inboundlog  {
  file("/system/inbound_mail/logs/current.log");
  file("/system/inbound_mail/logs/$YEAR/$MONTH/$DAY/$HOUR.log");
};

current.log had the entire day's logs, and was truncated and
restarted at 22:33:04, however the hourly log 2003/01/29/22.log
was NOT, it kept right on ticking.

6) total size of messages logged up to 22:33:04 was approximately
29mb, so largefile issues should not be a factor.

I'm at a loss here, folks.  I'm ready to consult an exorcist.  I
seem to have a workaround in that my logs split out by hour don't
appear to be getting truncated, but I'd love to track this one
down.  Any suggestions for things I haven't considered or should
I start shopping for goats and black candles?

Thanks,
Brian


P.S. sorry for the threading issues, was reading through the web
archives but I've now joined the list since I'm busily replacing
Solaris syslog everywhere with syslog-ng!


-- 
"We've heard that a million monkeys at a million keyboards could 
produce the complete works of Shakespeare; now, thanks to the 
Internet, we know that is not true."
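
One way to narrow down what is happening to current.log (an added example, not part of the original post or of syslog-ng): poll the file's device, inode and size and classify each change. Same inode with a smaller size means the file was truncated in place; a new inode means it was moved or deleted and then recreated. The function names and the temporary file standing in for current.log are assumptions of the example.

```python
import os
import tempfile

def snapshot(path):
    """Return (device, inode, size) for path, or None if it is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (st.st_dev, st.st_ino, st.st_size)

def classify(prev, cur):
    """Classify what happened to a path between two snapshots."""
    if cur is None:
        return "absent" if prev is None else "removed"
    if prev is None:
        return "created"
    if prev[:2] != cur[:2]:
        return "replaced"   # new inode: old file moved/unlinked, new one created
    if cur[2] < prev[2]:
        return "truncated"  # same inode, smaller size: truncated in place
    return "grew" if cur[2] > prev[2] else "unchanged"

def demo():
    """Run the three cases on a constructed file standing in for current.log."""
    line = "Jan 29 22:33:04 mailhost sendmail[1]: constructed sample line\n"
    events = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "current.log")
        with open(log, "w") as f:
            f.write(line * 100)
        prev = snapshot(log)
        def step(action):
            nonlocal prev
            action()
            cur = snapshot(log)
            events.append(classify(prev, cur))
            prev = cur
        def write(mode):
            with open(log, mode) as f:
                f.write(line)
        step(lambda: write("a"))                                  # normal append
        step(lambda: write("w"))                                  # open with truncate
        step(lambda: (os.rename(log, log + ".0"), write("w")))    # rotate and recreate
    return events

if __name__ == "__main__":
    print(demo())
```

Against a real log, call snapshot() from a loop or cron job and record each classification with a timestamp. A truncation that is refilled past the old size between two polls will be missed, so keep the interval short.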