[syslog-ng] syslog-ng not following symlinks correctly on UBUNTU, works fine in RHEL

Donatello D bluray.vik at gmail.com
Sun Jul 1 03:21:25 UTC 2018 

@Jim - this is what i use as a  workaround already, but it is
sub-optimal, as there will be other files that are rolled over in
different intervals, so i end up reloading config multiple times.

the real question is why does it work in RHEL and fail in UBUNTU?


> Date: Sat, 30 Jun 2018 20:31:59 -0400
> From: Jim Hendrick <james.r.hendrick at gmail.com>
> To: "Syslog-ng users' and developers' mailing list"
>         <syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] syslog-ng not following symlinks correctly on
>         UBUNTU, works fine in RHEL
> Message-ID:
>         <CANEn2idABV25G1vFa4B=WhOyuHjd3HwLMKFBHgqydH6zvH0H9w at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> hardlinks are simply additional pointers to the same inode.
> symlinks contain the name of the referenced object
>
> If you want a hack - maybe have syslog-ng reload after the file changes?
> (SIGHUP)
>
>
>
> On Sat, Jun 30, 2018 at 12:56 PM, Ankit Agarwal <ankit at travelmyheart.org>
> wrote:
>
> > Hi,
> >
> > I ran into a similar problem on Ubuntu as well.
> >
> > In my case, I was tracking the Tomcat localhost log file in syslog-ng but
> > Tomcat creates a new log file everyday by default, and the filename changes
> > (since it includes the date).
> >
> > Therefore, I periodically created a softlink to the localhost log file
> > where the link had a constant name. The constant name is needed because I
> > obviously cannot keep changing the syslog-ng configuration to match the
> > day's localhost log file name.
> >
> > I found that the softlink did not work.
> >
> > Instead I had to create a hardlink.
> >
> > This is because the softlink's modified date does not change when the
> > underlying file changes. The hardlink's modified date does change since it
> > is pointing to the actual data. We need the modified date to change for the
> > syslog-ng client to pick up new log entries.
> >
> > In my case, I periodically ran the following command via CRON in the
> > Tomcat logs directory:
> >
> > sudo ln -f $(ls -t localhost.* | head -1) tomcat_localhost.log
> >
> > This is to get the latest localhost log file and create the hardlink for
> > it (overwriting the older hardlink that may have been pointing to the
> > previous day's localhost log file).
> >
> > I ran this every hour just to be safe.
> >
> >
> > So in your case, I think you would just need to recreate the hardlink as
> > soon as your log file is rotated.
> >
> >
> > Hope this helps.
> >
> > Ankit
> >
> >
> >
> > ---- On Sat, 30 Jun 2018 01:13:44 -0700 *Donatello D
> > <bluray.vik at gmail.com <bluray.vik at gmail.com>>* wrote ----
> >
> > syslog-ng is configured to read a symlink pointing to logs generated from
> > my application which rotates the file using log4j2 rollingfile appender.
> > Everything works fine till the rotation happens. after the file get rotated
> > syslog-ng still seems to hold on to the older inode (which is not moved)
> > and doesn't change to follow the new logs. this however does not happen in
> > RHEL where syslog-ng recognizes the file is now rotated and moves to the
> > new file. In both cases the sym link is always configured to point to the
> > latest file. version details and logs from both OSs below.
> >
> > What am i missing here?
> >
> > UBUNTU -
> > syslog-ng 3.5.6
> > Installer-Version: 3.5.6
> > Revision: 3.5.6-2.1 [@416d315] (Ubuntu/16.04)
> > Compile-Date: Oct 24 2015 03:49:19
> > Available-Modules: afsocket,afuser,tfgeoip,confgen,csvparser,
> > syslogformat,afamqp,redis,afsql,affile,afsmtp,linux-
> > kmsg-format,dbparser,system-source,cryptofuncs,basicfuncs,
> > json-plugin,afprog,afsocket-tls,afstomp,afsocket-notls,afmongodb
> > Enable-Debug: off
> > Enable-GProf: off
> > Enable-Memtrace: off
> > Enable-IPv6: on
> > Enable-Spoof-Source: on
> > Enable-TCP-Wrapper: on
> > Enable-Linux-Caps: on
> > Enable-Pcre: on
> >
> > symlink is pointing to the file that gets the logs. prior to rotation the
> > process watches correctly for the file (same inodes held by my app and
> > syslog-ng)
> >
> > lrwxrwxrwx 1 root root 56 Jun 29 08:44 node1-access.log ->
> > /x/logs/vik-test_access.log
> >
> > COMMAND     PID       USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
> > java      11032       vikram 53w   REG    8,1     1101 1542626
> > vik-test_access.log
> > syslog-ng 21661       root    9r   REG    8,1     1101 1542626
> > vik-test_access.log
> >
> >
> > Post rotation, syslog-ng holds on to the older file (now rotated).
> >
> > COMMAND     PID       USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
> > java      11032       vikram  53w   REG    8,1      876 1542631
> > e/elasticsearch-6.2.3/logs/vik-test_access.log
> > syslog-ng 21661       root    9r   REG    8,1     1101 1542626
> > e/elasticsearch-6.2.3/logs/vik-test_access-2018-06-30.log
> >
> > The same setup works perfectly fine in RHEL (version details below) where
> > syslog-ng follows the new file correctly.
> >
> > RHEL
> > syslog-ng 3.3.5
> > Installer-Version: 3.3.5
> > Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-
> > ng-ose--mainline--3.3--master#d5d607c05251b38e821efe27bc46ac8db78dd722
> > Compile-Date: Oct 18 2012 15:17:09
> > Default-Modules: affile,afprog,afsocket,afuser,
> > basicfuncs,csvparser,dbparser,syslogformat
> > Available-Modules: afprog,afsocket-tls,dbparser,confgen,convertfuncs,
> > basicfuncs,afsocket,afmongodb,csvparser,affile,dummy,syslogformat,afuser
> > Enable-Debug: off
> > Enable-GProf: off
> > Enable-Memtrace: off
> > Enable-IPv6: on
> > Enable-Spoof-Source: off
> > Enable-TCP-Wrapper: on
> > Enable-Linux-Caps: off
> > Enable-Pcre: on
> >
> > ____________________________________________________________
> > __________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?
> > product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
> >
> >
> >
> > ____________________________________________________________
> > __________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?
> > product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
> >
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20180630/db683a38/attachment.html>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>
>
> ------------------------------
>
> End of syslog-ng Digest, Vol 159, Issue 1
> *****************************************

More information about the syslog-ng mailing list