[syslog-ng] syslog-ng not following symlinks correctly on UBUNTU, works fine in RHEL

Donatello D bluray.vik at gmail.com
Sat Jun 30 08:13:44 UTC 2018 

syslog-ng is configured to read a symlink pointing to logs generated from
my application which rotates the file using log4j2 rollingfile appender.
Everything works fine till the rotation happens. after the file get rotated
syslog-ng still seems to hold on to the older inode (which is not moved)
and doesn't change to follow the new logs. this however does not happen in
RHEL where syslog-ng recognizes the file is now rotated and moves to the
new file. In both cases the sym link is always configured to point to the
latest file. version details and logs from both OSs below.

What am i missing here?

UBUNTU -
syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision: 3.5.6-2.1 [@416d315] (Ubuntu/16.04)
Compile-Date: Oct 24 2015 03:49:19
Available-Modules:
afsocket,afuser,tfgeoip,confgen,csvparser,syslogformat,afamqp,redis,afsql,affile,afsmtp,linux-kmsg-format,dbparser,system-source,cryptofuncs,basicfuncs,json-plugin,afprog,afsocket-tls,afstomp,afsocket-notls,afmongodb
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on

symlink is pointing to the file that gets the logs. prior to rotation the
process watches correctly for the file (same inodes held by my app and
syslog-ng)

lrwxrwxrwx 1 root root 56 Jun 29 08:44 node1-access.log ->
/x/logs/vik-test_access.log

COMMAND     PID       USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
java      11032       vikram 53w   REG    8,1     1101 1542626
vik-test_access.log
syslog-ng 21661       root    9r   REG    8,1     1101 1542626
vik-test_access.log


Post rotation, syslog-ng holds on to the older file (now rotated).

COMMAND     PID       USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
java      11032       vikram  53w   REG    8,1      876 1542631
e/elasticsearch-6.2.3/logs/vik-test_access.log
syslog-ng 21661       root    9r   REG    8,1     1101 1542626
e/elasticsearch-6.2.3/logs/vik-test_access-2018-06-30.log

The same setup works perfectly fine in RHEL (version details below) where
syslog-ng follows the new file correctly.

RHEL
syslog-ng 3.3.5
Installer-Version: 3.3.5
Revision: ssh+git://bazsi@git.balabit
//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.3--master#d5d607c05251b38e821efe27bc46ac8db78dd722
Compile-Date: Oct 18 2012 15:17:09
Default-Modules:
affile,afprog,afsocket,afuser,basicfuncs,csvparser,dbparser,syslogformat
Available-Modules:
afprog,afsocket-tls,dbparser,confgen,convertfuncs,basicfuncs,afsocket,afmongodb,csvparser,affile,dummy,syslogformat,afuser
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: on
Enable-Linux-Caps: off
Enable-Pcre: on
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20180630/a3400f47/attachment.html>

More information about the syslog-ng mailing list