[TriLUG] log rotation wierdness

Aaron S. Joyner aaron at joyner.ws
Mon Jan 9 02:32:48 EST 2006


As an educational clarification of what Tanner is describing, for those
who may not be familiar with Unix internals, it goes something like
this.  When a process opens a file, it does so by requesting a file
descriptor (aka file handle) for that file.  The file descriptor is
returned when the program runs one of the open() series of system calls
(a la open, fopen, popen, etc. - see `man 2 open`), on a given filename.
For example, syslogd might (1) call msgs = open('/var/log/messages');
and be returned file descriptor 4 (it will get the lowest available file
descriptor for that process, in the case of our sample/pseudo code it
then stores that in the msgs variable for future use).  That file
descriptor is then used to write to and from that file, and it
specifically is connected to an inode, not a file name.  So when a
change is made to the filesystem (such as logrotate does when it moves
the file and creates a new one), the syslog daemon needs to be told to
close its existing file descriptor and reopen it based on the new entry
in the file system, which now points to a different inode.

Hopefully someone finds the above useful and educational.  :)
Aaron S. Joyner

1 - For the sake of being complete, the code that follows this note in
the context above is simplified to emphasize the point.  The actual code
from the latest version (1.4.1) of sysklogd (the usual default syslog
daemon) is found in syslogd.c, line 2684:
f->f_file = open(p, O_WRONLY|O_APPEND|O_CREAT|O_NOCTTY|O_NONBLOCK,0644);

The code from the latest version of syslog-ng (1.6.9), in case you
prefer it to syslog, is decidedly more abstract and compartmentalized. 
You can find the actual open call (which is used for virtually all types
of open()s the program does) in the function do_open_file() in affile.c
on line 128. It goes something like this:
*fd = open((char *) name->data, flags, mode != -1 ? mode : 0600);


Tanner Lovelace wrote:

>It looks like logrotate is rotating the files after it sends a HUP signal
>to syslog (to tell it to restart with a new file).  It should rotate the files
>first and then send it a HUP signal to get it to start writing to the
>messages file.
>
>Or, it could be something completely different. :-/
>
>Cheers,
>Tanner
>
>On 1/8/06, Christopher L Merrill <chris at webperformance.com> wrote:
>  
>
>>Anyone heard of a bug or mis-configuration that causes most log files to be
>>written to <logname>.1 instead of <logname>?
>>
>>For instance, our /var/log/messages never has anything in it.  Today it looks
>>like:
>> > -rw-------  1 root  root           0 Jan  8 04:04 messages
>> > -rw-------  1 root  root     3060527 Jan  8 18:35 messages.1
>> > -rw-------  1 root  root      593454 Jan  1 22:50 messages.2
>>The most recent messages are always in /var/log/messages.1
>>
>>The system is CentOS 4.
>>
>>TIA,
>>C
>>
>>
>>--
>>-------------------------------------------------------------------------
>>Chris Merrill                  |  http://www.webperformance.com
>>Web Performance Inc.
>>
>>Website Load Testing and Stress Testing Software
>>-------------------------------------------------------------------------
>
>
>--
>Tanner Lovelace
>clubjuggler at gmail dot com
>http://wtl.wayfarer.org/
>(fieldless) In fess two roundels in pale, a billet fesswise and an
>increscent, all sable.
>  
>
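
The behaviour described in the message above, as an added example that is not part of the original post nor code from sysklogd or syslog-ng: a descriptor keeps writing to the renamed inode until the file is reopened by name, and comparing fstat() on the descriptor with stat() on the path detects that state. The scratch directory under /tmp and the helper names fd_is_stale, file_size and demo_rotation are assumptions made for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path no longer names the inode fd has open, 0 if it does, -1 on error. */
static int fd_is_stale(int fd, const char *path) {
    struct stat by_fd, by_name;
    if (fstat(fd, &by_fd) != 0) return -1;
    if (stat(path, &by_name) != 0) return 1;      /* name is gone entirely */
    return by_fd.st_dev != by_name.st_dev || by_fd.st_ino != by_name.st_ino;
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Rotate without reopening, then reopen, in a constructed scratch directory.
 * Returns 0 if each step behaves as described, else the failing step number. */
int demo_rotation(void) {
    char dir[64], log[96], old[96];
    snprintf(dir, sizeof dir, "/tmp/rotdemo.%ld", (long)getpid());
    snprintf(log, sizeof log, "%s/messages", dir);
    snprintf(old, sizeof old, "%s/messages.1", dir);
    if (mkdir(dir, 0700) != 0) return 1;

    int fd = open(log, O_WRONLY | O_APPEND | O_CREAT, 0600);  /* daemon start */
    if (fd < 0 || write(fd, "before\n", 7) != 7) return 2;

    /* What logrotate does: move the file, create an empty replacement. */
    if (rename(log, old) != 0) return 3;
    int nfd = open(log, O_WRONLY | O_CREAT, 0600);
    if (nfd < 0) return 4;
    close(nfd);

    /* No HUP yet: the old descriptor still refers to the renamed inode. */
    if (write(fd, "after\n", 6) != 6) return 5;
    if (file_size(log) != 0 || file_size(old) != 13) return 6;
    if (fd_is_stale(fd, log) != 1) return 7;

    /* What the daemon does on HUP: close and reopen by name. */
    close(fd);
    fd = open(log, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0 || write(fd, "reopened\n", 9) != 9) return 8;
    int ok = fd_is_stale(fd, log) == 0 && file_size(log) == 9;
    close(fd); unlink(log); unlink(old); rmdir(dir);
    return ok ? 0 : 9;
}
int main(void) { int r = demo_rotation(); printf("result: %d\n", r); return r; }
```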



