On 19.01.2022 13:10, Helmut Schneider via rsyslog wrote:
> Am 19.01.2022 um 12:11 schrieb Mariusz Kruk via rsyslog:
>> It's not exactly clear what you mean :-)
> [...]
>> 3. logrotate sends SIGHUP to rsyslogd as part of postrotate action
>
> If logrotate rotes a log, do I always have to reload rsyslod or only
> under some circumstances?
Well, you never "have to" ;-)
But seriously. As I wrote before - when you rotate the file, logrotate
does a simple syscall changing the link in the directory index but the
file itself (inode, contents) stays the same. And if it's open at time
of rotating the descriptors stay open and the processes that have the
file open still work on the file they had opened at the moment of
rotation. But if any process wants to open the file by the old name - it
won't find it because file _under that name_ is no longer present in the
directory. So if "old" process doesn't close/re-open the file, it will
still be writing to the old file under a new name when newly created
processes (or old processes which open the file later) will refer to a
new file.
Let's imagine a sequence of events:
1) rsyslogd starts, opens /var/log/messages for writing
2) after some time, logrotate renames the file to /var/log/messages.1
3) since no SIGHUP has been sent to rsyslogd process, it keeps the file
open but the file is named /var/log/messages.1
4) another process (for example, a user using cat/more/less in his shell
session) opens /var/log/messages
5) there is no such file as /var/log/messages
In extreme case without closing/re-opening files after enough time the
original file could get "rotated out" : /var/log/messages ->
/var/log/messages.1 -> /var/log/messages.2 -> ... up to a point when it
would reach the limit of your rotated files backlog. In this case the
file would get unlinked by the logrotate process but it would still stay
opened in the rsyslogd process! So the disk space would still be used,
rsyslogd process would still be writing to it consuming said space but
you'd have no way to open such file anymore (short of some clever tricks
with file descriptors) and check its contents because there would be no
directory entry for it anymore. Only after closing the last descriptor
pointing to this file the underlying operating system would delete the
file contents and free the inode.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow
https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.