[clue-admin] Logfile Problems

Jed S. Baer thag at frii.com
Mon Mar 14 23:57:16 MST 2005


Hi Folks.

I noticed that the CLUE server logfiles weren't being rotated properly. I
still don't know why it was happening. But by observation, I deduce that
somehow, syslog wasn't switching to a new logfile, thus the original
logfiles which logrotate was renaming to progressively older version
numbers never got closed. Thus, for example, /var/log/messages.4 was the
current logfile, and messages.2 and messages.3 were empty, though I don't
know how those empty files got created if syslog wasn't closing and
reopening its files. Similar situation existed for /var/log/secure
/var/log/maillog /var/log/spooler /var/log/boot.log and /var/log/cron.

When trying to manually rotate the logs, using 'logrotate -f
/etc/logrotate.d/syslog' I got the following message:

  error: error running shared postrotate script for /var/log/messages
/var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log
/var/log/cron

The command in question is 'kill -HUP `cat /var/run/syslogd.pid`'.

Simply catting syslogd.pid works fine, and yields the correct pid.

Well, part of the issue was that logrotate wasn't finding anything to do,
since no new logfiles were being opened, i.e. all the active logs had the
".number" filenames. So I deleted the empty logfiles, and renamed the
"numbered" files back to their original names, and then reran logrotate.
This resulted in the logfiles in question disappearing. I note that the
supplied syslog rotate script has no "keep" parameter, but the default
from /etc/logrotate.conf is 4, so I'm guessing these files were all marked
for delete, but not deleted because they were open. And then, when I used
the service command to restart syslog, it opened new files, and the old
ones all went away.

So, there aren't any old logs to look at from the above list. If I forget
to look at this again in a week, maybe somebody else could look at it, or
remind me.

And, manually issuing a kill -HUP command works just fine.

So, I have no idea why logrotate is b0rked. Or, maybe it's unb0rked now.

jed
-- 
http://s88369986.onlinehome.us/freedomsight/
Key fingerprint = B027 FEFB 4281 CC72 67D1  4237 F2D0 D356 077A A30E
... it is poor civic hygiene to install technologies that could someday
facilitate a police state. -- Bruce Schneier
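
Added example, not part of the original post: a shell check for the condition described above, where a daemon keeps writing to a log under its rotated name (messages.4) or to a file that was already deleted. It reads the symlinks in a /proc/<pid>/fd directory on Linux; the function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag log files a daemon still holds open under a rotated
# name or after deletion, by reading the symlinks in /proc/<pid>/fd.

# stale_log_fds FD_DIR [LOG_PREFIX]
# Prints one line per suspicious descriptor: "<fd> <state> <target>".
stale_log_fds() {
    fd_dir=$1
    prefix=${2:-/var/log/}
    for link in "$fd_dir"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link") || continue
        # Only descriptors that point below the log directory are of interest.
        case $target in
            "$prefix"*) ;;
            *) continue ;;
        esac
        case $target in
            # Linux appends " (deleted)" when the open file has been unlinked.
            *" (deleted)") state=deleted ;;
            # A numeric suffix means logrotate renamed it but it was never reopened.
            *.[0-9]|*.[0-9][0-9]|*.[0-9].gz) state=rotated ;;
            *) continue ;;
        esac
        printf '%s %s %s\n' "${link##*/}" "$state" "$target"
    done
}

# Constructed stand-in for /proc/<pid>/fd so the check runs without root.
make_sample_fd_dir() {
    d=$(mktemp -d) || return 1
    ln -s /dev/null                   "$d/0"
    ln -s /var/log/messages.4         "$d/3"
    ln -s '/var/log/secure (deleted)' "$d/4"
    ln -s /var/log/maillog            "$d/5"
    printf '%s\n' "$d"
}

# Demo on the constructed directory.
sample=$(make_sample_fd_dir) && { stale_log_fds "$sample"; rm -rf "$sample"; }

# Live use (as root): stale_log_fds "/proc/$(cat /var/run/syslogd.pid)/fd"
```

Any output from the live call means syslogd did not reopen its files after the last rotation.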


