Abigail, I am using logrotate. Tomcat just renamed the currently log file (catalina.out.1) or (catalina.out.2.gz) etc. I will verify the inode now.
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Abby Edwards Sent: Friday, June 22, 2012 11:39 AM To: rsyslog-users Subject: Re: [rsyslog] imfile / rotating logs Hmm, by any chance are you sending a HUP signal after the rotate happens? The HUP should be closing and reopening the file handle, so maybe it's an easy thing and the HUP isn't being sent for some reason. Another thing to look for, the 89410 before /var/log/tomcat6/catalina.out should be the inode for the file in the system. You could compare the inode listed by lsof to the inode listed by running stat /var/log/tomcat6/catalina.out after log rotation. Basically, I'm theorizing your tomcat instance is deleting catalina.out without moving it, which wouldn't change your filename in the lsof output. I guess a simpler question to start would be, how are you / what process are you using to rotate the log? Abigail Edwards | Phone: 402.361.3064 | Cell: 402.813.7044 | Fax: 402.361.3164 | Solutionary | Relevant . Intelligent . Security On 6/22/12 11:17 AM, "James, Jason" <[email protected]> wrote: >Abigail, > >No, the only reference I see is what should be showing rsyslogd 30730 > syslog 1r REG 251,1 2502 89410 >/var/log/tomcat6/catalina.out >The same behavior occurs with any log file that gets rotated out. No >"errors" in the debug log other than it's not seeing any changes (0 bytes >being read)... > >1708.206246072:7f74b9cc7700: stream checking for file change on >'/var/log/tomcat6/catalina.out', inode 8130/8130file 13 read 0 bytes >1708.206257137:7f74b9cc7700: stream checking for file change on >'/var/log/apache2/error.log', inode 89440/89440file 12 read 0 bytes >1718.215980512:7f74b9cc7700: stream checking for file change on >'/var/log/tomcat6/catalina.out', inode 8130/8130file 13 read 0 bytes >1718.215992603:7f74b9cc7700: stream checking for file change on >'/var/log/apache2/error.log', inode 89440/89440file 12 read 0 bytes >1728.226099139:7f74b9cc7700: stream checking for file change on >'/var/log/tomcat6/catalina.out', inode 8130/8130file 13 read 0 bytes >1728.226110824:7f74b9cc7700: stream checking for file change on >'/var/log/apache2/error.log', inode 89440/89440 > >-----Original Message----- >From: [email protected] >[mailto:[email protected]] On Behalf Of Abby Edwards >Sent: Friday, June 22, 2012 10:53 AM >To: rsyslog-users >Subject: Re: [rsyslog] imfile / rotating logs > >I've encountered something similar on an older version (5.8.8), but it was >on output, not input. In my case, /var/log/messages would stop being >written to after logrotate moved it and sent a HUP to rsyslogd. I >reviewed the output of lsof and saw rsyslogd was holding onto open file >handles to the rotated messages file (logrotate moved messages to >messages.1 before running gzip against it). What was interesting was if I >let this run for a couple of days, the file handles to messages.1 from the >first day stayed open, and other file handles had messages.1 from the day >after, and yet other handles were for /var/log/messages. I haven't been >able to reproduce this in short tests though. > >Do you see similar stale / open file handles referencing the rotated input >file opened by rsyslogd? > >Abigail Edwards | Phone: 402.361.3064 | Cell: 402.813.7044 | Fax: >402.361.3164 | Solutionary | Relevant . Intelligent . Security > > > > > >On 6/22/12 10:28 AM, "James, Jason" <[email protected]> wrote: > >>Hello, >>It appears that imfile will stop parsing/getting data from log files that >>are rotated out. Is this a bug? Is there a directive I am missing? Even >>after restarting rsyslog is will no longer pull data from the new log >>file unless I remove the input state file. >> >> >>rsyslog 5.8.12-stable >> >>-----Original Message----- >>From: [email protected] >>[mailto:[email protected]] On Behalf Of Thomas Lau >>Sent: Thursday, June 21, 2012 10:54 PM >>To: rsyslog-users >>Subject: Re: [rsyslog] severity discard >> >>David, I just want to put 0 - 5 severity log into mysql DB, 6-7 discard. >>What's the right method to do that ? >> >>Thomas Lau >>Senior Technology Analyst >>Principle One Limited >>27/F Kinwick Centre, 32 Hollywood Road, Central, Hong Kong >>T +852 3555 2217 F +852 3555 2222 M +852 9880 1217 >>Hong Kong . Singapore . Tokyo >> >> >>-----Original Message----- >>From: [email protected] >>[mailto:[email protected]] On Behalf Of [email protected] >>Sent: Friday, June 22, 2012 11:46 AM >>To: rsyslog-users >>Subject: Re: [rsyslog] severity discard >> >>no, your line gives two destinations. >> >>~ says to discard any message that matches the filter. >> >>you then put the lines to do something with the logs after that. >> >>there may be better ways to get what you are wanting, but you haven't >>explained your entire logic. >> >>David Lang >> >>On Fri, 22 Jun 2012, Thomas Lau wrote: >> >>> Date: Fri, 22 Jun 2012 09:30:17 +0800 >>> From: Thomas Lau <[email protected]> >>> Reply-To: rsyslog-users <[email protected]> >>> To: rsyslog-users <[email protected]> >>> Subject: Re: [rsyslog] severity discard >>> >>> *.info;*.debug ~ :ommysql >>> >>> Like that ? >>> >>> Thomas Lau >>> Senior Technology Analyst >>> Principle One Limited >>> 27/F Kinwick Centre, 32 Hollywood Road, Central, Hong Kong T +852 >>> 3555 2217 F +852 3555 2222 M +852 9880 1217 Hong Kong . >>> Singapore . Tokyo >>> >>> >>> -----Original Message----- >>> From: [email protected] >>> [mailto:[email protected]] On Behalf Of [email protected] >>> Sent: Friday, June 22, 2012 9:18 AM >>> To: rsyslog-users >>> Subject: Re: [rsyslog] severity discard >>> >>> this should work >>> >>> *.debug,*.info ~ >>> >>> David Lang >>> >>> On Fri, 22 Jun 2012, Thomas Lau wrote: >>> >>>> Date: Fri, 22 Jun 2012 08:56:05 +0800 >>>> From: Thomas Lau <[email protected]> >>>> Reply-To: rsyslog-users <[email protected]> >>>> To: "[email protected]" <[email protected]> >>>> Subject: [rsyslog] severity discard >>>> >>>> Dear All, >>>> >>>> Does anyone know how could I discard severity from 6 -7? >>>> >>>> 0 Emergency: system is unusable >>>> 1 Alert: action must be taken immediately >>>> 2 Critical: critical conditions >>>> 3 Error: error conditions >>>> 4 Warning: warning conditions >>>> 5 Notice: normal but significant condition >>>> 6 Informational: informational messages >>>> 7 Debug: debug-level messages >>>> >>>> >>>> Thomas Lau >>>> Senior Technology Analyst >>>> Principle One Limited >>>> 27/F Kinwick Centre, 32 Hollywood Road, Central, Hong Kong >>>> T +852 3555 2217 F +852 3555 2222 M +852 9880 1217 >>>> Hong Kong . Singapore . Tokyo >>>> >>>> _______________________________________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>> http://www.rsyslog.com/professional-services/ >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> >>_______________________________________________ >>rsyslog mailing list >>http://lists.adiscon.net/mailman/listinfo/rsyslog >>http://www.rsyslog.com/professional-services/ >>What's up with rsyslog? Follow https://twitter.com/rgerhards >>_______________________________________________ >>rsyslog mailing list >>http://lists.adiscon.net/mailman/listinfo/rsyslog >>http://www.rsyslog.com/professional-services/ >>What's up with rsyslog? Follow https://twitter.com/rgerhards > >_______________________________________________ >rsyslog mailing list >http://lists.adiscon.net/mailman/listinfo/rsyslog >http://www.rsyslog.com/professional-services/ >What's up with rsyslog? Follow https://twitter.com/rgerhards >_______________________________________________ >rsyslog mailing list >http://lists.adiscon.net/mailman/listinfo/rsyslog >http://www.rsyslog.com/professional-services/ >What's up with rsyslog? Follow https://twitter.com/rgerhards _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards
