use postrotate to send a HUP to rsyslog so it closes the file and reopens it
truncting a log file creates a race condition that will cause you to lose logs
at some point.
David Lang
On Tue, 31 Aug 2021, John Chivian via rsyslog wrote:
Date: Tue, 31 Aug 2021 21:59:58 -0500
From: John Chivian via rsyslog <[email protected]>
To: rsyslog-users <[email protected]>
Cc: John Chivian <[email protected]>
Subject: Re: [rsyslog] imfile-state file not returning to zero after logrotate
I believe the correct thing to do is use prerotate to stop and then start
rsyslog. This forces rsyslog to update and record the state file on exit, and
then sanity check it on startup. Then, do exactly the same thing with
postrotate. This again forces rsyslog to update and record the state file, and
then sanity check on startup. My understanding is that a HUP is not sufficient
because it is not guaranteed to refresh state files, hence the hard stop and
restart. The maintainers should be able to say with more certainty.
At my current place we do log file cleanup manually, without logrotate, partly
for this reason so I can’t state for certain if this will work, but in a
previous environment we did have rsyslog and logrotate tied in this manner and
nobody complained about lost data.
Regards,
On Aug 31, 2021, at 21:07, S&A Hullick via rsyslog <[email protected]>
wrote:
Hi,
I have rsyslog set up to forward logs to a separate log repository on another
server and have some files that stop forwarding after log rotate.
My issue is that the log file itself is copied to a separate file and then
emptied (truncated). Then, of course, rsyslog doesn't forward until the size
of the log file reaches the number in the imfile-state file.
Can someone please suggest a setup where the state file will be zeroed. My
current configs for rsyslog and logrotate are as follows:
rsyslog:
rsyslogd: version 8.24.0-41.el7_7.2, config validation run (level 1), master
config /etc/rsyslog.conf
$InputFileName /var/log/httpd/access.log
$InputFileTag httpd_access:
$InputFileStateFile stats-httpd_access
$InputFileFacility local6
$InputRunFileMonitor
Logrotate (daily cycle):
"/var/log/httpd/access.log" {
weekly
create 640 root root
missingok
notifempty
sharedscripts
delaycompress
postrotate
/bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
endscript
}
at present, after logrotate, I need to stop the rsyslogd, manually zero the
imfile-state file and restart rsyslogd. The log file will then start being
forwarded to the log server.
Kind regards,
Andrew.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
