hi Richard, In this context I am also curious, what would be the effect of using > --check-timeout / --poll-timeout, if the log file will be closed or remain > open during timeout... I am trying to find a way, how to use SEC in "close > after read" mode - used to use this mode in previous log event correlation > solution, because keeping log files "always open" causes described problem > with their deletion (by external archivation script) on NFS... > > From SEC manual: "Each input file is tracked both by its name and i-node, > and input file rotations are handled seamlessly. If the input file is > recreated or truncated, SEC will reopen it and process its content from the > beginning. If the input file is removed (i.e., there is just an i-node left > without a name), SEC will keep the i-node open and wait for the input file > recreation." > > Maybe it would be sufficient having an option to (immediately?) close > (re)moved file, instead of keeping original i-node open until its > recreation in its original location. > > This behavior is intentional and necessary, in order to not miss events that are written into input file. For example, consider the following situation: 1) process X is running and writing its events into a log file which is monitored by SEC 2) log rotation tool (e.g., logrotate) will delete the log file 3) log rotation tool will send a signal to process X, forcing the process to reopen the log file (this step will recreate the log file on disk) Note that after step 2 we have a situation where process X is still writing into nameless file and could log additional events that SEC needs to process. Therefore, closing the log file immediately without waiting for the appearance of new log file on disk involves the risk of missing events. That risk increases with custom log rotation scripts which might involve a larger time gap between steps 2 and 3. One could also imagine other similar scenarios like accidental removal of log file from disk, and that is the reason why SEC does not close the log file when its name disappears from directory tree.
Hope this helps, risto
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
