logrotate strange argus behavior
Monah Baki
monahbaki at gmail.com
Fri Oct 26 07:17:37 EDT 2018
Hi Eric,
So I removed the create 0600 waited for the logrotate to run and had the
same issue. Then I specified in my command line " /usr/local/sbin/argus -m
-U 2048 -i eth3 -w /var/log/argus/argus.out -P 562" and waited for
logrotate to run, same issue.
Radium however is still running.
cat /etc/issue.net
Red Hat Enterprise Linux Server release 6.10 (Santiago)
Thanks
Monah
On Wed, Oct 24, 2018 at 11:55 AM Eric Kinzie <eric at qosient.com> wrote:
> On Wed Oct 24 10:58:46 -0400 2018, Monah Baki wrote:
> > Hi Carter,
> >
> > My argus.conf has:
> > ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
> >
> > I can also for testing purposes run the -w option from the command line,
> > what do you think?
> >
>
> > > > /var/log/argus/argus.out {
> > > > missingok
> > > > notifempty
> > > > compress
> > > > size 100M
> > > > daily
> > > > create 0600 root root
> > > > }
>
> Monah, I think that if you remove the "create 0600..." line from
> the logrotate configuration, argus.out will be recreated by argus
> and new records written to it.
>
> When logrotate creates a replacement file, the logic in argus that
> checks to see if the file has been removed is effectively bypassed.
> The original file it opened is no longer visible with "ls" because
> gzip blows it away, but the file does actually still exist until
> all file descriptors that reference it have been closed; argus
> continues writing to it.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20181026/4850c360/attachment.html>
More information about the argus
mailing list