logrotate strange argus behavior

Eric Kinzie eric at qosient.com
Fri Oct 26 07:31:28 EDT 2018


On October 26, 2018 7:17:37 AM EDT, Monah Baki <monahbaki at gmail.com> wrote:
>Hi Eric,
>
>So I removed the create 0600, waited for the logrotate to run and had the
>same issue. Then I specified in my command line
>"/usr/local/sbin/argus -m -U 2048 -i eth3 -w /var/log/argus/argus.out -P 562"
>and waited for logrotate to run, same issue.
>Radium however is still running.
>
>cat /etc/issue.net
>Red Hat Enterprise Linux Server release 6.10 (Santiago)
>
>Thanks
>Monah
>
>
>On Wed, Oct 24, 2018 at 11:55 AM Eric Kinzie <eric at qosient.com> wrote:
>
>> On Wed Oct 24 10:58:46 -0400 2018, Monah Baki wrote:
>> > Hi Carter,
>> >
>> > My argus.conf has:
>> > ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
>> >
>> > I can also for testing purposes run the -w option from the command line,
>> > what do you think?
>> >
>>
>> > > > /var/log/argus/argus.out {
>> > > >     missingok
>> > > >     notifempty
>> > > >     compress
>> > > >     size 100M
>> > > >     daily
>> > > >     create 0600 root root
>> > > > }
>>
>> Monah, I think that if you remove the "create 0600..." line from
>> the logrotate configuration, argus.out will be recreated by argus
>> and new records written to it.
>>
>> When logrotate creates a replacement file, the logic in argus that
>> checks to see if the file has been removed is effectively bypassed.
>> The original file it opened is no longer visible with "ls" because
>> gzip blows it away, but the file does actually still exist until
>> all file descriptors that reference it have been closed; argus
>> continues writing to it.
>>

I would suggest restarting Argus if you didn't already, to ensure that it doesn't still have an old file descriptor open.  It might also be a good idea to temporarily set the rotate interval to something short to see if the change helps.  In any event, I'll take a look at this again today.
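
The behaviour described in the quoted explanation can be replayed with a stand-in writer. This is an added example, not part of the original message and not argus or logrotate code; the `rotate()` helper is a simplified model of a logrotate run, and the path and record contents are constructed.

```python
import os
import tempfile


def rotate(path, create):
    """Simplified stand-in for a logrotate run with 'compress'."""
    rotated = path + ".1"
    os.rename(path, rotated)              # live file is moved aside
    if create:                            # "create 0600 root root"
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
    os.unlink(rotated)                    # gzip removes the original when done


def replay(create):
    """Write, rotate, write again; report what the path and the descriptor show."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "argus.out")       # constructed sample path
        writer = open(path, "ab", buffering=0)    # long-lived descriptor, as a daemon holds
        writer.write(b"record-1\n")
        rotate(path, create)
        writer.write(b"record-2\n")               # succeeds: the old inode still exists
        held = os.fstat(writer.fileno())
        exists = os.path.exists(path)
        report = {
            "path_exists": exists,
            "bytes_at_path": os.stat(path).st_size if exists else None,
            "bytes_in_open_file": held.st_size,
            "open_file_links": held.st_nlink,     # 0 means no name refers to it
            "same_inode": exists and os.path.samestat(held, os.stat(path)),
        }
        writer.close()
        return report


if __name__ == "__main__":
    for create in (True, False):
        print("create" if create else "no create", replay(create))
```

With `create`, the path exists but stays empty while both records sit in a file with zero links. Comparing the descriptor's inode with the path's inode distinguishes that case from a file that was never rotated.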


