logrotate strange argus behavior
Eric Kinzie
eric at qosient.com
Fri Oct 26 10:19:10 EDT 2018
On Wed Oct 24 11:55:24 -0400 2018, Eric Kinzie wrote:
> On Wed Oct 24 10:58:46 -0400 2018, Monah Baki wrote:
> > Hi Carter,
> >
> > My argus.conf has:
> > ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
> >
> > I can also for testing purposes run the -w option from the command line,
> > what do you think?
> >
>
> > > > /var/log/argus/argus.out {
> > > > missingok
> > > > notifempty
> > > > compress
> > > > size 100M
> > > > daily
> > > > create 0600 root root
> > > > }
>
> Monah, I think that if you remove the "create 0600..." line from
> the logrotate configuration, argus.out will be recreated by argus
> and new records written to it.
>
> When logrotate creates a replacement file, the logic in argus that
> checks to see if the file has been removed is effectively bypassed.
> The original file it opened is no longer visible with "ls" because
> gzip blows it away, but the file does actually still exist until
> all file descriptors that reference it have been closed; argus
> continues writing to it.

Removing the "create" line was not enough. I added "nocreate" and
argus created its own replacement file and started writing records
to it. See if that helps.
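
The behaviour described in this thread, as an added example that is not part of the original message and is not argus code: a writer keeps appending to an unlinked file while a replacement created at the same path sits empty. The existence-only check is an assumption about the kind of test that gets bypassed, not a reading of the argus source; `os.unlink` stands in for gzip removing the rotated file, and the function names are hypothetical.

```python
import os
import tempfile

def path_exists_check(path):
    """Assumed simple check: reopen only when the path has disappeared."""
    return not os.path.exists(path)

def inode_check(fd, path):
    """Stricter check: reopen when the path is gone or names a different file."""
    try:
        st_path = os.stat(path)
    except FileNotFoundError:
        return True
    st_fd = os.fstat(fd)
    return (st_fd.st_dev, st_fd.st_ino) != (st_path.st_dev, st_path.st_ino)

def simulate(create_replacement):
    """Rotate a log under an open writer and report what each check decides."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "argus.out")  # constructed sample file
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        os.write(fd, b"record 1\n")
        os.unlink(path)  # rotated file removed after compression
        if create_replacement:  # effect of logrotate's "create 0600 root root"
            os.close(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600))
        os.write(fd, b"record 2\n")  # succeeds: the inode lives while fd is open
        result = {
            "hidden_size": os.fstat(fd).st_size,  # bytes in the unlinked file
            "visible_size": os.path.getsize(path) if os.path.exists(path) else None,
            "exists_check_reopens": path_exists_check(path),
            "inode_check_reopens": inode_check(fd, path),
        }
        os.close(fd)
        return result

if __name__ == "__main__":
    print("create:  ", simulate(True))
    print("nocreate:", simulate(False))
```

With a replacement file in place, records land in a file no path refers to and the visible log stays at zero bytes, which is the monitoring gap to watch for after rotation.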