Re: [leafnode-list] Logging Stopped; restart syslog needed

"Mike Vanecek" <leaf_list@xxxxxxxxxxxxx> writes:

>> Most syslogd implementations will close their files and reopen them 
>> as they receive SIGHUP, so chances are that either your syslog 
>> logged to a file that logrotate or newsyslog or what it's called had 
>> just deleted, so it got lost at syslogd restart (not that any 
>> process except debugfs or syslogd could have accessed it), or it has 
>> logged to newslog.1.gz, after the compressed data (to figure, try 
>> "tail newslog.1.gz").
> Nothing was logged after 1 Jul (I posted that info in the first post). The
> logging just stopped without anything being indicated in any of the
> logs.

Then logrotate has first renamed and then gzipped the log file; the
syslogd operates on a file (rather than a file name) and doesn't notice
the rename to newslog.1. gzip writes compressed data to a new file,
newslog.1.gz and deletes newslog.1: syslog logs to the deleted inode
that used to be known as newslog.1, and as syslog closes the deleted
file (that contains the log after July 1st), the kernel reclaims the
disk space and your log data is gone.

Note that zcat doesn't show you plain-text data that got appended to a
gzipped file: it just considers it trailing garbage and ignores it. Pipe
the file into less to find out.

Matthias Andree
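
The sequence described in this reply, replayed as an added example (not part of the original message): a writer keeps one descriptor open while the file is renamed, gzipped and deleted, and `fstat()` on that descriptor shows when it has been orphaned. The names `writer_state` and `demo` are hypothetical, and the log lines are constructed.

```python
import gzip
import os
import shutil
import tempfile


def writer_state(fd, path):
    """Compare a logger's open descriptor with the name it was opened under."""
    held = os.fstat(fd)
    if held.st_nlink == 0:
        return "deleted"  # no directory entry left; data is freed at close()
    try:
        named = os.stat(path)
    except FileNotFoundError:
        return "renamed"  # inode still linked, but under another name
    same = (named.st_dev, named.st_ino) == (held.st_dev, held.st_ino)
    return "ok" if same else "renamed"


def demo():
    """Replay rename, gzip, delete against a writer that never reopens."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "newslog")
    rotated = path + ".1"
    states = []
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        os.write(fd, b"Jul  1 before rotation\n")  # constructed log line
        states.append(writer_state(fd, path))
        os.rename(path, rotated)  # step 1: rename
        states.append(writer_state(fd, path))
        with open(rotated, "rb") as src, gzip.open(rotated + ".gz", "wb") as dst:
            shutil.copyfileobj(src, dst)  # step 2: compress into a new file
        os.unlink(rotated)  # step 3: delete the uncompressed copy
        os.write(fd, b"Jul  2 after rotation\n")  # still succeeds, no error
        states.append(writer_state(fd, path))
        held_size = os.fstat(fd).st_size
    finally:
        os.close(fd)  # kernel reclaims the unlinked inode here
    with gzip.open(rotated + ".gz", "rb") as f:
        archived = f.read()
    names = sorted(os.listdir(workdir))
    shutil.rmtree(workdir)
    return states, archived, names, held_size


if __name__ == "__main__":
    print(demo())
```

A monitoring check built on the same `fstat()` comparison can flag a logger that is writing to a renamed or deleted file before its entries are lost.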

