How does one manually rotate log without logrotate on open/live file

logginglogrotatesyslog

My Google-Fu is getting me so close but just not quite there, and I guess I'm too green in Linux to put the pieces together.

I have a very large >200GB log file, still being written to. Logrotate wont get to it in time before disk space could be a concern. Also, I don't want to fire off another round of logrotate, because I don't want it to effect all the other targets in its config. I have added the new stanza in my logrotate.conf file as such:

/log/myDevice/myDevice.log {
  compress
  daily
  rotate 360
  maxage 360
  missingok
  compresscmd /usr/bin/xz
  dateext
  compressext .xz
  copytruncate
  olddir /log/archive/myDevice
}

I would like to do these things manually:

copytruncate : to grab off the current log file, but allow syslog-ng to keep chugging along on the current open/live file
(not above in the logrotate.conf) split : to break up the current log roll into smaller chunks
xz : compress over to archive folder

I can split(1) and xz(1) just fine, but when I try to grab off the target file, no dice.

I tried sudo mv myDevice.log ZmyDevice.log && touch myDevice.log, but syslog-ng just moves with the original file (and its new name) and keeps writes merrily away. Which made a bit of since when I thought about how the file is being referenced by syslog-ng.

So I'm trying to figure out how to do some sort of a manual copytruncate in order to cut the file to another one "in place" as it were, and let syslog-ng keep chugging away at what it wants.

Best Answer

Move the file, then send a SIGHUP to the syslog-ng process:

kill -HUP

which will cause it to re-open all it's open files, thus releasing the file you just moved/renamed and allowing you to carry on. It'll then open /log/myDevice/myDevice.log fresh and start writing to that.

Related Solutions

Linux – logrotate does not compress /var/log/messages

Adding delaycompress to the configuration section for /var/log/messages solved the problem.

From man logrotate:

   delaycompress
          Postpone  compression of the previous log file to the next rota‐
          tion cycle.  This only has effect when used in combination  with
          compress.   It  can  be used when some program cannot be told to
          close its logfile and thus might continue writing to the  previ‐
          ous log file for some time.

I guess sysklogd, my syslog daemon, cannot be told to close its logfile, and thus this is necessary.

Interestingly, the original configuration I had (without the delaycompress directive), came straight out of man logrotate (except I changed weekly to daily):

   # sample logrotate configuration file
   compress

   /var/log/messages {
       rotate 5
       weekly
       postrotate
           /usr/bin/killall -HUP syslogd
       endscript
   }

Linux – Logrotate Successful, original file goes back to original size

This is probably because even though you truncate the file, the process writing to the file will continue writing at whichever offset it were at last. So what's happening is that logrotate truncates the file, size is zero, process writes to the file again, continuing at the offset it left off, and you now have a file with NULL-bytes up to the point where you truncated it plus the new entries written to the log.

od -c after truncate + sudden growth, generated output along the lines of:

0000000  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
*
33255657600  \0   C   K   B   -   s   e   r   v   e   r       [   h   t   t
33255657620 <more log output>

What this says is from offset 0 to 33255657600 your file consists of null bytes, and then some legible data. Getting to this state doesn't take the same amount of time it would take to actually write all those null-bytes. The ext{2,3,4} filesystems support something called sparse files, so if you seek past a region of a file that doesn't contain anything, that region will be assumed to contain null-bytes and won't take up space on disk. Those null bytes won't actually be written, just assumed to be there, hence the time it takes to go to 0 to 3.5GB don't take a lot of time to. (You can test the amount of time it takes by doing something like dd if=${HOME}/.bashrc of=largefile.bin seek=3432343264 bs=1, this should generate a file of over 3GB in a few milliseconds).

If you run ls -ls on your logfiles after they've been truncated and had a sudden growth again, it should now report a number at the beginning of the line which represents the actual size (in blocks occupied on disk), which probably is orders of magnitude smaller than the size reported by just ls -l.

Best Answer

Related Solutions

Linux – logrotate does not compress /var/log/messages

Linux – Logrotate Successful, original file goes back to original size

Related Topic