Rsyslog: omfile will loss log when the file is removed, unless restart rsyslogd .
Expected behavior
when my log file is removed by someone, rsyslog will create the log file, continue writing logs to it.
Actual behavior
no log file is created, so logs is loss.
Steps to reproduce the behavior
first, config is easy, as follow:
local6.* /tmp/testlocal6
secondly, use logger write a log to rsyslog, the file /tmp/testlocal6 is created, then rm /tmp/testlocal6
then, the log file will not be recoverd.
Environment
- rsyslog version: rsyslogd 8.40.0, compiled with:
PLATFORM: x86_64-unknown-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
systemd support: Yes
Number of Bits in RainerScript integers: 64
See https://www.rsyslog.com for more information.
- platform: Centos 7
- for configuration questions/issues, include rsyslog.conf and included config files
danncy
All 8 comments
this is not a bug, but the way Linux works. When you delete a file, rsyslog can continue to write to the file. To make it aware you want to start a new file, you need to send rsyslog a HUP.
rgerhards
on 21 Aug 2019
DBGPRINTF("strmPhysWrite, stream %p, len %u\n", pThis, (unsigned)lenBuf);</br>
if(pThis->fd == -1)
CHKiRet(strmOpenFile(pThis));
but I test this case in my machine, it not works. I don't send a HUP.
I think the code in stream.c can add a robust check, if the file not exists, reopen is needed.
danncy
on 21 Aug 2019
I don't send a HUP.
That's the problem. You need on a *nix system like Linux.
I think the code in stream.c can add a robust check, if the file not exists, reopen is needed.
This is nothing to go into the mainstream release. Feel free to craft a change and apply it locally. But the behavior you describe is excpected and as-designed for over 30 yrs now. You are simply doing it wrong.
rgerhards
on 21 Aug 2019
I understand, rsyslog is great. It solved my problem with datacenter's log collection.
I will add it locally, thanks
danncy
on 21 Aug 2019
in the strmPhysWrite method, I added:
if (pThis->fd != -1 && stat((char*)pThis->pszCurrFName, &statOpen) == -1) {
CHKiRet(strmCloseFile(pThis));
CHKiRet(strmOpenFile(pThis));
}
After I wrote code as above, Is there something not considered?
Why don't you do that, for performance or something else?
Please help to answer the question, thank you very much.
danncy
on 21 Aug 2019
Why don't you do that, for performance or something else?
costs a bit of performance. main reason is that it introduces unexpected behavior for sysadmins
rgerhards
on 21 Aug 2019
the fact that a file remains and can be accessed by anything that has it open,
even after all links to it are removed from the filesystem is surprising
behavior to new admins, but it's something *nix has done for decades.
it seems odd, but it has actually ended up being a feature. When the last user
of the file exits (including on reboots) the file goes away. This is commonly
done on temporary files that a program needs to use while it's running, but
wants to make sure do not stay around, even if the program crashes.
I undertand your frustration with this feature of *nix (every sysadmin gets
caught by this at some point), but it's something that if we changed, could
break existing systems, and that's something we just don't do.
David Lang
davidelang
on 21 Aug 2019
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
![lock[bot] picture](https://avatars.githubusercontent.com/in/6672?v=4&s=40)
lock[bot]
on 24 Dec 2019
Related issues
selivan
·
7Comments
yfliuyanyan
·
4Comments
bbailey1024
·
3Comments
shannider
·
4Comments
ysfduzgun
·
5Comments