Bug 8003

Summary: kernel log entries lost after /etc/logrotate.d/syslog runs
Product: [Retired] Red Hat Linux Reporter: peterw
Component: sysklogdAssignee: Bill Nottingham <notting>
Status: CLOSED WORKSFORME QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: rhw, rvokal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1999-12-27 05:28:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description peterw 1999-12-27 00:34:57 UTC 
I added the following line to /etc/syslog.conf so that I could use ipchains to log network connection attempts:

kern.info                    /var/log/messages

However, the ipchains packet logging stops functioning every time logrotate  rotates the syslog files. I have found that I can re-enable the packet logging by running
/etc/rc.d/init.d/syslog restart
which I notice restarts klogd as well as syslogd. I suspect that /etc/logrotate.d/syslog should be modified to restart klogd (maybe just send a TSTP and then CONT signal?) in every instance where it sends a HUP to syslogd; otherwise I suspect that all kernel messages sent via klogd (not just my ipchains entries) are lost.

Thanks,

-Peter
Comment 1 peterw 1999-12-27 05:28:59 UTC 
Oops. Updated to latest sysklogd package for RH 6.1. Seems OK now.
Comment 2 Riley H Williams 1999-12-28 14:12:59 UTC 
There appears to be a slight race problem here. If my analysis is right, then
either syslogd or klogd blocks if the kernel generated an OOPS whilst the logs
are being rotated, and about five minutes of logs vanish as a result.

The problem, of course, is that the ONLY evidence of this happenning is a gap in
the logs where entries relating to syslogd restarting should occur. As a result,
it's virtually impossible to produce any examples.