About newsyslog behavior

Jim Xochellis dxoch at escape.gr
Tue Jul 8 02:27:51 PDT 2003 

Hi Garance, Hi list,

I spend some time thinking about all this newsyslog stuff and I am 
starting to feel that maybe I am making too much noise for minor 
problems. After all disk space is very cheap and turning over the logs 
is not something that we have to do very often. In many cases we can 
even do it by hand! Nevertheless, I will try to explain my thoughts in 
a better way this time.

On Friday, July 4, 2003, at 12:44 AM, Garance A Drosihn wrote:

> At 12:08 PM +0300 7/2/03, Jim Xochellis wrote:
>

[...]

>> I have confirmed that newsyslog actually creates a new
>> log file (instead of copying it and then disposing its
>> contents) by reading the source of the newsyslog.c file
>
> Yes, and that doen because it is the safest and most
> reliable way for it to rotate a logfile without any
> hitting any race-conditions.

In fact newsyslog works OK when the process that creates the log is not 
a server for other users / computers and reacts correctly to SIGHUP. I 
have use it my self to turn over the log of "ipmon" (IPF firewall) and 
everything works great. But sending SIGHUP to a file server (or to an 
other kind of server perhaps) is something that I want to avoid even if 
SIGHUP re-opens correctly the logs. AFAIK when a file server (i.e. 
Netatalk) receives an SIGHUP it closes (gracefully I admit) the 
connections to its clients. And this happens just because log file is 
turned over by newsyslog! (too much IMHO)
One possible way to reduce these side-effects is to schedule newsyslog 
to turn over the logs after midnight and avoid rush hours (I am doing 
that at the moment). This is a practical solution that really helps but 
its also incomplete. I realize that I am not talking about a major 
problem here. But I am proposing a solution (to a non major problem) 
that is very easy to implement.

See bellow about the possibility to have race-conditions in a server 
with many processes.

[...]

>
>> Isn't it feasible to dispose the contents of the old log
>> file instead of creating a new one?  Anything that I am
>> missing here? (giving the fact that I am not a unix guru,
>> only a C programmer)
>
> If the program does not have some way to REALLY re-open the
> log file, then the file-pointer might also be pointing to a
> specific point in the file.  Let's say it is at byte 125000
> into the file.  You empty the file.  The next time the
> program writes to the log file, it will write to byte 125001
> (depending on how the program is written).  Some programs
> may work with this strategy, but others will not.
>

I admit that disposing the contents of the old log file instead of 
creating a new one could be dangerous in some cases and should NOT be 
the default behavior of newsyslog. I am talking about a per-file basis 
option and nothing more. I believe that this option can be both useful 
and harmless when used with most servers.

Useful: Because we should always try our best not to interrupt the 
server-client connection (Which actually happens when sending SIGHUP)

Harmless: Because I am talking about typical serves (Netatalk, samba, 
apache...) that are using many processes which are all writing in the 
same log file. In these cases we should not expect any race-conditions 
in the log files because the servers have already solved these problems 
in order to implement logging for their own processes. (OK there is 
still a case (in theory) that the processes are handling the logging 
via interprocess communication instead of re-opening / flushing the 
logs files locally. IMHO this would be impractical and is not really 
possible to have such a case in a real world situation! Am I right 
here?)

[...]

Best Regards
Jim Xochellis

More information about the freebsd-questions mailing list