On Fri, Dec 13, 2019 at 03:07:56PM -0500, Greg Wooledge wrote:
> On Fri, Dec 13, 2019 at 08:47:49PM +0100, mj wrote:
> > > root@pf:~# ps aux | grep rsyslog
> > > root 11250 0.8 3.3 872116 274200 ? Ssl 15:37 2:26 /usr/sbin/rsyslogd -n
> > > root 23873 0.0 0.0 12780 968 pts/0 S+ 20:25 0:00 grep rsyslog
> > > root@pf:~# service rsyslog stop
> > > root@pf:~# ps aux | grep rsyslog
> > > root 23909 0.0 0.0 12780 1020 pts/0 S+ 20:25 0:00 grep rsyslog
> >
> > > root@pf:~# rm -f /usr/local/pf/logs/*
> > > root@pf9:~# lsof | grep /usr/local/pf/logs
> > > snmptrapd 23941 root 3w REG 8,1 23 67605574 /usr/local/pf/logs/snmptrapd.log
> >
> > and yes: the file snmptrapd.log is the exception, all other files (20, 25 of
> > them) are gone, remain gone, and are not listed in lsof as open.
>
> So, it sounds like you want to kill snmptrapd (instead of, or in addition
> to, killing rsyslogd) before you unlink these log files.
It seems that snmptrapd accepts a SIGHUP to close and re-open its output
file (if it's set up to output to a file, that is). From its man page:
-o FILE
Log formatted incoming traps to FILE. Upon receipt of a
SIGHUP, the daemon will close and re-open the log file. This
feature is useful when rotating the log file with other
utilities such as logrotate. This option is being deprecated,
and '-Lf FILE' should be used instead.
But it can be set up to log via syslog, so one just has to take
care of syslog (which also takes a SIGHUP, afaik).
Cheers
-- "if all else fails, read the instructions" tomás
Attachment:
signature.asc
Description: Digital signature