Where do logs go during logrotate?

If a log entry arrives while logrotate is running, where does it go? To the rotated file, to the newly created file, or is it lost?

It depends.

The logrotate process

In RHEL 6 (CentOS 6), logrotate works as follows:

1. Rename the original file. For example, /var/log/messages --> /var/log/messages.1

2. Create a new file. In this example, create an empty /var/log/messages

3. Run the post-rotate script. For rsyslog, it sends a HUP signal to rsyslogd.

Simulation

Let's manually simulate the logrotate of rsyslog.


# Before logrotate
[root@rhel674 ~]# lsof | grep messages
rsyslogd   1717      root    1w      REG              253,0      146     281379 /var/log/messages
     
   
# Simulate logrotate. Step 1: rename the file.
     
[root@rhel674 ~]# mv /var/log/messages /var/log/messages.1
[root@rhel674 ~]# lsof | grep messages
rsyslogd   1717      root    1w      REG              253,0      146     281379 /var/log/messages.1
     
     
# Right after this step, a log message arrives
[root@rhel674 ~]# logger =======
    
[root@rhel674 ~]# cat /var/log/messages.1 | grep ===
Jun 28 15:44:23 rhel674 root: =======
    
[root@rhel674 ~]# lsof | grep messages
rsyslogd   1717      root    1w      REG              253,0      184     281379 /var/log/messages.1
     
     
# Simulate logrotate. Step 2: create a new file and reload rsyslog.
     
[root@rhel674 ~]# touch /var/log/messages
     
[root@rhel674 ~]# /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null`
     
[root@rhel674 ~]# lsof | grep messages
rsyslogd   1717      root    1w      REG              253,0      146     280525 /var/log/messages
     
# From now on, logs go to /var/log/messages as usual.

The simulation shows that after logrotate renames the file, but before the post-rotate script runs (sending HUP), logs are written to /var/log/messages.1.

Once the post-rotate script has finished, logs are written to /var/log/messages as usual.

Why do logs go to /var/log/messages.1?

Before HUP is sent to rsyslogd, why do logs go to the renamed file /var/log/messages.1?

Because the FD held by that process hasn't changed. Let's do a simple test using Python:

## 1. Create an empty file.
~$ touch /tmp/test.txt

## 2. Open an interactive Python shell, and open the above file.
>>> f = open('/tmp/test.txt', 'w+')
>>> f.write('hehe1\n')
>>> f.flush()

## 3. We can see this FD using lsof.  (here FD=3)
~$ lsof | grep /tmp/test.txt
python    2868           feichashao    3u      REG                8,1        xxx  8391852 /tmp/test.txt
~$ cat /tmp/test.txt 
hehe1

## 4. Rename this file. (The corresponding FD is still 3.)
~$ mv /tmp/test.txt /tmp/test1.txt
~$ lsof | grep /tmp/test1.txt
python    2868           feichashao    3u      REG                8,1       xxx  8391852 /tmp/test1.txt

## 5. Append something. The string is written to /tmp/test1.txt
>>> f.write('hehe2\n')
>>> f.flush()

~$ cat /tmp/test1.txt 
hehe1
hehe2
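
The whole rename, create, reopen sequence can be replayed in one script that checks inode numbers instead of reading lsof output. This is an added example, not part of the original post; the temporary directory, the file name "messages" and the close-and-reopen step that stands in for rsyslogd's reaction to HUP are assumptions made for the demonstration.

```python
import os
import tempfile


def simulate_rotation(workdir):
    """Replay rename -> create -> reopen and report where each write lands."""
    live = os.path.join(workdir, "messages")   # constructed stand-in for /var/log/messages
    rotated = live + ".1"

    f = open(live, "a")                        # the daemon's long-lived handle
    f.write("before rotate\n")
    f.flush()
    inode_before = os.fstat(f.fileno()).st_ino

    # Step 1: rename. The open descriptor still refers to the same inode.
    os.rename(live, rotated)
    # Step 2: create a new, empty file under the old name.
    open(live, "w").close()

    # A write arriving before the reopen follows the descriptor, not the name.
    f.write("during rotate\n")
    f.flush()
    fd_follows_rename = (
        os.fstat(f.fileno()).st_ino == os.stat(rotated).st_ino == inode_before
    )

    # Step 3: model the effect of HUP seen in the simulation: reopen by path.
    f.close()
    f = open(live, "a")
    f.write("after rotate\n")
    f.flush()
    reopened_new_inode = os.fstat(f.fileno()).st_ino != inode_before
    f.close()

    with open(rotated) as r, open(live) as l:
        return {
            "rotated": r.read().splitlines(),
            "live": l.read().splitlines(),
            "fd_follows_rename": fd_follows_rename,
            "reopened_new_inode": reopened_new_inode,
        }


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return simulate_rotation(d)


if __name__ == "__main__":
    print(run_demo())
```

When reconstructing a timeline from rotated logs, entries written in the window between the rename and the reopen appear at the end of messages.1, so both files need to be read around the rotation time.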