3

CentOS 6.2, bind 9.7.3, rsyslog 4.6.2

I recently set up a server, and I noticed that named had stopped logging to /var/log/messages after the logs had rotated. I thought that was odd, since all logging happens through rsyslog and named doesn't write directly to the log file.

It was even more odd because I had HUPed named after updating a zone file, and it still wasn't logging.

After I stopped and restarted named, logging resumed.

What's going on here? The syslog PID hasn't changed (/var/run/syslogd.pid matches the PID shown in ps). Is rsyslog opening a new socket when logrotate rotates its logs and HUPs it?

/etc/logrotate.d/syslog:

/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

And rsyslogd continues logging after the rotate -- it's just named (and possibly other services) that aren't connecting to rsyslogd correctly. Here's /var/log/messages-20120212:

Feb  5 04:45:03 linus kernel: imklog 4.6.2, log source = /proc/kmsg started.
Feb  5 04:45:03 linus rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="1178" x-info="http://www.rsyslog.com"] (re)start
Feb  9 16:16:29 linus yum[13028]: Installed: 2:vim-minimal-7.2.411-1.6.el6.i686
Feb 12 04:09:22 linus rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="1178" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'restart'.
Feb 12 04:09:22 linus kernel: Kernel logging (proc) stopped.

And I'm only running rsyslogd (which for some reason saves its PID in /var/run/syslogd.pid):

root      1178  0.0  0.1  29496  1488 ?        Sl   Jan29   0:20 /sbin/rsyslogd -i /var/run/syslogd.pid -c 4
root      5960  0.0  0.0   2300   504 pts/0    S+   17:45   0:00 grep syslog
tomlogic
  • 330
  • 3
  • 13

2 Answers2

2

I suppose you're using chrooted bind. You have to add this line to the rsyslog.conf:

$AddUnixListenSocket /var/named/chroot/dev/log

Make sure you use right path to the chrooted dev on your system.

Luf

Ludek Finstrle
  • 36
  • 3
  • Hey, this look like it might just work. I've made the change and will check next Sunday to see if it works. I have confirmed that it's creating that file, so it seems like it will be the correct solution. If it's working, I'll accept your answer for sure. – tomlogic Jun 05 '12 at 13:02
  • Awesome. Just checked my logs and this has fixed my problem. – tomlogic Jun 10 '12 at 17:35
1

Rotation changed file's inode, thus Rsyslog was trying to append to old inode. To solve the problem, change the logrotate configuration to copy the current file, and then truncate it at rotation time.

mdpc
  • 11,856
  • 28
  • 53
  • 67
Nikolaidis Fotis
  • 2,032
  • 11
  • 13
  • Nope. I've updated the question with one of the rolled logs showing rsyslogd writing to the log file just fine. It's some problem between `bind` and `rsyslogd`. – tomlogic Feb 15 '12 at 00:34
  • hmmm. Could you execute ps aux | grep syslog ? It seems a bit strange. In my distro I have /var/run/rsyslog.pid instead of /var/run/syslog.pid (you should run either rsyslog or syslog, not both) – Nikolaidis Fotis Feb 15 '12 at 23:21
  • Nope, only running rsyslog (but it's using syslog.pid as its PID file). Updated question with output of `ps aux | grep syslog`. – tomlogic Feb 16 '12 at 00:48