On Fri, Dec 13, 2019 at 03:07:56PM -0500, Greg Wooledge wrote:
> On Fri, Dec 13, 2019 at 08:47:49PM +0100, mj wrote:
> > > root@pf:~# ps aux | grep rsyslog
> > > root 11250 0.8 3.3 872116 274200 ? Ssl 15:37 2:26
> > > /usr/sbin/rsyslogd -n
> > > root 23873 0.0 0.0 12780 968 pts/0 S+ 20:25 0:00 grep
> > > rsyslog
> > > root@pf:~# service rsyslog stop
> > > root@pf:~# ps aux | grep rsyslog
> > > root 23909 0.0 0.0 12780 1020 pts/0 S+ 20:25 0:00 grep
> > > rsyslog
> >
> > > root@pf:~# rm -f /usr/local/pf/logs/*
> > > root@pf9:~# lsof | grep /usr/local/pf/logs
> > > snmptrapd 23941 root 3w REG 8,1
> > > 23 67605574 /usr/local/pf/logs/snmptrapd.log
> >
> > and yes: the file snmptrapd.log is the exception, all other files (20, 25 of
> > them) are gone, remain gone, and are not listed in lsof as open.
>
> So, it sounds like you want to kill snmptrapd (instead of, or in addition
> to, killing rsyslogd) before you unlink these log files.

It seems that snmptrapd accepts a SIGHUP to close and re-open its output
file (if it's set up to output to a file, that is). From its man page:

    -o FILE
        Log formatted incoming traps to FILE. Upon receipt of a SIGHUP,
        the daemon will close and re-open the log file. This feature is
        useful when rotating the log file with other utilities such as
        logrotate.

        This option is being deprecated, and '-Lf FILE' should be used
        instead.

But it can be set up to log via syslog, so one just has to take care of
syslog (which also takes a SIGHUP, afaik).

Cheers
-- "if all else fails, read the instructions"
tomás
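
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Net-SNMP code: a writer keeps appending to an unlinked log through its open descriptor, and only a close-and-re-open on SIGHUP makes a file appear at the path again. The `ReopeningLog` class, the `demo` function and the temporary path are hypothetical names constructed for the illustration.

```python
import os
import signal
import tempfile
import time

class ReopeningLog:
    """Hypothetical file logger that closes and re-opens its path on SIGHUP."""
    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")
        self.reopen_requested = False

    def on_sighup(self, signum, frame):
        # The handler only sets a flag; the file I/O happens in write().
        self.reopen_requested = True

    def write(self, line):
        if self.reopen_requested:
            self.fh.close()                  # releases the old (unlinked) inode
            self.fh = open(self.path, "a")   # creates a new file at the path
            self.reopen_requested = False
        self.fh.write(line + "\n")
        self.fh.flush()

def demo():
    """Unlink an open log, then SIGHUP the writer; return what was observed."""
    seen = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "snmptrapd.log")  # constructed sample path
        log = ReopeningLog(path)
        old = signal.signal(signal.SIGHUP, log.on_sighup)
        log.write("trap 1")
        os.unlink(path)                      # what rm -f does to the name
        log.write("trap 2")                  # still lands in the unlinked inode
        seen["path_exists_after_rm"] = os.path.exists(path)
        seen["open_fd_size_after_rm"] = os.fstat(log.fh.fileno()).st_size
        os.kill(os.getpid(), signal.SIGHUP)
        while not log.reopen_requested:      # wait until the handler has run
            time.sleep(0.01)
        log.write("trap 3")
        with open(path) as f:
            seen["contents_after_hup"] = f.read()
        log.fh.close()
        signal.signal(signal.SIGHUP, old)
    return seen

if __name__ == "__main__":
    print(demo())
```

The lines written before the SIGHUP are gone together with the old inode, so anything worth keeping has to be copied or moved before the file is unlinked.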