In message <[email protected]>,
Michael Andrus writes:
>On Thu, Feb 26, 2009 at 6:04 PM, John P. Rouillard <[email protected]>wrote:
>> What does a state dump (send kill -USR1 to the sec process) show for
>> the lines in the buffer?
>
>When I try this with '-input /var/log/secure' only, the 'last 10 input
>lines' in sec.dump do not include the lines in question. It is as though
>they aren't in the log.
>
>When I try this while including '-input /tmp/sec' and 'tail -f
>/var/log/secure > /tmpsec', I see the lines in question appear in the 'last
>10 input lines' in sec.dump.
The dump file also records the last 10 input sources:. I assume when
the 10 lines show up they are all from /tmp/sec? Does /var/log/secure
ever show up in the last 10 input sources?
>Any ideas on this?
/var/log/secure is a real file right? Not configured as a pipe (as I
noticed you set up later and got working correctly hense solving this
problem). I have seen this with multiple readers from a pipe. Only the
first/fastest reader gets data and the other readers are starved.
Also the dump output will include lines like:
Input sources:
============================================================
/var/spool/nagios/event_stream (status: Open, received data: 34090392 lines,
context: _FILE_EVENT_/var/spool/nagios/event_stream)
/var/log/nagios/nagios.log (status: Open, received data: 2287193 lines,
context: NAG_LOG)
/var/spool/nagios/sec.cmd (status: Open, received data: 0 lines, context:
CONTROL)
What is the status of /var/log/secure? The only thing I can think of
is that sec is unable to read the file, or it pulls an error and
doesn't reopen the file.
Had this problem with a log rotator that was setting permissions
incorrectly on a file sec was trying to read resulting in SEC being
locked out of the file occasionally. So I let SEC do the log rotation.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
