On Dec 13, 2009, at 1:41 PM, G.W. Haywood wrote:
> FWIW I use logrotate for just about everything that logs, with almost
> no trouble. I did recently have to upgrade from a very old version of
> logrotate on a very old Red Hat system, but I can't remember now what
> exactly it was doing (or not doing) that I didn't like. Something to
> do with messing up when I had complex command lines in the logrotate
> scripts themselves. What version of logrotate are you using?
Version 3.7.4, apparently. The version that ships with the latest RHEL 5.4
release.
> Incidentally I use syslog-ng for just about all logging, and I can't
> recommend it highly enough.
syslog-ng is on my list of things to look into .. Unfortunately, my list is ..
well.. large. :)
> I wonder if this 'reload' isn't doing quite what you think it's doing?
> Actually I don't think I understand the term 'reloading a log file'.
> (OTOH I do think I understand the terms 'reloading a database' and
> 'reopening a log file'. :) You haven't given us enough information to
> know what exactly is going on in this case. For example I'm assuming
> that you want clamd to write to the log file directly (as opposed to
> using the syslog facilities) but you could confirm that by letting us
> have sight of your clamd.conf and the command line which starts clamd.
> You can probably get the latter from 'ps'.
>From what I'm seeing, the init script merely sends a sighup to the process.
>The exact code is here :
reload() {
echo -n $"Reloading log file: "
killproc clamd -SIGHUP
RETVAL=$?
echo
return $RETVAL
}
As for clamd, the config (minus comments, whitespace, etc) is as follows :
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxDirectoryRecursion 15
User clamav
AllowSupplementaryGroups no
ScanPE yes
ScanOLE2 yes
ScanMail yes
ScanHTML yes
ScanArchive yes
MaxFileSize 10M
MaxRecursion 5
MaxFiles 1000
So yes, I have clam writing directly to a log file, which I then want to rotate
on a regular basis.
> If you mean 'reload' as in 'give the reload command to clamd' then I
> think you're doing nothing that will tell clamd to close and reopen
> its log file. See the 'man' page for clamd.
The exact command is :
sudo /sbin/service clamd reload
Per the clamav docs (http://www.clamav.net/doc/latest/html/node26.html) :
Clamd can handle the following signals:
• SIGTERM - perform a clean exit
• SIGHUP - reopen the log file
• SIGUSR2 - reload the database
So a SIGHUP should cause the logfile to be re-opened. If i understand
correctly, if the logfile is moved, the file handles follow. However, a sighup
should cause the new logfile to be used, assuming it has the same
name/permissions as the original.
> Why not just make that something like 'restart' instead of 'reload'?
> Alternatively you might want to try something like
Restart is a possible path, though it takes longer than a reload, thus impeding
my scanning. I'm not opposed to it, I just want to make sure it's the correct
path before I head there. It seems that SIGHUP should do the job, but it's not.
> 73,
> Ged.
Thanks...
BTW.. 73? What's the significance?
--
Jason 'XenoPhage' Frisvold
xenopha...@gmail.com
http://blog.godshell.com
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
