On Sun, 14 Dec 2008 20:47:36 -0500, Filipe Brandenburger wrote:
Hi,
On Sun, Dec 14, 2008 at 15:26, Mike -- EMAIL IGNORED m_d_berger_1900@yahoo.com wrote:
> If I do a vi on the secure file and write it from vi, it stops recording.
Yes, that's the expected behaviour, because "vi" will actually write a new file and rename it to /var/log/secure, so syslog will no longer be writing to that file.
The file syslog is now writing to is not accessible on the filesystem (unless you created a hardlink to it before), but other processes that had it open before you saved it with "vi" will continue using the old one.
> If I do a "/var/init.d/syslog restart", the secure file starts recording.
Yes, because syslog will open the new file again, by its name; now it's the file "vi" wrote. Actually, when you stop syslog (and all other processes that had the old file open) it will be effectively deleted, but not before that.
> I still have no idea how swatch continues to function after the syslog stops recording.
I'm not familiar with swatch, so I cannot say how it interacts with files that are written/renamed as you described with "vi".
If it's a "daemon" that is running on background all the time, chances are it will keep the file open (although not necessarily), so in this case it will "see" the new entries from syslog. If it's run from cron at fixed intervals, it will open the file every time it runs, so chances are if you rewrite the file with "vi" it will no longer see the new entries from syslog.
In any case, opening a logfile with "vi" is a bad idea, you should use a more appropriate tool such as "less", or if you really want to use "vi" commands, use "vi -R" or "view" for read-only mode.
HTH, Filipe
Very interesting analysis. swatch uses tail -f, or something that mimics it, to watch the file. I would then guess that, as per your explanation, swatch continues to watch the "old file".
Mike.
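The behaviour Filipe describes (a "vi"-style save creates a new file and renames it over the log, so a writer or a tail -f style follower that already holds the old file open keeps using the unlinked inode, while anything that reopens by name gets the new file) can be reproduced in a few lines. The following is an added example, not code from either poster; it builds its own scratch log in a temporary directory and uses raw file descriptors to stand in for syslog (the writer) and swatch/tail -f (the follower). The inode check at the end is the same test an admin would do by hand with `ls -i /var/log/secure` against the inode shown for the daemon's open descriptor.

```python
import os
import tempfile


def save_like_vi(path, new_contents):
    """Mimic an editor's write: create a new file, then rename it over the original.
    The directory entry now points at a new inode; the old inode keeps existing
    for as long as some process still holds it open."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(new_contents)
    os.rename(tmp, path)


def fd_matches_path(fd, path):
    """True if the open descriptor and the name refer to the same inode.
    This is the check that tells you whether a daemon is still writing to
    the file the name currently points at."""
    a, b = os.fstat(fd), os.stat(path)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def demonstrate():
    # Constructed scratch log, standing in for /var/log/secure.
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secure")
    with open(path, "wb") as f:
        f.write(b"line1\n")

    writer_fd = os.open(path, os.O_WRONLY | os.O_APPEND)   # syslog-like writer
    follower_fd = os.open(path, os.O_RDONLY)               # tail -f like follower
    os.read(follower_fd, 4096)                             # drain existing content

    before = fd_matches_path(writer_fd, path)              # True: same inode
    save_like_vi(path, b"edited\n")                        # the "vi" write
    after = fd_matches_path(writer_fd, path)               # False: name now points elsewhere

    # The writer keeps appending to the old (now unlinked) inode ...
    os.write(writer_fd, b"line2\n")
    follower_saw = os.read(follower_fd, 4096)              # ... and the follower still sees it
    with open(path, "rb") as f:
        by_name = f.read()                                 # a fresh open sees only vi's copy
    old_links = os.fstat(writer_fd).st_nlink               # 0: no name left for the old inode

    # "syslog restart": reopen by name, so new lines land in the new file.
    os.close(writer_fd)
    writer_fd = os.open(path, os.O_WRONLY | os.O_APPEND)
    os.write(writer_fd, b"line3\n")
    with open(path, "rb") as f:
        after_restart = f.read()

    os.close(writer_fd)
    os.close(follower_fd)
    return {
        "matched_before_save": before,
        "matched_after_save": after,
        "follower_saw": follower_saw,
        "by_name_after_save": by_name,
        "old_inode_links": old_links,
        "by_name_after_restart": after_restart,
    }


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v!r}")
```

Run it and the output shows why the thread's observations are consistent with each other: the follower keeps receiving `line2` from the unlinked inode, a fresh open of the name sees only `edited`, and only after the writer reopens the path (the "restart") do new lines reach the file the name points at. The same `fd_matches_path` comparison is what a defender would script to detect a log whose daemon has been silently detached from its name, whether by an editor or by anything else that renames over the file.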