[CentOS] secure file not updating

Mon Dec 15 01:47:36 UTC 2008
Filipe Brandenburger <filbranden at gmail.com>

Hi,

On Sun, Dec 14, 2008 at 15:26, Mike -- EMAIL IGNORED
<m_d_berger_1900 at yahoo.com> wrote:
> If I do a vi on the secure file and write it from vi, it stops recording.

Yes, that's the expected behaviour, because "vi" will actually write a
new file and rename it to /var/log/secure, so syslog will no longer be
writing to that file.

The file syslog is now writing to is not accessible on the filesystem
(unless you created a hardlink to it before), but other processes that
had it open before you saved it with "vi" will continue using the old
one.

> If I do a "/var/init.d/syslog restart", the secure file starts recording.

Yes, because syslog will open the new file again, by its name, now
it's the file "vi" wrote. Actually, when you stop syslog (and all
other processes that had the old file open) it will be effectively
deleted, but not before that.

> I still have no idea how swatch continues to function after the syslog
> stops recording.

I'm not familiar with swatch, so I cannot say how it interacts with
files that are written/renamed as you described with "vi".

If it's a "daemon" that is running in the background all the time, chances
are it will keep the file open (although not necessarily), so in this
case it will "see" the new entries from syslog. If it's run from cron
at fixed intervals, it will open the file every time it runs, so
chances are if you rewrite the file with "vi" it will no longer see
the new entries from syslog.

In any case, opening a logfile with "vi" is a bad idea, you should use
a more appropriate tool such as "less", or if you really want to use
"vi" commands, use "vi -R" or "view" for read-only mode.

HTH,
Filipe
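
The behaviour described in the message above, reproduced as an added example (not part of the original post). It uses a constructed temporary file as a stand-in for /var/log/secure and a plain file descriptor as a stand-in for syslog; the function names are hypothetical, and the editor save is modelled as "write a new file, rename it over the old name" as the message states.

```python
import os
import tempfile


def editor_style_save(path):
    """Replace path as the post describes: write a new file, rename it over the name."""
    tmp = path + ".new"
    with open(path, "rb") as src, open(tmp, "wb") as dst:
        dst.write(src.read())
    os.rename(tmp, path)  # the name now refers to a different inode


def writer_is_detached(fd, path):
    """True when the open descriptor and the path no longer refer to the same file."""
    held = os.fstat(fd)
    try:
        named = os.stat(path)
    except FileNotFoundError:
        return True
    return (held.st_dev, held.st_ino) != (named.st_dev, named.st_ino)


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secure")  # constructed stand-in for /var/log/secure
        open(path, "w").close()
        # Stand-in for syslog: opens the log once and keeps the descriptor.
        fd = os.open(path, os.O_WRONLY | os.O_APPEND)
        os.write(fd, b"entry 1\n")
        results["detached_before"] = writer_is_detached(fd, path)
        editor_style_save(path)
        os.write(fd, b"entry 2\n")  # lands in the old file, which no longer has this name
        results["detached_after_save"] = writer_is_detached(fd, path)
        with open(path) as f:
            results["visible_after_save"] = f.read()
        # Stand-in for the syslog restart: close and reopen by name.
        os.close(fd)
        fd = os.open(path, os.O_WRONLY | os.O_APPEND)
        os.write(fd, b"entry 3\n")
        results["detached_after_reopen"] = writer_is_detached(fd, path)
        os.close(fd)
        with open(path) as f:
            results["visible_after_reopen"] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```

"entry 2" never appears under the file name: it was written between the save and the reopen, which is the window in which the log "stops recording".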