On Sun, 14 Dec 2008 20:47:36 -0500, Filipe Brandenburger wrote:

> Hi,
>
> On Sun, Dec 14, 2008 at 15:26, Mike -- EMAIL IGNORED
> <m_d_berger_1900 at yahoo.com> wrote:
>> If I do a vi on the secure file and write it from vi, it stops
>> recording.
>
> Yes, that's the expected behaviour, because "vi" will actually write a
> new file and rename it to /var/log/secure, so syslog will no longer be
> writing to that file.
>
> The file syslog is now writing to is not accessible on the filesystem
> (unless you created a hardlink to it before), but other processes that
> had it open before you saved it with "vi" will continue using the old
> one.
>
>> If I do a "/var/init.d/syslog restart", the secure file starts
>> recording.
>
> Yes, because syslog will open the new file again, by its name, now it's
> the file "vi" wrote. Actually, when you stop syslog (and all other
> processes that had the old file open) it will be effectively deleted,
> but not before that.
>
>> I still have no idea how swatch continues to function after the syslog
>> stops recording.
>
> I'm not familiar with swatch, so I cannot say how it interacts with
> files that are written/renamed as you described with "vi".
>
> If it's a "daemon" that is running in the background all the time, chances
> are it will keep the file open (although not necessarily), so in this
> case it will "see" the new entries from syslog. If it's run from cron at
> fixed intervals, it will open the file every time it runs, so chances
> are if you rewrite the file with "vi" it will no longer see the new
> entries from syslog.
>
> In any case, opening a logfile with "vi" is a bad idea, you should use a
> more appropriate tool such as "less", or if you really want to use "vi"
> commands, use "vi -R" or "view" for read-only mode.
>
> HTH,
> Filipe

Very interesting analysis. swatch uses tail -f, or something that mimics
it to watch the file. I would then guess that as per your explanation,
swatch continues to watch the "old file".

Mike.
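The behaviour discussed in this thread, reproduced as an added example that is not part of the original messages: a writer and a tail-style follower keep their descriptors on the old file after a write-new-file-and-rename save, while anything that opens by name sees the replacement. The file name, the helper names and the device/inode comparison in fd_is_stale (a check a log watcher can run to notice the replacement) are assumptions of this example; the file is a constructed stand-in in a temporary directory.

```python
import os
import tempfile

def fd_is_stale(fd, path):
    """True if the open descriptor no longer refers to the file now at path."""
    held = os.fstat(fd)
    try:
        named = os.stat(path)
    except FileNotFoundError:
        return True
    return (held.st_dev, held.st_ino) != (named.st_dev, named.st_ino)

def save_by_rename(path, data):
    """Editor-style save as described above: write a new file, rename it over the name."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
    os.replace(tmp, path)

def demo():
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "secure")    # constructed stand-in for the log file
    # Stand-in for the logging daemon: opens once, appends for its whole lifetime.
    writer = os.open(log, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.write(writer, b"entry 1\n")
    follower = os.open(log, os.O_RDONLY)      # long-running watcher, tail -f style
    os.read(follower, 4096)                   # consume what is there so far

    before = fd_is_stale(writer, log)
    save_by_rename(log, b"entry 1\n")         # the save from the editor
    after = fd_is_stale(writer, log)

    os.write(writer, b"entry 2\n")            # lands in the old, now nameless file
    seen_by_follower = os.read(follower, 4096)
    with open(log, "rb") as f:                # cron-style reader: opens by name
        seen_by_name = f.read()
    old_links = os.fstat(writer).st_nlink     # names still pointing at the old file

    os.close(writer)                          # the "restart": close, reopen by name
    writer = os.open(log, os.O_WRONLY | os.O_APPEND)
    reopened = fd_is_stale(writer, log)
    os.close(writer)
    os.close(follower)
    return before, after, seen_by_follower, seen_by_name, old_links, reopened

if __name__ == "__main__":
    print(demo())
```

A watcher that runs this comparison periodically and reopens the path when it reports a stale descriptor keeps following the named file, which is what tail -F does and tail -f does not.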