How does logrotate work?
I am trying to monitor a log file which rotates frequently by logrotate. but i am unable to get that correctly. can any one explain how actually logrotate works?
Is a file renamed and a new file is created ?
or is a file copied with a new name and the current file is emptied?
Before rotation:
131887 -rw-r--r-- 1 root root 11385 Sep 25 03:40 /var/log/sas.logAfter rotation:
131887 -rw-r--r-- 1 root root 0 Sep 25 04:40 /var/log/sas.log
131911 -rw-r--r-- 1 root root 11385 Sep 25 04:40 /var/log/sas.log.12 Answers
If the option truncate is enabled in configuration file, then the file will not be moved - its content will only be copied to another file which is newly created and the current file will be cleared, so the inode id will not change. Actually the file is never changed.
Upon rotation the current logfile is moved and possibly compressed if that is specified. Then it is created anew. [looking for a source other than my experience]
That is a problem if a service is running that has the log file opened at the time of rotation. The file will be unlinked, but the disk space not really freed because the file is still open.
That is why services often install a more elaborate logrotate script handling the rotation. As an example look at /etc/logrotate.d/nginx defining rotation behaviour for the nginx webserver:
[....]
postrotate invoke-rc.d nginx rotate >/dev/null 2>&1
endscriptThe postrotate block is executed after the new log file has been created. It invokes the service script of nginx with rotate telling the service to reopen its log file.
