The source file lost

[JoyChou93]

When using logrotate, the source file is renamed, causing the source file to be lost. You need reload syslog-ng, and the source files can be re generated. Is there a better way?

/etc/init.d/syslog-ng reload >/dev/null

[furiel]

Yes: with recently enough syslog-ng there is a reopen command for syslog-ng, which does not do a full reload, only the files are reopened. See PR #1530 and #1700.

Alternatively, file destination supports template for filename. The filename can depend on the current time, thus messages are automatically written to another file based on current time. This can be an alternative to logrotate.
For example with stardate:

 destination { file("/tmp/$(stardate --digits 5 ${R_UNIXTIME)");};

but there are ${R_YEAR}, ${R_HOUR} and similar macros as well.

[JoyChou93]

@furiel so what's the reopen command ?

My config is like this:

destination test { file("/var/log/syslog-ng.log"); };

[furiel]

It is a recent addition to syslog-ng, unfortunately not yet in the documentation. It is intended to use in the logrotate scripts instead of reload, because reload is relatively heavy. Reopen just reopens the destination files: sources, destinations parsers are not reinitialized.

./syslog-ng-ctl --help
Syntax: ./syslog-ng-ctl <command> [options]
Possible commands are:
    stats                Get syslog-ng statistics in CSV format
    verbose              Enable/query verbose messages
    debug                Enable/query debug messages
    trace                Enable/query trace messages
    stop                 Stop syslog-ng process
    reload               Reload syslog-ng
--->reopen               Re-open of log destination files
    query                Query syslog-ng statistics. Possible commands: list, get, get --sum
    show-license-info    Show information about the license

This command also connected to the SIGUSR1 signal. So alternatively you can send SIGUSR1 to the syslog-ng process. It should do the same.

[JoyChou93]

$ syslog-ng-ctl -help
Syntax: syslog-ng-ctl <command> [options]
Possible commands are:
    stats        Dump syslog-ng statistics
    verbose      Enable/query verbose messages
    debug        Enable/query debug messages
    trace        Enable/query trace messages

So, how to send SIGUSR1 to syslog-ng process? I didn't find the document.

[JoyChou93]

@furiel So how to send SIGUSR1 to the syslog-ng process. I didn't find the doc.

[JoyChou93]

The command tests ok.

/bin/kill -SIGUSR1 `cat /var/run/syslog-ng.pid 2> /dev/null` 2> /dev/null

[furiel]

The reopen feature is available only from 3.12.1. Either with syslog-ng-ctl reopen or with sigusr1.

[JoyChou93]

@furiel thanks.

[ElectricRCAircraftGuy]

The command tests ok.

/bin/kill -SIGUSR1 `cat /var/run/syslog-ng.pid 2> /dev/null` 2> /dev/null

This works too (referring to my "Option 2" below), and is clearer in my opinion:

Call any one of these commands after performing a logrotate

...in order to cause syslog-ng to re-open the file descriptor and begin logging to the new log file instead of to the now-rotated and renamed old log file.

# Option 0 (no longer recommended): call the heavier `reload` command after log rotation
syslog-ng-ctl reload

# Option 1 (RECOMMENDED): call the new `reopen` command after log rotation
syslog-ng-ctl reopen

# Option 2 (same thing as Option 1 above): send the `SIGUSR1` kill signal to the running `syslog-ng`
# process
pid="$(cat /var/run/syslog-ng.pid)" kill -SIGUSR1 $pid

Sample /etc/logrotate.d/syslog-ng logrotate config file:

/var/log/auth.log 
/var/log/user.log
/var/log/messages  
{
    rotate 7
    size 20M
    delaycompress
    missingok
    # Required for syslog-ng after each rotation, to cause it to reopen log files so it can begin
    # logging to the new log file under a new file descriptor, rather than to the old log file
    # which has now been rotated and renamed. 
    postrotate
        # After rotating the log files, cause syslog-ng to reopen the destination log files so it
        # will log into the newly-created log files rather than into the now-rotated and renamed 
        # ones.
        #
        # This ensures, for example, that syslog-ng will move its file descriptor to begin logging
        # into the main "/var/log/messages" log file again, instead of into the
        # now-rotated "/var/log/messages.1" file, which the old file descriptor (fd) is now
        # pointing to since that fd's filename was just renamed from "/var/log/messages"
        # to "/var/log/messages.1" during the log rotation.

        # Option 1:
        syslog-ng-ctl reopen
        # OR, Option 2
        # pid="$(cat /var/run/syslog-ng.pid)" kill -SIGUSR1 $pid
    endscript
}

See also

1. https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/36#TOPIC-1829044 - says to use syslog-ng-ctl reload command after each log rotation
   1. My recommended fix to the documentation: 3.37 and earlier documentation should recommend calling syslog-ng-ctl reopen instead of syslog-ng-ctl reload after log rotation #4166
2. ***** The source file lost #1774 (comment) - where I learned about the existence of the syslog-ng-ctl reopen command, and how it is now recommended to be used after log rotation instead of the syslog-ng-ctl reload cmd.
3. https://man7.org/linux/man-pages/man8/logrotate.8.html
4. Buildroot configuring the meaning of the reload cmd in this file here??: https://github.com/buildroot/buildroot/blob/master/package/syslog-ng/S01syslog-ng
5. My personal notes. Search them for "logrotate', "/etc/logrotate.d/syslog", etc.: eRCaGuy_dotfiles/git & Linux cmds, help, tips & tricks - Gabriel.txt
6. My answer: Unix & Linux Stack Exchange: Buildroot: syslog-ng logs into the "/var/log/messages.1" file instead of "/var/log/messages"