I have an extremely busy log file (let's call it /var/log/service.log) that is also frequently searched for troubleshooting reasons. Output to it is nearly continuous and 24/7. It probably puts out around 1-2 GB/day, but we need all of it.

Because fgrep of a large log file is impractically slow, there is a need to rotate frequently. I have logrotate set to run in /etc/cron.hourly, with an hourly directive and a size limit of 512M or so.

This works as expected: the file is rotated from /var/log/service.log to /var/log/service.log-20150810 or what have you. The problem is, the renaming is just a cosmetic change on the inode/directory entry, so rsyslogd continues writing to /var/log/service.log-20150810 now and for some time, while the newly created /var/log/service.log sits empty. At some point, rsyslogd does decide to start writing to the new one instead, but I am not clear on its rhyme or reason for doing so.

Anyway, what I need is some way to "kick" rsyslogd to tell it to start writing to a new, pristine /var/log/service.log following the log rotation. Sending it SIGHUP doesn't seem to do the trick. Any ideas that don't involve potentially losing lots of log entries (i.e. restarting rsyslogd) would be appreciated!

(Side note: I gather that the logrotate naming scheme would lead to /var/log/service.log.1 and whatnot, so I'm a bit puzzled to see /var/log/service.log-20150810 alongside it. Does rsyslogd do its own rotation internally, too? Are there some adverse implications to this?)

Many thanks in advance!

Alex Balashov
0 Answers
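The rename behaviour described in the question, reproduced as an added example that is not part of the original post: a writer holding an open descriptor keeps appending to the renamed file until it reopens the path. The file names and the inode comparison are constructed for illustration and do not model rsyslogd's own reopen logic.

```python
import os
import tempfile


def demo_rotation(workdir):
    """Simulate a long-lived writer across a rename-style log rotation."""
    live = os.path.join(workdir, "service.log")
    rotated = os.path.join(workdir, "service.log-rotated")  # constructed name

    writer = open(live, "a")  # stands in for the daemon's open handle
    writer.write("before rotation\n")
    writer.flush()

    # Rename-based rotation: move the old file aside, create an empty new one.
    os.rename(live, rotated)
    open(live, "a").close()

    # The descriptor still refers to the old inode, so this lands in `rotated`.
    writer.write("after rotation, same descriptor\n")
    writer.flush()
    live_size_before_reopen = os.path.getsize(live)

    # Writer-side check: does the path still name the inode we hold open?
    stale = os.fstat(writer.fileno()).st_ino != os.stat(live).st_ino
    if stale:
        writer.close()
        writer = open(live, "a")  # reopen by path to pick up the new file
    writer.write("after reopen\n")
    writer.close()

    with open(live) as f:
        live_lines = f.read().splitlines()
    with open(rotated) as f:
        rotated_lines = f.read().splitlines()
    return {
        "stale": stale,
        "live_size_before_reopen": live_size_before_reopen,
        "live_lines": live_lines,
        "rotated_lines": rotated_lines,
    }


def run_demo():
    """Run the simulation in a throwaway directory and return its findings."""
    with tempfile.TemporaryDirectory() as workdir:
        return demo_rotation(workdir)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```
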