Why is kill -HUP used in logrotate in RHEL? Is it necessary in all cases?


I see for syslog logging, kill -HUP is used.

/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

I understood that -HUP is used because daemons like syslog, when they catch the SIGHUP, will try to restart themselves and thus all the open files will be refreshed.

I do not understand why they need to be refreshed.

If syslog only appends new logs to the log files, the open files would be in write mode. If that is the case, when the log switching happens and at some point the old log file entry in the filesystem is removed, won't it create a new file automatically when it needs to append a new log line (as, after all, the syslog service is running as root)?

I think the difference is more in the understanding of w and u modes. I am unable to come to a quick conclusion on it.

Also, why use only kill -HUP? Why not restart the service? Will there be any difference?

Best Answer

Generally, services keep the log files open while they are running. This means that they do not care if the log files are renamed, moved or deleted; they will continue to write to the open file handle.

When logrotate moves the files, the services keep writing to the same file.

Example: crond will write to /var/log/cron.log. Then logrotate will rename the file to /var/log/cron.log.1, so crond will keep writing to the open file /var/log/cron.log.1.

Sending the HUP signal to crond will force it to close the existing file handle and open a new file handle to the original path /var/log/cron.log, which will create a new file.

The use of the HUP signal instead of another one is at the discretion of the program. Some services like php-fpm will listen to the USR1 signal to reopen their file handle without terminating.
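The behaviour described in the answer can be reproduced with a small stand-in for a logging daemon. This is an added example, not code from the original question or answer: it shows that a write after the rename still lands in the rotated file and that the original path is only recreated once SIGHUP makes the process reopen it. The class name, function name and temporary `demo.log` path are assumptions made for illustration.

```python
import os
import signal
import tempfile


class ReopeningLogger:
    """Daemon-style logger: holds the log open and reopens its path on SIGHUP."""

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")
        self._previous = signal.signal(signal.SIGHUP, self._on_hup)

    def _on_hup(self, signum, frame):
        # Drop the descriptor still bound to the rotated inode, then open
        # the original path again; append mode creates the missing file.
        self.fh.close()
        self.fh = open(self.path, "a")

    def log(self, line):
        self.fh.write(line + "\n")
        self.fh.flush()

    def close(self):
        self.fh.close()
        signal.signal(signal.SIGHUP, self._previous or signal.SIG_DFL)


def rotate_demo():
    """Rotate a constructed log and report where each line ended up."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "demo.log")   # constructed sample path
    rotated = path + ".1"

    logger = ReopeningLogger(path)
    logger.log("before rotation")
    os.rename(path, rotated)                   # the rename logrotate performs
    logger.log("after rename, before HUP")     # follows the inode into demo.log.1
    recreated_without_hup = os.path.exists(path)

    os.kill(os.getpid(), signal.SIGHUP)        # the postrotate kill -HUP
    logger.log("after HUP")
    logger.close()

    with open(rotated) as f_old, open(path) as f_new:
        return recreated_without_hup, f_old.read(), f_new.read()


if __name__ == "__main__":
    print(rotate_demo())
```

Without the signal, every new line keeps going into the rotated file, so security-relevant entries (for example those destined for /var/log/secure) end up in a file that later rotations may compress or delete while the expected path stays absent.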
