Subject: Re: syslogd oddities
To: None <mrg@eterna.com.au>
From: Daniel Brown <dbrown@ccdc.cam.ac.uk>
List: port-sparc
Date: 07/09/1998 13:47:18
Matthew,

I did wonder about this, but the scripts are run on <log-file>.0
Here's an example, from the log of time stamps (obscurely sent from Solaris
boxes at uucp.info...)

(from marklog, not rotated throughout)
Jul  8 18:07:33 sun9.ccdc.cam.ac.uk -- MARK --
Jul  8 18:11:04 sun10.ccdc.cam.ac.uk -- MARK --
Jul  8 18:11:32 sun27.ccdc.cam.ac.uk -- MARK --
Jul  8 18:16:28 131.111.113.101 -- MARK --
Jul  8 18:21:59 sun3 -- MARK --
Jul  8 18:41:59 sun3 -- MARK --
<*snip*> - just sun3
Jul  9 10:41:59 sun3 -- MARK --
Jul  9 11:01:59 sun3 -- MARK --

(cut to /var/log/messages) - Manual restart of syslogd
Jul  9 11:20:42 sun3 syslogd: exiting on signal 15
Jul  9 11:20:42 sun3 syslogd: restart

(meanwhile, back in marklog)
Jul  9 11:22:34 sun22.ccdc.cam.ac.uk -- MARK --
Jul  9 11:24:49 sun16.ccdc.cam.ac.uk -- MARK --
Jul  9 11:25:32 sun25.ccdc.cam.ac.uk -- MARK --

> can you do this:
> 	- run ktrace on the syslogd to find out what it is doing...
> 	- use fstat (or lsof if you have that installed) to find out
> 	  what fd/inode syslogd is writing to/reading from..
> 
> does syslogd recvfrom() packets ?  does the inode being written
> correspond to the inode of the log file?  (i.e., have you somehow
> gotten syslogd writing to a file that has been renamed, or deleted?)

The impression I get is that the packets aren't making it out of recvfrom. I'll
do the above next time my log files go quiet... Thanks :-)

Dan.

P.S. The syslogd diff was a small one, to ensure that time stamps were written,
no matter what...

$NetBSD: syslogd.c,v 1.16 1997/10/17 13:49:37 lukem Exp $

(line 552)
                /* don't output marks to recently written files */
#if 0
                if ((flags & MARK) && (now - f->f_time) < MarkInterval / 2)
                        continue;
#endif
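
Review bot: in the syslogd.c excerpt at line 552, wrapping the `(flags & MARK) && (now - f->f_time) < MarkInterval / 2` check in `#if 0` leaves the comment "don't output marks to recently written files" sitting above code that no longer does that, and it removes the suppression for every destination at compile time. Move the comment inside the disabled block or replace it with one saying why marks are now written unconditionally, and consider a run-time switch instead of `#if 0` so the stock behaviour stays available.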
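
The check suggested in the quoted reply (does the inode the daemon holds open still correspond to the log file's path, or has the file been renamed or deleted?), as an added Python example that is not part of the original thread. `classify_log_fd`, `demo` and the temporary `marklog` file are constructed for illustration, and the descriptor is opened by the script itself instead of being read from a running syslogd.

```python
import os
import tempfile


def classify_log_fd(fd, path):
    """Compare an open descriptor with the path it is supposed to log to."""
    held = os.fstat(fd)
    if held.st_nlink == 0:
        return "deleted"      # unlinked: writes go to a file with no name
    try:
        named = os.stat(path)
    except FileNotFoundError:
        return "renamed"      # inode still linked, but not at this path
    if (held.st_dev, held.st_ino) == (named.st_dev, named.st_ino):
        return "ok"
    return "renamed"          # path now names a different inode


def demo():
    """Constructed scenario: a writer keeps its fd across a log rotation."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "marklog")
        fd = os.open(log, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        try:
            results["before"] = classify_log_fd(fd, log)
            os.rename(log, log + ".0")        # rotated, writer not restarted
            results["moved"] = classify_log_fd(fd, log)
            open(log, "w").close()            # rotation script recreates file
            results["recreated"] = classify_log_fd(fd, log)
            os.write(fd, b"-- MARK --\n")     # lands in marklog.0, not marklog
            results["new_size"] = os.path.getsize(log)
            results["old_size"] = os.path.getsize(log + ".0")
            os.unlink(log + ".0")             # old file removed while held open
            results["unlinked"] = classify_log_fd(fd, log)
        finally:
            os.close(fd)
    return results


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, value)
```

A "renamed" or "deleted" result means new entries are still being written, just not to the file anyone is reading, which is one way a log can appear to go quiet.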