Thank you all for the nice responses. I will try to answer/clarify:
Patrick, yeah, 1GB. Our InfoSec folks have an insane level of logging turned on in sendmail. The file size you saw was from April 27 until now.
James, I think I could script what you are suggesting and possibly get away with it. The switcheroo would have to be lightning fast, though. I'm a little unsure how unhappy syslogd would be over that. When I did the mv, would the inode change for the mail.log file that syslogd is writing to?
John, I already tried SAM in the manner you describe. See my 18:48 GMT reply to Patrick.
Jordan, I had to think about yours for a bit. Let me make sure I understand what you propose:
a. rename mail.log to mail.log.old (syslogd now writing sendmail logging to mail.log.old?)
b. create a new, zero-sized mail.log
c. SIGHUP syslogd (flip syslogd's writing of sendmail logging back to mail.log?)
d. rename mail.log to mail.log.new (syslogd now writing to mail.log.new?)
e. pull all of the june messages out of mail.log.old and put them in a new mail.log file.
f. append mail.log.new to the end of mail.log and SIGHUP syslogd (flip syslogd's writing of sendmail logging back to mail.log?)
Let me know (post here again) if I understand everything correctly. It sounds like it will do exactly what I need.
Folks, what makes this a bit complicated is that log messages are being written to the end of mail.log at a rate of one to five messages PER SECOND. That doesn't allow me any time to dawdle around diddling with files. However, what Jordan proposes looks like it can be done with everything hot because SIGHUP'ing syslogd can be made coincident with filename changes.
Thanks again everybody. Once I get a confirmation from Jordan, I'm going to try his procedure. I will post a final follow-up indicating success or failure.
Cheers,
Jim
