[...] > There also apepars to be a bug in syslog. If you do something like: > > grep -v "ROOT" messages > mmm; mv mmm messages > > Logging is disabled, I suspect this problem is that the file pointer > maintained by syslog is getting ahead of the physical EOF, and thus > writes will fail, but this is just a guess, and I havent looked at the > source to linux's syslog. This isn't a bug. Or rather, you don't understand fully what happens here. Just because the file is (now) there, doesn't mean it will be appended to. You need it to reread the syslog.conf file (either restart or kill -HUP). When you do "mv mmm messages", you "delete messages", but syslogd keeps it open and it never gets "deleted" until syslogd closes...to get a better idea of what happens, use ls -li, keeping in mind that open files are known by inode numbers, not names. Oh, using lsof/ofiles/fuser helps to show what really happens. ...which leads to a somewhat curious little number in variations of "newsyslog" which I've seen do essentially this: mv messages messages.0 gzip messages.0 touch messages kill -HUP syslogd ...or any other combination where the compress is before the kill -HUP. Correctly done, the compress should be last.