cannot rm messages operation not permitted
 

I have a /var/log/messages and /var/log/syslog file that have grow to an unmanageable size (800MB). I am unable to rm, mv, or truncate these log files and receive the error "operation not permitted". I am root and I have shutoff syslogd at start up. What could possibly be preventing root from administering these logs?

I even configured my syslog.conf to write "messages" and "syslog" to temp files instead of the default /var/log/messages and /var/log/syslog respectively and this had no effect. Since then, syslog is turned off.

Any help would be greatly appreciated.

Shut down syslogd and klogd, then run 'F="/var/log/messages"; ls -alZ $F; stat $f; lsattr $F; fuser $F' to show what still has the file open and if any (extended) attributes are in use? And why 'rm' instead of the default practice of logrotating things?

solved...thank you
 

You hit the nail on the head. The lsattr showed that the -a attribute was set which allows only for the appending of the file. I changed this ( chattr +a <filename> ) and I was able to truncate the log.

I will manage the logs going forward with logrotate. I just inherited this particular server at work and it's logs were not properly managed. I have a proftpd process that writes to the log quite a bit and this would account for its massive size. I will look to also find a way to remedy the proftpd output separately. Thank you for your help. Much appreciated!

Note that if you would like to retain the extended attribute, logrotate pre/postscripts can un/set it, offering only a small window of opportunity for (whatever) activity.


Maybe revisit http://www.castaglia.net/proftpd/doc...O-Logging.html for changing the daemon facility to one of syslog.conf's local.* slots and a custom logfile name or the FIFO method?