How to stop Novell Audit LCache process gracefully...


Why should I stop LCache?

When you change any configuration property or configurable option in the Platform Agent's configuration file (logevent.conf/cfg), you have to stop and start LCache. This is necessary because both the Platform Agent and LCache read the configuration file only once, when they start or load. For changes made in logevent.conf to take effect, the user has to stop and start the LCache process. The same applies to the Platform Agent.

How to stop LCache?

Stopping (unloading) the Platform Agent (PA) is easy: the user just needs to stop the logging application. Because the Platform Agent is just a shared library (the logevent library), it is unloaded along with the application. LCache is a little different, because it is a process that the Platform Agent library starts when a logging application loads it (that is, whenever something calls the Platform Agent's exposed API, LogOpen). The Platform Agent will start LCache every time it is loaded by a logging application, but there is no program, script or command to stop LCache manually. The Platform Agent checks whether the LCache process is running. If it is, the Platform Agent just establishes a connection to it and starts sending information. If it is not, the Platform Agent starts it and then establishes a connection for sending events.

On Linux (SLES-9 and 10) with eDirectory, the LCache process is stopped whenever eDirectory is stopped. On Linux, even though the application takes no care to stop its child processes, the OS provides this by default; this is not true on Solaris. When the Platform Agent is loaded by eDirectory, PA becomes part of eDirectory, so when PA starts (forks) LCache, LCache becomes a child process of eDirectory. (If you kill the LCache process with kill -9 while eDirectory is running, you will get a defunct LCache process.) On Solaris, however, the LCache process is not stopped even if you stop eDirectory; it continues running independently. Nor is eDirectory the only application that loads the Platform Agent; many applications use it.

Ideally, a logging application should also stop its child processes when it is going down. But some applications, such as IDM's Remote Loader and eDirectory on Solaris, do not stop the LCache process. In such cases the user may want to stop the LCache process manually and gracefully, rather than abruptly, which may cause some data loss. The LCache process can be stopped gracefully by sending a TERM signal to the running LCache process; the LCache code handles SIGTERM by shutting the process down gracefully. Any one of the following equivalent commands does this:

$ kill -TERM `pgrep lcache`

$ kill -15 `pgrep lcache`

$ kill -SIGTERM `pgrep lcache`

NOTE: `pgrep lcache` (in backquotes, so that the shell substitutes its output) returns the pid of the running LCache process. You can also replace it with the running LCache process id itself.

Even though many Platform Agents on a client machine use LCache to send events, only one LCache process will be running on each machine. The Platform Agent is different: every logging application has its own copy of the Platform Agent library.

The above command sends the SIGTERM signal to the running LCache process. When LCache receives SIGTERM, it closes all the Platform Agent handles and then stops gracefully, without any data loss.

Please note that if LCache is started inside eDirectory, the user will not be able to send any signals to the LCache process, because eDirectory blocks all signals and its child processes inherit the same signal mask.
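The stop procedure and the signal-mask caveat above can be combined into one check, shown here as an added example that is not Novell's code. It assumes Linux, where /proc/<pid>/status exposes the blocked-signal mask as SigBlk; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Novell code). Linux only: relies on /proc/<pid>/status.

# term_blocked MASK: succeed if SIGTERM (signal 15, bit 0x4000) is set in a
# SigBlk-style hex mask. Only the low 16 bits are examined.
term_blocked() {
    mask="0000$1"
    low=${mask#"${mask%????}"}          # last four hex digits
    [ $(( 0x$low & 0x4000 )) -ne 0 ]
}

# sigblk_of PID: print the blocked-signal mask of a running process.
sigblk_of() {
    awk '/^SigBlk:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# alive PID: succeed while the process exists and is not defunct (state Z).
alive() {
    [ -r "/proc/$1/status" ] &&
        ! grep -q '^State:[[:space:]]*Z' "/proc/$1/status" 2>/dev/null
}

# stop_gracefully PID [TIMEOUT_SECONDS]
# Returns 0 = exited after SIGTERM, 1 = still running after the timeout,
#         2 = SIGTERM is blocked (inherited mask), 3 = no such process.
# It never escalates to kill -9, which would skip LCache's clean shutdown.
stop_gracefully() {
    pid=$1; timeout=${2:-10}
    alive "$pid" || return 3
    if term_blocked "$(sigblk_of "$pid")"; then
        echo "pid $pid blocks SIGTERM; stop the parent application instead" >&2
        return 2
    fi
    kill -TERM "$pid" 2>/dev/null || return 3
    while [ "$timeout" -gt 0 ]; do
        alive "$pid" || return 0
        sleep 1
        timeout=$((timeout - 1))
    done
    alive "$pid" && return 1
    return 0
}

# Usage: pass the LCache pid, e.g. the output of `pgrep lcache`.
if [ "$#" -gt 0 ]; then stop_gracefully "$@"; fi
```

A return code of 2 corresponds to the eDirectory case described above, where the inherited mask keeps the signal from being delivered.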

Currently LCache becomes a child process of the logging application (such as eDirectory) that starts it. This has two drawbacks: the logging application (eDirectory on Linux) has to be stopped in order to stop LCache, and the inherited signal mask prevents LCache from receiving any signals. To avoid both, an enhancement is in progress to make LCache an independent process that handles SIGTERM irrespective of who starts it.