https://stackoverflow.com/questions/15273061
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianYour suspicions are correct. :-)
A kqueue "event" is "expanded" if it is not in the process of being consumed when a second identical event occurs. That is, suppose the sequence of events at the low level is something like this:
1: you start monitoring the log file for writes
2: something writes to the log file (this adds a "write" notice to the kqueue)
3: your process is notified, but does not have a chance to go look yet
4: something (same something as step 2, or different, does not matter)
writes more to the log file (this merely "expands" the existing notice,
with no effect in this case)
5: your process finally gets a chance to read the "file was written" notice
from the kqueue
When step 5 occurs, the "file was written" notice will just be the one notice. It is up to your code to figure out how much got written. For instance, you can use fstat() to check the length of the file at step 1, and then another fstat() after step 5. If the file is only ever appended-to, the size difference between these points is the "new data" you care about.
Note that if you see (say) 100 bytes at step 1 and 500 after step 5—say, in a step 7:
7: you fstat the file
and later get another "file was written" notice, it's possible that there was actually a "step 6" where another write happened to the file. So you should be prepared for an even later step to find that 0 bytes were added, even though you got a notice that bytes were added, because you may have already read them after the note was appended to the kqueue.
If you're watching syslog type logs, note that they get "turned over" with the file being renamed (and then sometimes compressed etc) and a new file created, e.g., "messages" becomes "messages.0.bz2" and a new "messages" is created. You can watch the directory, along with the file, and check for new file creations, to catch such cases.
