
-----------

 Logrotate in Linux

One of the most interesting (and perhaps one of the most important as well) directories in a Linux system is /var/log. According to the Filesystem Hierarchy Standard, the activity of most services running in the system is written to a file inside this directory or one of its subdirectories.

Such files are known as logs and are the key to examining how the system is operating (and how it has behaved in the past). Logs are also the first source of information where administrators and engineers look while troubleshooting.

If we look at the contents of /var/log on CentOS/RHEL/Fedora and on Debian/Ubuntu (for variety), we will see the following log files and subdirectories.

Please note that the result may be somewhat different in your case depending on the services running on your system(s) and the time they have been running.

In RHEL/CentOS and Fedora

# ls /var/log

Log Files and Directories under CentOS 7

In Debian and Ubuntu

# ls /var/log

Log Files and Directories in Debian 8

In both cases, we can observe that some of the log names end as expected in “log”, while others are either renamed using a date (for example, maillog-20160822 on CentOS) or compressed (consider auth.log.2.gz and mysql.log.1.gz on Debian).

This is not a default behavior based on the chosen distribution, but can be changed at will using directives in the configuration files, as we will see in this article.

If logs were kept forever, they would eventually end up filling the filesystem where /var/log resides. In order to prevent that, the system administrator can use a nice utility called logrotate to clean up the logs on a periodic basis.

In a few words, logrotate will rename or compress the main log when a condition is met (more about that in a minute) so that the next event is recorded on an empty file.

In addition, it will remove “old” log files and will keep the most recent ones. Of course, we get to decide what “old” means and how often we want logrotate to clean up the logs for us.

Installing Logrotate in Linux

To install logrotate, just use your package manager:

---------- On Debian and Ubuntu ----------
# aptitude update && aptitude install logrotate

---------- On CentOS, RHEL and Fedora ----------
# yum update && yum install logrotate

It is worth noting that the configuration file (/etc/logrotate.conf) may indicate that other, more specific settings may be placed in individual .conf files inside /etc/logrotate.d.

This will be the case if and only if the following line exists and is not commented out:

include /etc/logrotate.d

We will stick with this approach, as it will help us to keep things in order, and use the Debian box for the following examples.

Options

Being a very versatile tool, logrotate provides plenty of directives to help us configure when and how the logs will be rotated, and what should happen right afterwards.

Let’s insert the following contents in /etc/logrotate.d/apache2.conf (note that most likely you will have to create that file) and examine each line to indicate its purpose:

apache2.conf

/var/log/apache2/* {
    weekly
    rotate 3
    size 10M
    compress
    delaycompress
}

The first line indicates that the directives inside the block apply to all logs inside /var/log/apache2:

Let’s execute a dry-run to see what logrotate would do if it was actually executed now. Use the -d option followed by the configuration file (you can actually run logrotate by omitting this option):

# logrotate -d /etc/logrotate.d/apache2.conf

The results are shown below:

Rotate Apache Logs with Logrotate
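How the file names evolve under rotate 3 with compress and delaycompress, as an added example that is not part of the original article: a shell function that models the rename, compress and delete steps on constructed files in a temporary directory. The function names are hypothetical, and the model assumes numbered rotation with the global create default.

```sh
#!/bin/sh
# Added illustration: a simplified model of numbered rotation with
#   rotate 3 / compress / delaycompress
# It is not logrotate itself and works only on files it creates.

# rotate_once DIR NAME KEEP   (KEEP must be 2 or more in this model)
rotate_once() {
    dir=$1; name=$2; keep=$3
    # 1. Remove the oldest archive so at most KEEP rotated files remain.
    rm -f "$dir/$name.$keep.gz"
    # 2. Shift the compressed archives up by one (.2.gz -> .3.gz, ...).
    i=$((keep - 1))
    while [ "$i" -ge 2 ]; do
        if [ -f "$dir/$name.$i.gz" ]; then
            mv "$dir/$name.$i.gz" "$dir/$name.$((i + 1)).gz"
        fi
        i=$((i - 1))
    done
    # 3. delaycompress: the file rotated last time (.1) is compressed only now.
    if [ -f "$dir/$name.1" ]; then
        gzip -c "$dir/$name.1" > "$dir/$name.2.gz"
        rm -f "$dir/$name.1"
    fi
    # 4. The live log becomes .1 and stays uncompressed for one cycle.
    mv "$dir/$name" "$dir/$name.1"
    # 5. Start an empty live log (assumes the global "create" default).
    : > "$dir/$name"
}

# demo_rotation WEEKS: prints the file list, then the oldest archived entry.
demo_rotation() {
    d=$(mktemp -d)
    n=1
    while [ "$n" -le "$1" ]; do
        echo "constructed entry, week $n" >> "$d/access.log"
        rotate_once "$d" access.log 3
        n=$((n + 1))
    done
    echo $(ls "$d")
    if [ -f "$d/access.log.3.gz" ]; then
        gzip -dc "$d/access.log.3.gz"
    fi
    rm -rf "$d"
}

demo_rotation 5
```

After five weekly rotations only the last three weeks survive as rotated files; anything older is gone, which is the retention window to keep in mind when logs are needed for an investigation.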

Instead of compressing the logs, we could rename them after the date when they were rotated. To do that, we will use the dateext directive. If our date format is other than the default yyyymmdd, we can specify it using dateformat.


Note that we can even prevent the rotation from happening if the log is empty with notifempty. In addition, let’s tell logrotate to mail the rotated log to the system administrator (gabriel@mydomain.com in this case) for his / her reference (this will require a mail server to be set up, which is out of the scope of this article).

If you want to get mails about logrotate, you can set up a Postfix mail server as shown here: Install Postfix Mail Server

This time we will use /etc/logrotate.d/squid.conf to only rotate /var/log/squid/access.log:

squid.conf

/var/log/squid/access.log {
    monthly
    create 0644 root root
    rotate 5
    size=1M
    dateext
    dateformat -%d%m%Y
    notifempty
    mail gabriel@mydomain.com
}

As we can see in the image below, this log did not need to be rotated. However, when the size condition is met (size=1M), the rotated log will be renamed access.log-25082016 (if the log was rotated on August 25, 2016) and the main log (access.log) will be re-created with access permissions set to 0644 and with root as owner and group owner.

Finally, when the number of logs reaches 6, the oldest log will be mailed to gabriel@mydomain.com.

Rotate Squid Logs with Logrotate

Now let’s suppose you want to run a custom command when the rotation takes place. To do that, place the line with such command between the postrotate and endscript directives.

For example, let’s suppose we want to send an email to root when any of the logs inside /var/log/myservice gets rotated. Let’s add the lines in red to /etc/logrotate.d/squid.conf:

squid.conf

/var/log/myservice/* {
    monthly
    create 0644 root root
    rotate 5
    size=1M
    postrotate
        echo "A rotation just took place." | mail root
    endscript
}

Last, but not least, it is important to note that options present in /etc/logrotate.d/*.conf override those in the main configuration file in case of conflicts.
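The stanzas on this page differ in who can read the re-created log (create 0644 root root versus create 640 root adm) and in how broadly the path pattern matches. As an added example, not part of the original article: a simplified awk-based check that flags a create mode readable by "other" and a bare * pattern, which per the logrotate manual also matches previously rotated files. The function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added illustration: simplified check of logrotate stanzas read from stdin.
# Prints one line per finding: "<log pattern>: <issue>".
audit_logrotate() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    !inblock {
        opens = sub(/[ \t]*[{][ \t]*$/, "")       # 1 when this line opens a stanza
        if ($1 ~ /^\//) paths = paths " " $0      # path list may span several lines
        if (opens) {
            inblock = 1; sub(/^ +/, "", paths)
            n = split(paths, p, " ")
            for (i = 1; i <= n; i++) if (p[i] ~ /\/\*$/)
                print p[i] ": bare * also matches already-rotated files"
        }
        next
    }
    /^[ \t]*(pre|post)rotate/, /^[ \t]*endscript/ { next }   # skip shell scripts
    /^[ \t]*[}]/ { inblock = 0; paths = ""; next }
    $1 == "create" && $2 ~ /^[0-7]+$/ {
        other = substr($2, length($2), 1) + 0     # last octal digit: "other" bits
        if (other >= 4)
            print paths ": create " $2 " makes the new log world-readable"
    }
    '
}

# Constructed sample, modelled on the stanzas shown on this page.
sample_conf() {
cat <<'EOF'
include /etc/logrotate.d
/var/log/apache2/* {
    weekly
    rotate 3
}
/var/log/squid/access.log {
    create 0644 root root
}
/var/log/apache2/*.log {
    create 640 root adm
    postrotate
        /etc/init.d/apache2 restart > /dev/null
    endscript
}
EOF
}
sample_conf | audit_logrotate
```

Only the first two stanzas are reported; the *.log pattern with create 640 root adm passes both checks.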

Logrotate and Cron

By default, the installation of logrotate creates a crontab file inside /etc/cron.daily named logrotate. As is the case with the other crontab files inside this directory, it will be executed daily starting at 6:25 am if anacron is not installed.

Otherwise, the execution will begin around 7:35 am. To verify, watch for the line containing cron.daily in either /etc/crontab or /etc/anacrontab.

                                       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Rotating Linux Log Files - Part 2: logrotate

 

logrotate is the default application used to rotate all other log files not handled by syslog itself (details on rotating system log files can be found in part 1 of the article). It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.

Normally, logrotate is run as a daily cron job. Let’s look into the script that was installed in /etc/cron.daily for this:

cat /etc/cron.daily/logrotate
#!/bin/sh
test -x /usr/sbin/logrotate || exit 0
/usr/sbin/logrotate /etc/logrotate.conf

Logrotate will look into /etc/logrotate.conf for its configuration directives.

cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

# system-specific logs may be configured here

So we can see it defines some default parameters (weekly, rotate 4, create, compress) and includes all the files from /etc/logrotate.d/. It also defines the rotation for some files that are not handled by syslog itself, like wtmp. For example, if I wanted to keep more than one month of old wtmp logs, I would have to change the parameter rotate 1.

Inside /etc/logrotate.d/, various packages will install their own configuration file that will ensure their logs are properly rotated (on my fresh Debian install I have the following files: acpid apache2 aptitude base-config dpkg exim4-base). As long as you don’t change the paths to those logs, the rotation will work out of the box. But in case you change them, you might want to look inside this folder and make the proper adjustments to the log file definitions, to ensure they will be rotated. For example, let’s look at the apache rotation file created here by the apache2 package:

cat /etc/logrotate.d/apache2
/var/log/apache2/*.log {
    weekly
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 640 root adm
    sharedscripts
    postrotate
        if [ -f /var/run/apache2.pid ]; then
            /etc/init.d/apache2 restart > /dev/null
        fi
    endscript
}

We can see that by default it will rotate apache logs found in /var/log/apache2/ that have the extension .log, on a weekly basis, and keep 52 archives (about 1 year) of the old data. Once the rotation is completed it will restart the apache daemon. You can check the logrotate manual page for all the available parameters, as they are self-explanatory. Now, if I would like to keep my own apache log files in a different location (/var/weblogs for example) and rotate them monthly, then I will need to make the following changes:

/var/weblogs/*.log {
    monthly
    ...

Probably, I will also want to change the default hour when the daily cron is running to have it run at midnight. Anyway, this is just an example and you will most certainly configure this based on your needs.

Even though I didn’t intend this article to describe what each configuration parameter of logrotate means (as you can easily find out yourself), but rather to show its logic and functionality, I would like to add that while configuring and testing this you might find the debug option very useful:

logrotate -d file

This will show you what it would do, without actually rotating anything, which is most valuable when testing complex setups where you don’t want to ‘play’ with the logs to see whether your configuration works as you want it to.

Also, logrotate -f file will force the rotation even if it would not normally have occurred (logrotate will only assume it needs to run and rotate logs once per day).

Note: as also mentioned in part 1, RedHat based systems (RHEL, CentOS, Fedora, etc.) will also rotate by default the ‘system logs’ using logrotate and not syslog’s internal method as Debian systems do. This is handled by default with the logrotate configuration file:

cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

The sharedscripts parameter means that the postrotate script will only be run once (after the old logs have been compressed), not once for each log which is rotated. So nothing special defined here, besides the log files that will be rotated, and it will use the defaults from /etc/logrotate.conf.

                         -----------------------------------

HOW TO CUSTOMIZE LOG ROTATE TIME DURATION

In this example case /var/log/maillog.log will be rotated yearly

1. By default, the system rotates all major OS logs by checking the syslog file located in /etc/logrotate.d/

# vim /etc/logrotate.d/syslog

/var/log/cron
#/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

 

2. To add a separate log rotation policy for /var/log/maillog, simply hash out the entry in the above syslog file and create a separate file, /etc/logrotate.d/maillog

# cd /etc/logrotate.d/
# touch maillog
# chmod 644 maillog; chown root:root maillog
# vim maillog

/var/log/maillog {
    yearly
    rotate 2
}

 

 

Let’s execute a dry-run to see what logrotate would do if it was actually executed now. Use the -d option followed by the configuration file (you can actually run logrotate by omitting this option):

# logrotate -d /etc/logrotate.d/maillog
