logrotate
rotates, compresses, etc system logs
uses newsyslog
logrotate [-d|--debug] [-v|--verbose] [-f|--force] [-s|--state file] config_file [ …]
Example:
sudo logrotate -v /etc/logrotate.d/rsyslog 2>&1 | sed --unbuffered '/Creating new state/d' |more
sudo service rsyslog restart ;
service rsyslog status|tail -n 10
Omiting sudo
is good for testing however it will cause:
error: error setting owner of /var/lib/logrotate/status.tmp to uid 0 and gid 50: Operation not permitted
Any process (including remote ones) can generate log file entries using logger
.
logrotate
manages logs by providing rotation, compression,
removal and mailing of log files.
Logs are rotated periodically or when they grow large.
Run as a cron job,
Config files MUST have mode rw-r--r--
!
Multiple config files may be given on the command line, later options override.
A directory on the command line (example: /etc/logrotate.d
causes all files in that directory to be used.
OPTIONS
-d --debug no changes are made to logs or the state file, implies --verbose .
| -v --verbose output to stderr. Redirect with 2>1 or -l rotate.log
| -l rotate.log
Log verbose output to rotate.log , as with -v . Overwritten on each execution.
| -f --force rotation is forced. NOT useful after adding new entries to the config file or to remove old logs
| -m --mail command
command should accept subject and recipient.
command is expected to read a message on standard input and mail it to the recipient.
Default:/usr/bin/mail -s
| -s --state statefile
use an alternate state file. useful if run as a different user for various sets of log files.
Default /var/lib/logrotate/status example.
| --usage Prints a short usage message.
| -? --help Usage: logrotate [OPTION...] configfile
-d, --debug Don't do anything, just test (implies -v)
-f, --force Force file rotation
-m, --mail=command Command to send mail (instead of /usr/bin/mail)
-s, --state=statefile Path of state file
-v, --verbose Display messages during rotation
Help options:
-?, --help Show this help message
--usage Display brief usage message
| | | | | | | | |
Configuration file
May be specified on the command line.
Options with arguments may NOT have any data following the arguments. (for example weekly … su root staff
) is not permitted.
Lines before the first filename set global options.
Local definitions override global ones and later definitions override earlier ones and specify logfiles to rotate. N.B. Specifying a specific config files will not use global options from "master" config file.
No [TAB] characters permitted!
Example:
# global options effect all files
compress
maxsize 100000
#####
/var/log/messages {
rotate 5
weekly
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
"/var/log/httpd/access.log" /var/log/httpd/error.log {
rotate 5
mail wwwadmin@my.org
size 100k
sharedscripts
postrotate
/usr/bin/killall -HUP httpd
endscript
}
/var/log/news/* {
monthly
rotate 2
olddir /var/log/news/old
missingok
postrotate
kill -HUP `cat /var/run/inn.pid`
endscript
nocompress
}
Explaination:
A #
begins a comment.
/var/log/messages
will go through five weekly rotations (a month plus 1 week).
After it has been rotated (but before the old version has been compressed),
/sbin/killall -HUP syslogd
will be executed to wake up syslogd
and get it to look around.
Both /var/log/httpd/access.log
and /var/log/httpd/error.log
are rotated when it grows over 100k in size,
the old logs files are mailed (uncompressed!) to wwwadmin@my.org
after going through 5 rotations, rather than being removed.
With sharedscripts the postrotate script will only be run once (after the old logs have been compressed), not for each log.
Names may need to be enclosed in quotes
All files in /var/log/news
are rotated on a monthly basis.
This is a single rotation directive and if errors occur for more than one file, the logs are not compressed.
If the directory /var/log/news
does not exist, an error is reported which is not stopped with the missingok
.
Use wildcards with caution. Specifingy *, will rotate all files, including previously rotated ones.
Use olddir
or a more exact wildcard (such as *.log).
Options in Configuration
[no]compress Old versions of logs
| [no]delaycompress Postpone compression of the previous log until the next cycle.
Results in log (the active one) log.1 log.2.gz
Used when a process might continue writing to the previous log (remember logrotate can log non-syslog files)
| rotate count
rotate count times before being removed or mailed. 0, old versions are removed.
| | | |
[no]create mode owner group |
Immediately after rotation (before postrotate ) new file is created
numeric mode for the file (as chmod ).
Defaults to the same values as the original
Disabled with nocreate . Does not create files not rotated ex missing.
|
[no]copy copy log, don't change the original used to make a snapshot of the current log.
Useful when some other utility needs to truncate or parse the log.
create is ignored.
| [no]copytruncate
Rotating is done by creating a copy, then truncating the original to zero in place.
nocopytruncate moves the old log and optionally creating a new one,
Use when a process cannot be told to close the log and might continue appending to the previous log ( During the small time between copying the log and truncating it entries might be lost.).
create is ignored.
|
hourlyoperate every hour. /etc/cron.daily executes logrotate daily.
| dailyoperate every day.
| weekly | operate if the current weekday is less than the weekday of the last rotation or
if more than a week has passed since the last rotation.
Normally the same as rotating logs on the first day of the week, but better if logrotate is not run every night.
| monthly operate the first time logrotate is run in a month (normally on the first day of the month).
| yearly | operate if the current year is not the same as the last rotation.
| | | |
[no]dateext name old versions by adding a date extension (YYYYMMDD)
| dateformat format_string
Specify dateext using the notation %Y %m %d and %s .
Default -%Y%m%d . the character separating log name from the extension is part of the dateformat string.
The datestamps generated by this format must be properly sortable based on time.
For example do NOT use %m-%d-%Y .
| dateyesterday Use yesterday's date for dateext extension, so rotated log name is the same messages
| extension ext Log files with ext extension keep it after the rotation. If compression is used, the compression extension (normally .gz ) appears
after ext . For example to have a logfile named mylog.foo and want to rotate it to
mylog.1.foo.gz instead of mylog.foo.1.gz .
| addextension ext
Log files are given the final extension ext after rotation. If the original file already ends with ext, the extension is
not duplicated, but merely moved to the end, i.e. both filename and filenameext would get rotated to filename.1ext. If
compression is used, the compression extension (normally .gz) appears after ext.
|
include file|directory If a directory is given, most of the
files in that directory are processed, in alphabetic order, before processing of the including file continues.
Files which are not regular files (such as directories and named pipes) and files whose names end with one of the taboo extensions, as specified by tabooext are not processed.
| tabooext [+] exten-list
If a + precedes the list, the list is augmented, otherwise it is replaced.
The initial list is :
.rpmsave, .rpmorig, ~, .disabled, .dpkg-old, .dpkg-dist, .dpkg-new, .cfsaved, .ucf-old, .ucf-dist, .ucf-new, .rpmnew, .swp, .cfsaved, .rhn-cfg-tmp-*
size nnn[k|M|G]Rotate if bigger than nnn k ilobytes, M egabytes, and G igabytes.
| [not]ifempty Rotate even if empty, default
| maxsize bytes
Rotate when bigger than bytes even before the time interval (daily, weekly, monthly, or
yearly ).
timestamp of a log is considered as well.
| minsize bytes
Rotate if bigger than bytes , but not before the time interval (daily, weekly,
monthly, or yearly).
size is similar except that it is mutually exclusive with the time interval options, and it causes logs to
be rotated without regard for the last rotation time. When minsize is used, both the size and timestamp of a log are considered.
| maxage days Remove (and mail) rotated logs older than days days. if the log is to be rotated.
| minage days
Do not rotate logs which are less than days days old.
| [no]missingok If the log is missing, continue without error . no : issue an error.
| [no]olddir dir Logs are moved into subdirectory dir or an absolute path
on the same physical device as the log.
no : Logs are rotated in the directory they reside in (overrides olddir ).
| [no]createolddir
mode owner group
If the directory specified by olddir does not exist, it is created.
|
firstaction
…
/endscript
The lines between firstaction and endscript (both of which must appear on lines by themselves) are executed (using /bin/sh )
once before all logs that match the wildcarded pattern are rotated,
before prerotate and only if at least one log will actually be rotated.
These directives must appear inside a log definition.
Whole pattern is passed to the script as first argument.
If the script exits with error, no further processing is done.
| preremove
…
/endscript
… …
once just before removal of a log file. passes the name of file which soon will be removed.
| prerotate
…
/endscript … … are executed before the log is rotated and only if the log will actually be rotated.
The absolute path to the log is passed as first argument,
If sharedscripts is specified, whole pattern is passed to the script.
| postrotate
…
endscript … … are executed
after the log is rotated.
| lastaction
…
/endscript
… … after all log files that match the wildcarded pattern are rotated, postrotate is run and only if at least one log is rotated.
Whole pattern is passed to the script as first argument.
| sharedscripts Normally, prerotate and postrotate are run for each log which is
rotated and the
absolute path to the log is passed as first argument to the script.
That means a single script may be run multiple times for logs which match multiple files
With sharedscripts the scripts are only run once, no matter how many logs match the wildcarded pattern, and
whole pattern is passed to them.
unless none require rotating, then scripts will not be run at all.
If the scripts exit with error, the remaining actions will not be executed for any logs. overrides the nosharedscripts and implies create .
| nosharedscripts Run prerotate and postrotate for every log which is rotated (default, and
overrides the sharedscripts ).
The absolute path to the log is passed as first argument to the script.
If scripts exit with error, the remaining actions will not be executed for the affected log only.
| | | | | | | |
shred Delete files using shred -u ensuring old information is unreadable.
| shredcycles count shred files count times
| noshred
| start n base extension for rotation. specify 0, logs will be rotated with a .0 extension
Files will still be rotated rotate-count times
| su user group Rotate files under this user and group
|
mail address When a log is rotated out of existence, mail it to address .
| nomail Do not mail old logs
| mailfirst with mail , mail the just-rotated file
| maillast with mail , mail the about-to-expire file, default
| |
| compresscmd Default gzip
uncompresscmdDefault gunzip
compressext Default .gz .
For compressions commands other than gzip change this.
| compressoptions Command line options passed to the compression program. default is -9 (maximum compression for gzip).
For compressions commands other than gzip change this.
| | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | | | | |
sudo logrotate -dv /etc/logrotate.d
Errors
Potentially dangerous mode on file : 0660
group rw
error: Ignoring file because it is writable by group or others.
Removing file from state file, because it does not exist and has not been rotated for one year
In daemon.info due to [TAB]:
error: found error in file fff , skipping
error: found error in /var/log/lll.log , skipping
error: lll:1 bad rotation count '9}'
error: ffff:2 bad weekly directive ' maxsize 20k'
FILES
/var/lib/logrotate.status
Default state file.
/etc/logrotate.conf
Configuration options.
/var/lib/logrotate/status
dapie 9/24/13
logrotate state -- version 2
"/var/log/ConsoleKit/history" 2013-3-1
"/var/log/syslog" 2013-3-10
"/var/log/dpkg.log" 2013-7-10
"/var/log/auth.log" 2013-9-22
"/var/log/apt/term.log" 2013-3-1
"/var/log/mysql/mysql-slow.log" 2013-3-14
"/var/log/apt/history.log" 2013-3-1
"/var/log/samba/log.smbd" 2013-3-3
"/var/log/alternatives.log" 2013-7-10
"/var/log/debug" 2013-1-13
"/var/log/mail.log" 2013-1-6
"/var/log/kern.log" 2013-9-22
"/var/log/mysql.log" 2013-9-24
"/var/log/aptitude" 2013-1-6
"/var/log/apache2/access.log" 2013-3-14
"/var/log/wtmp" 2013-9-1
"/var/log/daemon.log" 2013-9-22
"/var/log/mail.warn" 2013-1-6
"/var/log/xdm.log" 2013-9-1
"/var/log/btmp" 2013-9-1
"/var/log/lpr.log" 2013-1-6
"/var/log/mail.err" 2013-1-6
"/var/log/mysql/mysql.log" 2013-3-14
"/var/log/samba/log.nmbd" 2013-3-6
"/var/log/user.log" 2013-9-22
"/var/log/mail.info" 2013-1-6
"/var/log/apache2/other_vhosts_access.log" 2013-3-14
"/var/log/apache2/error.log" 2013-3-14
"/var/log/cron.log" 2013-1-6
"/var/log/messages" 2013-1-13
sample output