LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-17-2011, 11:50 AM   #1
unix1adm
Member
 
Registered: Oct 2008
Posts: 649

Rep: Reputation: 32
question about logrotate


I want to keep my /var/log/messages file for 99 days. My security people need this info.
I am running red hat 5.7

from the reading i did I think I just need to add a file to
/etc/logrotate.d
cat messages:

/var/log/messages {
rotate 99
daily
postrotate
/sbin/killall -HUP syslogd
endscript
}


Does this look right?

EDIT;
My user just gave me a new requirement...

He wants to keep 99 revisions (messages.0 to messages.99) with each 2MB if possible.

Last edited by unix1adm; 10-17-2011 at 12:09 PM.
 
Old 10-17-2011, 01:45 PM   #2
irabinovitch
LQ Newbie
 
Registered: Sep 2003
Location: Los Angeles, CA
Distribution: Ubuntu, Debian
Posts: 13

Rep: Reputation: 1
To rotate when the log reaches a give size rather than daily, replace the string daily with the size directive.

"size size
Log files are rotated when they grow bigger then size bytes. If
size is followed by M, the size if assumed to be in megabytes.
If the k is used, the size is in kilobytes. So size 100, size
100k, and size 100M are all valid.
"

So in your case for 2M you would do something along the lines of:

/var/log/messages {
rotate 99
size 2M
postrotate
/sbin/killall -HUP syslogd
endscript
}

Edit: unspawn is correct in stating that for the above to work you would need to run logrotate more frequently. Depending on how/frequent you are running and how many messages you are received each day, you could easily rotate through the all 99 archives.

From the man page:

" Normally, logrotate is run as a daily cron job. It will not modify a
log multiple times in one day unless the criterium for that log is
based on the log’s size and logrotate is being run multiple times each
day....
"

Last edited by irabinovitch; 10-17-2011 at 01:59 PM.
 
Old 10-17-2011, 01:47 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531
If logrotate only runs once a day then the "rotate" directive will ensure the log gets rotated 99 times but combining it with "size" makes no sense as the log will be rotated anyway. OTOH if /var/log/messages fills that quickly that you need to rotate the log several times a day then "size" does work but it'll hit the "rotate" limit several times quicker than with a daily run. What's a 2MB size anyway these days?...
 
Old 10-17-2011, 02:57 PM   #4
unix1adm
Member
 
Registered: Oct 2008
Posts: 649

Original Poster
Rep: Reputation: 32
So if i am correct I should copy the /etc/cron.daily/logrotate script to /etc/cron.hourly ad the very minimum to get it to check the logs file sizes on an hourly basis.
 
Old 10-17-2011, 04:27 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531
Sure but it would be a waste to run logrotate on all logs so run something like 'logrotate /etc/logrotate.d/syslog' instead.
 
Old 10-18-2011, 01:13 PM   #6
unix1adm
Member
 
Registered: Oct 2008
Posts: 649

Original Poster
Rep: Reputation: 32
Ok maybe that explains this error i see in my email today..

/etc/cron.hourly/logrotate:

error: syslog:1 duplicate log entry for /var/log/messages
error: found error in /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron , skipping

So based on what you said above do I need to make 2 /etc/logrotate.conf files and edit out what I dont need?

What I am missing here. I dont see any entries for messages in this file.

Or do I need to move the messages file into a different dir??

Last edited by unix1adm; 10-18-2011 at 03:38 PM.
 
Old 10-18-2011, 03:40 PM   #7
unix1adm
Member
 
Registered: Oct 2008
Posts: 649

Original Poster
Rep: Reputation: 32
re-read all this again

I think you mean this:

#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.d/messages <<<< changed this line...
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
 
Old 11-03-2011, 03:06 PM   #8
unix1adm
Member
 
Registered: Oct 2008
Posts: 649

Original Poster
Rep: Reputation: 32
Well i did as mentioned above but I am still getting the pesky emails... So I am sure something is missing. Have not had a change to get back to it until now.

Cron <root@myserver> run-parts /etc/cron.daily

/etc/cron.daily/logrotate:

error: syslog:1 duplicate log entry for /var/log/messages
error: found error in /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron , skipping


Here is my syslog.conf


etc]# cat syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#####*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.*;authpriv.*;cron.* /var/log/messages
*.info;mail.none;authpriv.none;cron.none @myserver99

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
 
Old 11-04-2011, 07:56 AM   #9
unix1adm
Member
 
Registered: Oct 2008
Posts: 649

Original Poster
Rep: Reputation: 32
got it worked out... Found my error. Had a typo
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Logrotate question manouche Linux - Software 4 08-14-2010 08:43 PM
logrotate question cytchiu Linux - Enterprise 2 06-03-2009 08:54 AM
logrotate question rimvydazas Linux - Software 9 12-21-2007 11:39 AM
a question about logrotate? hueofwind Linux - Newbie 3 11-08-2005 09:08 PM
A question on logrotate marcoc Linux - Networking 2 02-21-2003 06:07 PM


All times are GMT -5. The time now is 10:36 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration