I want to keep my /var/log/messages file for 99 days. My security people need this info.
I am running red hat 5.7

from the reading i did I think I just need to add a file to
/etc/logrotate.d
cat messages:

/var/log/messages {
rotate 99
daily
postrotate
/sbin/killall -HUP syslogd
endscript
}


Does this look right?

EDIT;
My user just gave me a new requirement...

He wants to keep 99 revisions (messages.0 to messages.99) with each 2MB if possible.

To rotate when the log reaches a give size rather than daily, replace the string daily with the size directive.

"size size
Log files are rotated when they grow bigger then size bytes. If
size is followed by M, the size if assumed to be in megabytes.
If the k is used, the size is in kilobytes. So size 100, size
100k, and size 100M are all valid.
"

So in your case for 2M you would do something along the lines of:

/var/log/messages {
rotate 99
size 2M
postrotate
/sbin/killall -HUP syslogd
endscript
}

Edit: unspawn is correct in stating that for the above to work you would need to run logrotate more frequently. Depending on how/frequent you are running and how many messages you are received each day, you could easily rotate through the all 99 archives.

From the man page:

" Normally, logrotate is run as a daily cron job. It will not modify a
log multiple times in one day unless the criterium for that log is
based on the log’s size and logrotate is being run multiple times each
day....
"

If logrotate only runs once a day then the "rotate" directive will ensure the log gets rotated 99 times but combining it with "size" makes no sense as the log will be rotated anyway. OTOH if /var/log/messages fills that quickly that you need to rotate the log several times a day then "size" does work but it'll hit the "rotate" limit several times quicker than with a daily run. What's a 2MB size anyway these days?...

So if i am correct I should copy the /etc/cron.daily/logrotate script to /etc/cron.hourly ad the very minimum to get it to check the logs file sizes on an hourly basis.

Sure but it would be a waste to run logrotate on all logs so run something like 'logrotate /etc/logrotate.d/syslog' instead.

Ok maybe that explains this error i see in my email today..

/etc/cron.hourly/logrotate:

error: syslog:1 duplicate log entry for /var/log/messages
error: found error in /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron , skipping

So based on what you said above do I need to make 2 /etc/logrotate.conf files and edit out what I dont need?

What I am missing here. I dont see any entries for messages in this file.

Or do I need to move the messages file into a different dir??

re-read all this again

I think you mean this:

#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.d/messages <<<< changed this line...
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

Well i did as mentioned above but I am still getting the pesky emails... So I am sure something is missing. Have not had a change to get back to it until now.

Cron <root@myserver> run-parts /etc/cron.daily

/etc/cron.daily/logrotate:

error: syslog:1 duplicate log entry for /var/log/messages
error: found error in /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron , skipping


Here is my syslog.conf


etc]# cat syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#####*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.*;authpriv.*;cron.* /var/log/messages
*.info;mail.none;authpriv.none;cron.none @myserver99

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

got it worked out... Found my error. Had a typo