LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Red Hat (https://www.linuxquestions.org/questions/red-hat-31/)
-   -   rsyslog logrotate default size 1.5g? (https://www.linuxquestions.org/questions/red-hat-31/rsyslog-logrotate-default-size-1-5g-4175546410/)

leniviy 06-25-2015 08:18 AM
rsyslog logrotate default size 1.5g?
 
Hi.

I don't understand where rotate size for /var/log/messages is configured. Thought it would be "size" in /etc/logrotate.d/syslog , but not.

Is 1.5G a default for logrotate?

Code:
[root@ec-prod-lb-2 ~]# ls -lh /var/log/messages*
-rw-------. 1 root root  39 Jun 25 16:08 /var/log/messages
-rw-------. 1 root root 1.4G Jun 14 03:26 /var/log/messages-20150614
-rw-------. 1 root root 1.5G Jun 21 03:18 /var/log/messages-20150621

[root@ec-prod-lb-2 ~]# df -h /var/
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3      4.8G  3.3G  1.3G  72% /var


[root@ec-prod-lb-2 ~]# grep -Ri size /etc/rsyslog.* /etc/logrotate.*
/etc/logrotate.conf:    minsize 1M
/etc/logrotate.d/numad:    size 1M
/etc/logrotate.d/dracut:    size 30k
/etc/logrotate.d/mcelog:    size=+2048k


[root@ec-prod-lb-2 ~]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 2

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
        minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
[root@ec-prod-lb-2 ~]# cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}


[root@ec-prod-lb-2 ~]# cat /etc/rsyslog.conf
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog  # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local0.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g  # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList  # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
user.info;authpriv.*;mail.none;cron.none        @syslog.okmarket.ru
#*.* @@remote-host:514
# ### end of the forwarding rule ###

MensaWater 06-25-2015 09:37 AM
/etc/logrotate.d is subsidiary to /etc/logrotate.conf itself. The "defaults" are defined in /etc/logroate.conf but can be overriden in the specific /etc/logroate.d file.

In RHEL /etc/cron.daily calls the logrotate each day but since the logroate.conf starts with "weekly" the files are usually only actually rotated once a week.

You can override time and size by adding them to /etc/logrotate.d/syslog. For example on our mail server we keep a month's worth of log at a time and keep them for a year so we modified the file to include "monthly" and "rotate 12". You could put size there if you wanted:
Code:
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    monthly
    rotate 12
    sharedscripts
    compress
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}


All times are GMT -5. The time now is 03:11 AM.