Quote:
Originally Posted by Doga Ozer
Hi all,
My question is quite general and not quite specific on which log files I'm pointing out to.
But does anybody know how I can determine the old .log.1 or .gz files that are listed in my /var/log directory?
I wanted to backup all of the log files onto a USB partition, but don't know if that's possible on Linux.
Backing up the log files won't (IMHO) do much good if you're never going to look at them.
Questions I would ask myself:
- How quickly will I be responding to incidents that appear in the log files?
- Do I even know what to look for in the log files?
If you only find the time to look at the log files on, say, the weekend, and respond to what they contain, you might want to configure logrotate to retain logs (compressed logs if you're not already compressing them) for 10-15 days. That would give you plenty of time to look through logs and deal with what you see in them. Once you get into a habit of looking at the logs, or you've established an automated means of looking through them and generating a report, you can cut down that retention period.
What to look for? Go through a few of the logs and see what looks suspicious: failed root logins and stuff like that. Start by cutting-n-pasting some of the strings you see in the messages file and adding them to a file named, say, "suspicious_messages.txt", then you could create a short shell script to grep for those strings and email the results to be read. Something like:
Code:
$ sudo grep -f suspicious_messages.txt /var/log/messages | mailx -s "Interesting stuff in messages file" my-account-name
You could set this up in cron to run just before midnight so you get a summary of today's interesting events. (If sudo is always prompting you for a password, you will find it easier to run this command in root's crontab.) If you're worried about missing something important in the last minute or so of the day, you could schedule the command to be run just after midnight, though this means scheduling a simple command won't be as easy, as you'll need to pick the correct, by then compressed, log file (see "xz -dc", "bzip2 -dc", etc. to get to the raw log file). Play around with:
Code:
$ date --date='yesterday' +%Y%m%d
and see how that might help you track down the correct compressed log file.
As I mentioned above, log files shouldn't be a cause for disk space problems. Unless your system is under a serious attack, the size of your log files shouldn't be excessively large. But... if disk space has become an issue, please:
Code:
df
sudo su - root -c "cd /; du -s * | sort -n"
In both cases, post the results in code tags. The first command will give LQ folks a clue as to your disk/filesystem layout. The second will provide info regarding which directory tree is using the most disk space. (My guess would be NOT /var.)
Cheers...
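The grep-plus-cron idea above, worked through as an added example that is not code from this thread or its poster. It builds a throw-away directory containing a constructed suspicious_messages.txt and a constructed sshd-style messages log, rotates "yesterday's" copy into a gzip file named the way logrotate's dateext option names it (an assumption; match the pattern to your own logrotate.conf), and then picks and decompresses the right file for a given date before grepping it. The report is printed rather than piped to mailx so it runs anywhere; the function names (read_log, scan_log, count_hits, log_for_date) are mine.

```shell
#!/bin/sh
# Added example, not the thread's code: scan a messages log (plain or rotated/compressed)
# for the fixed strings listed in suspicious_messages.txt and report the hits.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed pattern list: one fixed string per line, as grep -F -f expects
cat > "$WORK/suspicious_messages.txt" <<'EOF'
Failed password for root
Invalid user
authentication failure
EOF

# Constructed sample log lines (hosts/addresses are documentation ranges, not real systems)
cat > "$WORK/messages" <<'EOF'
Jan 10 23:59:01 host sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Jan 10 23:59:20 host sshd[1202]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 23:59:25 host sshd[1203]: Invalid user admin from 198.51.100.7 port 40002
EOF

# Emulate what logrotate (dateext, compress) leaves behind just after midnight:
# yesterday's log becomes messages-YYYYMMDD.gz and a fresh messages file starts.
YESTERDAY=$(date --date='yesterday' +%Y%m%d 2>/dev/null || date -v-1d +%Y%m%d)
gzip -c "$WORK/messages" > "$WORK/messages-$YESTERDAY.gz"
printf '%s\n' 'Jan 11 00:00:05 host cron[1300]: (root) CMD (run-parts /etc/cron.daily)' > "$WORK/messages"

# read_log FILE: emit the raw text of a log whatever its compression (the xz -dc / bzip2 -dc trick)
read_log() {
    case "$1" in
        *.gz)  gzip -dc "$1" ;;
        *.bz2) bzip2 -dc "$1" ;;
        *.xz)  xz -dc "$1" ;;
        *)     cat "$1" ;;
    esac
}

# scan_log PATTERNFILE LOGFILE: print the lines that contain any string from PATTERNFILE.
# grep exits 1 when nothing matches; "|| true" keeps set -e from treating that as an error.
scan_log() {
    read_log "$2" | grep -F -f "$1" || true
}

# count_hits PATTERNFILE LOGFILE: number of matching lines (handy for the mail subject)
count_hits() {
    scan_log "$1" "$2" | wc -l | tr -d ' '
}

# log_for_date DIR YYYYMMDD: the rotated copy for that date if logrotate has already
# compressed it, otherwise the live messages file (the "which file is it by now?" question)
log_for_date() {
    if [ -f "$1/messages-$2.gz" ]; then
        printf '%s\n' "$1/messages-$2.gz"
    else
        printf '%s\n' "$1/messages"
    fi
}

# Usage as a just-after-midnight cron job would run it: report on yesterday's file.
# In a real job the two commands below would be piped to mailx -s "..." instead of printed.
LOGFILE=$(log_for_date "$WORK" "$YESTERDAY")
echo "Interesting stuff in $LOGFILE ($(count_hits "$WORK/suspicious_messages.txt" "$LOGFILE") lines):"
scan_log "$WORK/suspicious_messages.txt" "$LOGFILE"
```

The pattern file is applied with grep -F so that characters such as brackets or dots in a pasted log string are matched literally rather than as regular expressions; the date lookup falls back to the live file when the rotated copy is not there yet, which is the case if the job fires before logrotate does.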