Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
So it seems that my server isn't rotating logs like it should. I can confirm this as the logs ending with .[x] where [x] is a number usually 1 - 4 are all months old according to the time stamp and the main log file without any .[x] appended to it is rather large. I only noticed this because I have my messages log emailed to me daily using a script:
Code:
less /var/log/messages | grep "$(date --date="yesterday" '+%b %e')" | mail -s "title of email" my@email.address
However, since I installed this script a year ago, I'm starting to see logs from last August show up in today's emails; so I began looking.
I know logrotate is what handles log rotation, but how can I check to see why it's stopped working for whatever reason?
I ran this command, as I figured it would shed some light on it but it doesn't seem to be helping.
/usr/sbin/logrotate -vf /etc/logrotate.conf
This is the output of the above command.
Code:
reading config file /etc/logrotate.conf
including /etc/logrotate.d
reading config file acpid
reading config info for /var/log/acpid
reading config file conman
reading config info for /var/log/conman/*
olddir is now /var/log/conman.old/
reading config file cups
reading config info for /var/log/cups/*_log
reading config file exim
reading config info for /var/log/exim_mainlog
reading config info for /var/log/exim_paniclog
reading config info for /var/log/exim_rejectlog
reading config file httpd
reading config info for /var/log/httpd/*log
reading config file mgetty
reading config info for /var/log/mgetty.log.tty[^.] /var/log/mgetty.log.tty[^.][^.] /var/log/mgetty.log.tty[^.][^.][^.] /var/log/mgetty.log.tty[^.][^.][^.][^.] /var/log/mgetty.log.tty[^.][^.][^.][^.][^.] /var/log/mgetty.log.tty[^.][^.][^.][^.][^.][^.] /var/log/mgetty.log.tty[^.][^.][^.][^.][^.][^.][^.] /var/log/mgetty.log.tty[^.][^.][^.][^.][^.][^.][^.][^.] /var/log/mgetty.log.tty[^.][^.][^.][^.][^.][^.][^.][^.][^.] /var/log/mgetty.log.tty[^.][^.][^.][^.][^.][^.][^.][^.][^.][^.] /var/log/mgetty.log.unknown /var/log/mgetty.callback
reading config file mysql
reading config info for /var/lib/mysql/mysqld.log
reading config file named
reading config info for /var/log/named.log
reading config file ppp
reading config info for /var/log/ppp/connect-errors
reading config file psacct
reading config info for /var/account/pacct
reading config file rpm
reading config info for /var/log/rpmpkgs
reading config file sa-update
reading config info for /var/log/sa-update.log
reading config file samba
reading config info for /var/log/samba/*.log
reading config file setroubleshoot
reading config info for /var/log/setroubleshoot/*.log
reading config file snort
error: error accessing /var/log/snort/*: No such file or directory
error: snort:4 glob failed for /var/log/snort/*/*log
Not sure what most of that means, but whatever. Where do I start?
Best place to start is by running in debug mode:
Code:
logrotate -v -d /path/to/logrotate.conf
From what you have pasted, it looks like a config problem with the snort log directory, and so the whole process is failing.
Run again in debug mode and paste the output...or fix the error on line 4 of the snort config file.
Code:
error: error accessing /var/log/snort/*: No such file or directory
error: snort:4 glob failed for /var/log/snort/*/*log
IIRC, if in the logrotate process one of the logrotates fails (that is, a file to rotate does not exist), all following commands are not executed. You would have this when you stop logging with a certain program and delete old log files. That is a bit unexpected, as one would not consider that an error. Still, logrotate does and ceases execution.
Well I think log rotation has resumed. I will keep an eye on it for the next few days, then see about getting snort back in the mix. For the record, here is the snort config file.
/var/log/snort/*/alert (there are no directories in /snort)
/var/log/snort/*/*log (there are no directories in /snort)
So I think if I change it to
/var/log/snort/*log* (Some files do have log as an extension, but behind it is a series of numbers [guessing it's a time stamp])
/var/log/snort/alert* (This should gather all the files that are alert.{series of numbers})
delete this bit of code, as it won't catch anything that the /var/log/snort/*log* doesn't already catch.
I think you are creating problems with using *log* as files will get rotated and re-rotated. Check the man page (there is a paragraph on this) and refer to the olddir directive.
Your redirection into a file to trace the error created a blank file because these error messages appear on stderr, not stdout.
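The re-rotation problem raised in the last reply, as an added example that is not part of the original thread: a POSIX shell check of whether a logrotate glob also matches the `.1` copy that logrotate creates by default. The file names are constructed, and `matches` and `rerotated` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: does a logrotate glob match its own rotated output?

# matches PATTERN NAME -> exit 0 if the file name NAME matches the glob PATTERN.
# An unquoted variable in a case pattern is treated as a glob, not a literal.
matches() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# rerotated PATTERN NAME... -> print every NAME that PATTERN selects and whose
# default rotated copy (NAME.1) PATTERN would select again on the next run.
rerotated() {
    pattern=$1
    shift
    for name in "$@"; do
        if matches "$pattern" "$name" && matches "$pattern" "$name.1"; then
            printf '%s -> %s\n' "$name" "$name.1"
        fi
    done
}

# Constructed names shaped like the ones described in the thread:
# alert.{numbers}, a log with numbers after the extension, and a plain .log file.
SAMPLE="alert.1281000000 snort.log.1281000000 portscan.log"

for p in '*log' '*log*' 'alert*'; do
    echo "pattern $p:"
    rerotated "$p" $SAMPLE
done
```

The original `*log` file-name pattern prints nothing, while `*log*` and `alert*` both match their own rotated output. `olddir` avoids this by moving rotated copies out of the directory the glob scans.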