LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Ubuntu (https://www.linuxquestions.org/questions/ubuntu-63/)
-   -   How to increase size of syslog in /var/log before it rotates and how to alter the rotation schedule ? (https://www.linuxquestions.org/questions/ubuntu-63/how-to-increase-size-of-syslog-in-var-log-before-it-rotates-and-how-to-alter-the-rotation-schedule-4175629805/)

tuxthegreat 05-16-2018 04:41 AM
How to increase size of syslog in /var/log before it rotates and how to alter the rotation schedule ?
 
I am on Ubuntu 16.04.4 LTS and my syslog never seems to go past 1MB before it rotates and goes into syslog.1 and logs there. I've tried to alter the conf file like so
Code:
cat /etc/logrotate.d/rsyslog
/var/log/syslog
{
        rotate 7
        size=50M
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
                invoke-rc.d rsyslog rotate >/dev/null
        endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/rsyslog.log
/var/log/debug
/var/log/messages
{
        rotate 4
        weekly
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                invoke-rc.d rsyslog rotate >/dev/null
        endscript
}
As you can see I added the *size=50M* hoping it would take, but no go, are there any other places were I can configure it to fill up more than 1 MB? And second portion of question, I see a bunch of .gz files like so
Code:
syslog.1 syslog.2.gz syslog.3.gz syslog.4.gz syslog.5.gz syslog.6.gz syslog.7.gz
I have read somewhere that I could modify this file to get rid of the .1.gz, .2.gz etc etc#compress Would this config work?
Code:
cat /etc/logrotate.d/rsyslog
/var/log/syslog
{
        rotate 7
        size=50M
        daily
        missingok
        notifempty
        delaycompress
        #compress
        postrotate
                invoke-rc.d rsyslog rotate >/dev/null
        endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/rsyslog.log
/var/log/debug
/var/log/messages
{
        rotate 4
        weekly
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                invoke-rc.d rsyslog rotate >/dev/null
        endscript
}
And to finish it off ,what if I got rid of the daily rotation all together and kept it only weekly *rotate 4*, would that cause a massive buildup of logs to the point of overwhelming my SSD ?

Honest Abe 05-16-2018 05:12 AM
so if your final setting is this-
Code:
/var/log/syslog
{
        rotate 7
        size=50M
        daily
        missingok
        notifempty
        delaycompress
        #compress
        postrotate
                invoke-rc.d rsyslog rotate >/dev/null
        endscript
}
if we go through the directives linewise -
1.It basically means rotate and keep 7 files (so 7 rotations before a syslog file gets deleted).
2.Rotate Only if the size grows bigger than 50M
3. Here comes a conflict. Rotate daily. So what happens if your logs do not reach 50M in a day ?
4.if the a log is missing, don't fret and rotate the next file.
5. Dont rotate if the logfile is of 0 size.
6. postpones compression of previous log to the next cycle. [which is why you see syslog.1 and syslog.2.gz]
7. #6 only works when you enable compression. you have commented compress out.
8. postrotate/endscript -> execute this command between these directives.

I suggest using either of #3 or #4, whatever you prefer. Log rotation based on size OR log rotation based on time.

Quote:
And to finish it off ,what if I got rid of the daily rotation all together and kept it only weekly *rotate 4*, would that cause a massive buildup of logs to the point of overwhelming my SSD ?
"weekly" and "rotate 4" would mean "keep log files weekly rotated for a month.". You have to gauge how much size that would be and if you'd like to use compression on or off. Again, take into account the difference between rotating logs on basis of size or basis of a specific time gap.

Further reading - here.
Also, after modifying your settings, do a dry run with verbosity. [#logrotate -d -v]
Hope it helps.

tuxthegreat 05-16-2018 05:30 AM
I noticed in your steps, step #4 (the missing log ) and step #5
Quote:
5. Dont rotate if the logfile is of 0 size.
This happens quite often actually, the syslog is 0 and everything gets thrown into syslog.1 and it continues to log to syslog.1 until the next rotation, and still it stays with syslog.1. This is rather frustrating. Only a service rsyslog restart amends this issue. I haven't commented out # the compress just yet, it was only an idea I was considering doing, as it stands I only have the size=50M bit added to that config file. Also 50M was just a random number I picked, it might as well be 10M or 5M, they don't get all that long, just enough space so that 1 24hour period can be logged in one go.

Additional information perhaps can help diagnose this issue, I noticed these errors
Quote:
May 16 systemd[1]: [/lib/systemd/system/rsyslog.service:19] Unknown lvalue 'LimitNOFILE' in section 'Install'
May 16 systemd[1]: Started ACPI event daemon.
May 16 systemd[1]: Reloading.
May 16 systemd[1]: [/lib/systemd/system/rsyslog.service:19] Unknown lvalue 'LimitNOFILE' in section 'Install'
May 16 systemd[1]: Started ACPI event daemon.
May 16 systemd[1]: Reloading.
May 16 systemd[1]: [/lib/systemd/system/rsyslog.service:19] Unknown lvalue 'LimitNOFILE' in section 'Install'
May 16 systemd[1]: Started ACPI event daemon.
May 16 systemd[1]: Reloading.
May 16 systemd[1]: [/lib/systemd/system/rsyslog.service:19] Unknown lvalue 'LimitNOFILE' in section 'Install'
I took a peek inside
Quote:
cat /lib/systemd/system/rsyslog.service
and I found this inside
Quote:
[Unit]
Description=System Logging Service
Requires=syslog.socket
Documentation=man:rsyslogd(8)
Documentation=http://www.rsyslog.com/doc/

[Service]
Type=notify
ExecStart=/usr/sbin/rsyslogd -n -iNONE
StandardOutput=null
Restart=on-failure

[Install]
WantedBy=multi-user.target
Alias=syslog.service

# Increase the default a bit in order to allow many simultaneous
# files to be monitored, we might need a lot of fds.
LimitNOFILE=16384

Honest Abe 05-16-2018 06:23 AM
Quote:
This happens quite often actually, the syslog is 0 and everything gets thrown into syslog.1 and it continues to log to syslog.1 until the next rotation, and still it stays with syslog.1.
Looks like you need copytruncate for this.
Either that, or put something like this inside the postrotate/endscript

Code:
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
Please test and report how it plays out.

Honest Abe 05-16-2018 06:34 AM
as to the error with 'LimitNOFILE=16384', I have no idea. Maybe somebody else can pick it up and assist.

tuxthegreat 05-16-2018 06:43 AM
Quote:
Originally Posted by Honest Abe (Post 5855407)
Looks like you need copytruncate for this.
Either that, or put something like this inside the postrotate/endscript

Code:
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
Please test and report how it plays out.
I took a look around in /var/run and there isn't any syslogd.pid or rsyslogd.pid files
Quote:
cat /var/run/syslogd.pid
cat: /var/run/syslogd.pid: No such file or directory

Honest Abe 05-16-2018 07:19 AM
Sorry mate, this was from a CentOS 6 VM. A quick web search should point you to relevant place in your Ubuntu setup.

Honest Abe 05-16-2018 11:17 AM
if ubuntu supports the 'pidof' command, then you can possibly use that as well.

Code:
[anirban@AB-Cent7OS ~]$ sudo cat /var/run/syslogd.pid
1429
[anirban@AB-Cent7OS ~]$ sudo pidof rsyslogd
1429


All times are GMT -5. The time now is 09:44 PM.