LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Ubuntu
User Name
Password
Ubuntu This forum is for the discussion of Ubuntu Linux.

Notices


Reply
  Search this Thread
Old 05-16-2018, 04:41 AM   #1
tuxthegreat
Member
 
Registered: Mar 2018
Posts: 32

Rep: Reputation: Disabled
How to increase size of syslog in /var/log before it rotates and how to alter the rotation schedule ?


I am on Ubuntu 16.04.4 LTS and my syslog never seems to go past 1MB before it rotates and goes into syslog.1 and logs there. I've tried to alter the conf file like so
Code:
cat /etc/logrotate.d/rsyslog
/var/log/syslog
{
	rotate 7
        size=50M
	daily
	missingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog rotate >/dev/null
	endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/rsyslog.log
/var/log/debug
/var/log/messages
{
	rotate 4
	weekly
	missingok
	notifempty
	compress
	delaycompress
	sharedscripts
	postrotate
		invoke-rc.d rsyslog rotate >/dev/null
	endscript
}
As you can see I added the *size=50M* hoping it would take, but no go, are there any other places were I can configure it to fill up more than 1 MB? And second portion of question, I see a bunch of .gz files like so
Code:
syslog.1 syslog.2.gz syslog.3.gz syslog.4.gz syslog.5.gz syslog.6.gz syslog.7.gz
I have read somewhere that I could modify this file to get rid of the .1.gz, .2.gz etc etc#compress Would this config work?
Code:
cat /etc/logrotate.d/rsyslog
/var/log/syslog
{
	rotate 7
        size=50M
	daily
	missingok
	notifempty
	delaycompress
	#compress
	postrotate
		invoke-rc.d rsyslog rotate >/dev/null
	endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/rsyslog.log
/var/log/debug
/var/log/messages
{
	rotate 4
	weekly
	missingok
	notifempty
	compress
	delaycompress
	sharedscripts
	postrotate
		invoke-rc.d rsyslog rotate >/dev/null
	endscript
}
And to finish it off ,what if I got rid of the daily rotation all together and kept it only weekly *rotate 4*, would that cause a massive buildup of logs to the point of overwhelming my SSD ?

Last edited by tuxthegreat; 05-16-2018 at 05:07 AM.
 
Old 05-16-2018, 05:12 AM   #2
Honest Abe
Member
 
Registered: May 2018
Distribution: CentOS 7, OpenSUSE 15
Posts: 122
Blog Entries: 1

Rep: Reputation: 53
so if your final setting is this-
Code:
/var/log/syslog
{
	rotate 7
        size=50M
	daily
	missingok
	notifempty
	delaycompress
	#compress
	postrotate
		invoke-rc.d rsyslog rotate >/dev/null
	endscript
}
if we go through the directives linewise -
1.It basically means rotate and keep 7 files (so 7 rotations before a syslog file gets deleted).
2.Rotate Only if the size grows bigger than 50M
3. Here comes a conflict. Rotate daily. So what happens if your logs do not reach 50M in a day ?
4.if the a log is missing, don't fret and rotate the next file.
5. Dont rotate if the logfile is of 0 size.
6. postpones compression of previous log to the next cycle. [which is why you see syslog.1 and syslog.2.gz]
7. #6 only works when you enable compression. you have commented compress out.
8. postrotate/endscript -> execute this command between these directives.

I suggest using either of #3 or #4, whatever you prefer. Log rotation based on size OR log rotation based on time.

Quote:
And to finish it off ,what if I got rid of the daily rotation all together and kept it only weekly *rotate 4*, would that cause a massive buildup of logs to the point of overwhelming my SSD ?
"weekly" and "rotate 4" would mean "keep log files weekly rotated for a month.". You have to gauge how much size that would be and if you'd like to use compression on or off. Again, take into account the difference between rotating logs on basis of size or basis of a specific time gap.

Further reading - here.
Also, after modifying your settings, do a dry run with verbosity. [#logrotate -d -v]
Hope it helps.
 
Old 05-16-2018, 05:30 AM   #3
tuxthegreat
Member
 
Registered: Mar 2018
Posts: 32

Original Poster
Rep: Reputation: Disabled
I noticed in your steps, step #4 (the missing log ) and step #5
Quote:
5. Dont rotate if the logfile is of 0 size.
This happens quite often actually, the syslog is 0 and everything gets thrown into syslog.1 and it continues to log to syslog.1 until the next rotation, and still it stays with syslog.1. This is rather frustrating. Only a service rsyslog restart amends this issue. I haven't commented out # the compress just yet, it was only an idea I was considering doing, as it stands I only have the size=50M bit added to that config file. Also 50M was just a random number I picked, it might as well be 10M or 5M, they don't get all that long, just enough space so that 1 24hour period can be logged in one go.

Additional information perhaps can help diagnose this issue, I noticed these errors
Quote:
May 16 systemd[1]: [/lib/systemd/system/rsyslog.service:19] Unknown lvalue 'LimitNOFILE' in section 'Install'
May 16 systemd[1]: Started ACPI event daemon.
May 16 systemd[1]: Reloading.
May 16 systemd[1]: [/lib/systemd/system/rsyslog.service:19] Unknown lvalue 'LimitNOFILE' in section 'Install'
May 16 systemd[1]: Started ACPI event daemon.
May 16 systemd[1]: Reloading.
May 16 systemd[1]: [/lib/systemd/system/rsyslog.service:19] Unknown lvalue 'LimitNOFILE' in section 'Install'
May 16 systemd[1]: Started ACPI event daemon.
May 16 systemd[1]: Reloading.
May 16 systemd[1]: [/lib/systemd/system/rsyslog.service:19] Unknown lvalue 'LimitNOFILE' in section 'Install'
I took a peek inside
Quote:
cat /lib/systemd/system/rsyslog.service
and I found this inside
Quote:
[Unit]
Description=System Logging Service
Requires=syslog.socket
Documentation=man:rsyslogd(8)
Documentation=http://www.rsyslog.com/doc/

[Service]
Type=notify
ExecStart=/usr/sbin/rsyslogd -n -iNONE
StandardOutput=null
Restart=on-failure

[Install]
WantedBy=multi-user.target
Alias=syslog.service

# Increase the default a bit in order to allow many simultaneous
# files to be monitored, we might need a lot of fds.
LimitNOFILE=16384

Last edited by tuxthegreat; 05-16-2018 at 06:19 AM.
 
Old 05-16-2018, 06:23 AM   #4
Honest Abe
Member
 
Registered: May 2018
Distribution: CentOS 7, OpenSUSE 15
Posts: 122
Blog Entries: 1

Rep: Reputation: 53
Quote:
This happens quite often actually, the syslog is 0 and everything gets thrown into syslog.1 and it continues to log to syslog.1 until the next rotation, and still it stays with syslog.1.
Looks like you need copytruncate for this.
Either that, or put something like this inside the postrotate/endscript

Code:
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
Please test and report how it plays out.

Last edited by Honest Abe; 05-16-2018 at 06:29 AM. Reason: added rsyslogd
 
Old 05-16-2018, 06:34 AM   #5
Honest Abe
Member
 
Registered: May 2018
Distribution: CentOS 7, OpenSUSE 15
Posts: 122
Blog Entries: 1

Rep: Reputation: 53
as to the error with 'LimitNOFILE=16384', I have no idea. Maybe somebody else can pick it up and assist.
 
Old 05-16-2018, 06:43 AM   #6
tuxthegreat
Member
 
Registered: Mar 2018
Posts: 32

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Honest Abe View Post
Looks like you need copytruncate for this.
Either that, or put something like this inside the postrotate/endscript

Code:
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
Please test and report how it plays out.
I took a look around in /var/run and there isn't any syslogd.pid or rsyslogd.pid files
Quote:
cat /var/run/syslogd.pid
cat: /var/run/syslogd.pid: No such file or directory
 
Old 05-16-2018, 07:19 AM   #7
Honest Abe
Member
 
Registered: May 2018
Distribution: CentOS 7, OpenSUSE 15
Posts: 122
Blog Entries: 1

Rep: Reputation: 53
Sorry mate, this was from a CentOS 6 VM. A quick web search should point you to relevant place in your Ubuntu setup.
 
Old 05-16-2018, 11:17 AM   #8
Honest Abe
Member
 
Registered: May 2018
Distribution: CentOS 7, OpenSUSE 15
Posts: 122
Blog Entries: 1

Rep: Reputation: 53
if ubuntu supports the 'pidof' command, then you can possibly use that as well.

Code:
[anirban@AB-Cent7OS ~]$ sudo cat /var/run/syslogd.pid
1429
[anirban@AB-Cent7OS ~]$ sudo pidof rsyslogd
1429
 
  


Reply

Tags
logrotate, rsyslogd


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Remote Logging With Syslog, Part 4: Log Rotation LXer Syndicated Linux News 0 12-21-2016 03:51 AM
[SOLVED] Default rotation of logins log (/var/log/wmtp) gacanepa Linux - Newbie 2 10-01-2013 06:59 PM
Syslog-ng messages.log log rotation Iyyappan Linux - Server 3 09-16-2012 11:10 AM
[SOLVED] No /var/log/messages , syslog , kern.log -but cat /var/spool/octopussy/octo_fifo masuch Linux - Newbie 4 06-13-2012 08:05 PM
How to change Debian log rotation of syslog and daemon.log onmountain Linux - Newbie 2 07-31-2008 02:27 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Ubuntu

All times are GMT -5. The time now is 01:42 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration