Extend logrotate for additional log files

The Linux operating system consists of many different components. Many of them log their activity directly or indirectly into log files. Over time those log files grow and would eventually fill up the disk if there wasn’t a utility like logrotate. With logrotate in place, the log files are rotated to avoid them filling up the disk. When new programs are installed, it might be necessary to extend the logrotate configuration to include the new log files.

Most, if not all, modern Linux distributions come pre-configured with logrotate. Logrotate is an important little utility. It is started via cron at regular intervals to check for log files to be rotated. As simple as it sounds, logrotate provides a lot of control over the generated log files.

Advertisements

Installing a modern distribution will also install logrotate with a default set of rules to rotate all the log files generated by the Linux distribution. The configuration differs from distribution to distribution due to different log file names or their location. In the following, most of the configuration items will show RHEL/CentOS related directory and filename information.

The logrotate configuration

Logrotate is called via cron and requires at least one argument, the config file. In most distributions this configuration file can be found as “/etc/logrotate.conf“. This configuration file contains the general configuration of the logrotate utility.

$ cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
	minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

The configuration of logrotate contains a few types of configuration items which I like to group like this.

Interval – Settings which define how often or when a log-file should be rotated. This can be time and size based. Settings like “daily”, “weekly” or “monthly” define a time interval in which the log-file should be rotated. A setting like “minsize 1M” defines a minimum size for the log file before logrotate will rotate it during the time interval of “daily” for example. While “minsize” is an additional option to the time interval, the “size” option is an alternative to it. It will rotate the log-file on the next log-rotate run when the file has reached a certain size independent of any time interval.

Rotate method – Allows controlling how the rotation is performed. The “copytruncate” option will first create a copy of the file and then truncate the actual log file allowing the daemon to continue to log without the need of being notified about the rotation.

Log handling – These are settings which define how logrotate should handle the rotated logs. “rotate 4” defines for example to keep 4 old rotated log files before they are deleted. The “dateext” will add the date to the file name while rotating it.

Post processing – is a group of settings which define what happens after the rotation of the log file. Should it be compressed (“compress” setting) which can be done immediately or delayed (“delaycompress” setting) should a new log-file be created (“create” setting). And of course the “postrotate” script is an important step to notify the daemon logging to the file about the rotation of its log files.

Of course there are also some other settings controlling other aspects of logrotate as well like “missingok” allowing logrotate to continue without an error if the described file is missing. The “include” option allows you to structure the settings by including more configuration files.

It has become good practice to provide a daemon’s logrotate configuration via the package (rpm, deb, …) in a separate file and store it in the included path. This way each program can provide its own logrotate configuration in a clean way.

Of course there are more possible settings then shown in the example. To get a full list of settings and their options, check the logrotate(8) man page.

Add logrotate configuration

The following example shows how to add two additional log files to logrotate. The file list also allows the use of patterns to match the log files. For details on this, check the logrotate(8) man page.

/var/log/some.log /var/log/daemon/daemon.log {
    missingok
    daily
    dateext
    compress
    nodelaycompress
    nocreate
    rotate 4
    sharedscripts
    postrotate
        /etc/init.d/daemon restart || true
    endscript
}

The above configuration should be stored in the included “/etc/logrotate.d” directory in a file usually named after the program / daemon writing the log-files.

Logrotate will check for the two listed log-files and, will not fail with an error if one or both of the files are missing (missingok). The files will be rotated “daily”, will be compressed (compress) instantly (nodelaycompress) and 4 rotated log-files will be kept before they are deleted. The “nocreate” instructs logrotate to not create a new logfile after rotating it away.

The postrotate section between the “postrotate” and the “endscript” is a shell script which will be executed for each rotated log-file. The “sharedscript” is used to trigger the post rotate script only once for all the log-files listed in this section.

In the above example, the postrotate section restarts the daemon to trigger the log-files to be reopened by the daemon.

There is more

Beyond this introduction are even more settings in logrotate which allow you to control even more features. Including features like shredding log-files instead of simply deleting them, sending logs via email, more time intervals, exclude lists for file extensions, and more. The logrotate(8) man page explains them all in detail.

Testing the configuration

As always when the configuration is changed, the changes should be tested to make sure no unexpected behavior will arise caused by a typo or any other mistake. To do this, execute the following command.

$ logrotate -d /etc/logrotate.conf 
reading config file /etc/logrotate.conf
including /etc/logrotate.d
reading config file dracut
reading config info for /var/log/dracut.log 
reading config file syslog
reading config info for /var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler

reading config file yum
reading config info for /var/log/yum.log 
reading config info for /var/log/wtmp 
reading config info for /var/log/btmp 

Handling 9 logs

rotating pattern: /var/log/dracut.log  1048576 bytes (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/dracut.log
  log does not need rotating

rotating pattern: /var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
 weekly (4 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/cron
  log does not need rotating
considering log /var/log/maillog
  log does not need rotating
considering log /var/log/messages
  log does not need rotating
considering log /var/log/secure
  log does not need rotating
considering log /var/log/spooler
  log does not need rotating
not running postrotate script, since no logs were rotated

rotating pattern: /var/log/yum.log  yearly (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/yum.log
  log does not need rotating

rotating pattern: /var/log/wtmp  monthly (1 rotations)
empty log files are rotated, only log files >= 1048576 bytes are rotated, old logs are removed
considering log /var/log/wtmp
  log does not need rotating

rotating pattern: /var/log/btmp  monthly (1 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/btmp
  log does not need rotating

The above is an example of a logrotate run with the “-d” option, which enables debug mode. In this mode logrotate will read all configuration and check all log files. Logrotate will report all details (implicitly -v option) but will not actually rotate any log files. This allows you to check the configuration for syntax errors as well as checking its behavior with the newly added configuration.


Read more of my posts on my blog at https://blog.tinned-software.net/.

This entry was posted in Linux Administration and tagged , . Bookmark the permalink.