-
Title
Syslog-ng PE Guide to Logrotate -
Description
By default Syslog-ng comes with a customized logrotate configuration that rotates out the locally written logs. This configuration can be found at:
/etc/logrotate.d/opt-syslog-ng
This configuration can be modified to rotate customized file locations to save disk space when writing logs locally. -
Resolution
What is Logrotate?
Logrotate is a program that runs in Linux that rotates, compresses, and mails system logs. It can be used to save space and better organize files over a set time period.
Logrotate normally runs daily as a cronjob.
The default configuration within Syslog-ng PE is as follows:/var/log/messages { daily rotate 7 compress postrotate systemctl reload syslog-ng >/dev/null endscript }The options in this configuration are as follows:
/var/log/messages - is the location of the file to be rotated.daily - Log files are rotated once a day, every day.
rotate 7 - Files are rotated 7 times before being removed.compress - Older versions of the file are compressed using gzip.postrotate - The commands following this will run at the end of the rotation.systemctl reload syslog-ng >/dev/null - This command reloads Syslog-ng PE's configuration file to ensure that it writes to /var/log/messages once more and it sends its output to /dev/null to ensure a smooth reload.endscript - indicates the end of the configuration.
The default configuration can be modified and adjusted for customized local log destinations, and if using the server version of Syslog-ng PE, logrotate can be used to rotate file log destinations as well.
For more details and information please see the man pages for logrotate by running the following command on the Syslog-ng PE host:man logrotateDebugging Logrotate:
Logrotate can be run in debug mode using:logrotate -df /etc/logrotate.d/opt-syslog-ng*NOTE* - the above path "/etc/logrotate.d/opt-syslog-ng" can be replaced with the configuration file of choice.
When running Logrotate in debug mode files will not actually be rotated, however, logrotate will run verbosely showing via the console what would occur should logrotate run at that moment.
The following is an example of logrotate run in debug mode and a breakdown of what is occurring:-bash-4.2# logrotate -df /etc/logrotate.d/opt-syslog-ng reading config file /etc/logrotate.d/opt-syslog-ng #begins reading the configuration file Allocating hash table for state file, size 15360 B Handling 1 logs #informs how many logs are to be rotated rotating pattern: /var/log/messages #informs the pattern from the configuration which is to be rotated forced from command line (7 rotations) #informs that 7 rotations (or 7 days worth) of logs are kept empty log files are not rotated, old logs are removed considering log /var/log/messages #now considering the file in question log needs rotating #informs that the log needs rotating rotating log /var/log/messages, log->rotateCount is 7 #begins the rotation informing again that the rotate count is 7 dateext suffix '-20200707' #indicates what the date extension suffix is (placed by default at the tail of the file) glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' #shows the global pattern used for the date extension suffix renaming /var/log/messages to /var/log/messages-20200707 #informs what the newly named file is called running postrotate script #moves into postrotate where any commands are to be called running script with arg /var/log/messages #informs that there is a command to be run in postrotate : " systemctl reload syslog-ng >/dev/null #now runs the reload of Syslog-ng PE's configuration file " compressing log with: /bin/gzip #now compresses the rotated file and ending the rotation.*NOTE* - Syslog-ng PE will recreate the /var/log/messages file as long as create-dirs(yes) is called within either the destination statement or global options within the Syslog-ng PE configuration file (syslog-ng.conf).