随着时间的推移,我注意到/var/log某些日志,如auth , kern和messages越来越大。 我为他们做了logrotate条目:
$ cat /etc/logrotate.d/auth.log /var/log/kern.log { rotate 5 daily } $ cat /etc/logrotate.d/kern.log /var/log/kern.log { rotate 5 daily } $ cat /etc/logrotate.d/messages /var/log/messages { rotate 5 daily postrotate /bin/killall -HUP syslogd endscript }
我也有compress选项启用:
$ grep compress /etc/logrotate.conf # uncomment this if you want your log files compressed compress
这对于auth.log , kern.log和其他工作非常kern.log ,这意味着每个日志都被压缩并旋转,保留最后5天的日志。 /var/log/messages但是没有被压缩,导致超过5天的日志:
$ ls /var/log/messages* /var/log/messages /var/log/messages-20100213 /var/log/messages-20100201 /var/log/messages-20100214 /var/log/messages-20100202 /var/log/messages-20100215 /var/log/messages-20100203 /var/log/messages-20100216 /var/log/messages-20100204 /var/log/messages-20100217 /var/log/messages-20100205 /var/log/messages-20100218 /var/log/messages-20100206 /var/log/messages-20100219 /var/log/messages-20100207 /var/log/messages-20100220 /var/log/messages-20100208 /var/log/messages-20100221 /var/log/messages-20100209 /var/log/messages-20100222 /var/log/messages-20100210 /var/log/messages-20100223 /var/log/messages-20100211 /var/log/messages-20100224 /var/log/messages-20100212
正如在ServerFault的另一个logrotate问题中所解释的那样,旧日志(很有可能)没有被删除,因为每个文件的文件结尾都是不同的。 这似乎是因为这些文件没有被压缩。
我可以做什么来保留/var/log/messages与最后5天的日志一样被压缩和旋转,就像我所有的其他日志文件一样? 我错过了什么?
编辑1 :根据第一对夫妇的答案要求的其他信息。
我正在运行Gentoo Linux。 我的/etc/logrotate.conf文件:
$ cat /etc/logrotate.conf # $Header: /var/cvsroot/gentoo-x86/app-admin/logrotate/files/logrotate.conf,v 1.3 2008/12/24 20:49:10 dang Exp $ # # Logrotate default configuration file for Gentoo Linux # # See "man logrotate" for details # rotate log files weekly weekly #daily # keep 4 weeks worth of backlogs rotate 4 # create new (empty) log files after rotating old ones create # use date as a suffix of the rotated file dateext # uncomment this if you want your log files compressed compress # packages can drop log rotation information into this directory include /etc/logrotate.d notifempty nomail noolddir # no packages own lastlog or wtmp -- we'll rotate them here /var/log/wtmp { monthly create 0664 root utmp rotate 1 } /var/log/btmp { missingok monthly create 0600 root utmp rotate 1 }
/etc/logrotate.d包含我上面提到的自定义configuration文件,以及由这些包安装的mysql,rsync等的configs。
我的根crontab是空的:
$ sudo crontab -l no crontab for root
我检查了所有/etc/cron.{daily,hourly,monthly,weekly}与syslog有关的任何东西,还有一个脚本可以使/var/log/syslog和/var/log/auth.log旋转。
接下来,我根据CarpeNoctem的build议创build了一个/var/log/messages -only logrotateconfiguration文件:
$ cat logrotate-messages weekly rotate 4 create dateext compress notifempty nomail noolddir /var/log/messages { rotate 5 daily postrotate /bin/killall -HUP syslogd endscript }
然后我手动运行logrotate :
$ logrotate -d logrotate-messages -f reading config file logrotate-messages reading config info for /var/log/messages Handling 1 logs rotating pattern: /var/log/messages forced from command line (5 rotations) empty log files are not rotated, old logs are removed considering log /var/log/messages log needs rotating rotating log /var/log/messages, log->rotateCount is 5 dateext suffix '-20100224' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' glob finding old rotated logs failed renaming /var/log/messages to /var/log/messages-20100224 creating new /var/log/messages mode = 0644 uid = 0 gid = 0 running postrotate script running script with arg /var/log/messages : " /bin/killall -HUP syslogd " compressing log with: /bin/gzip $ which gzip /bin/gzip $ file /bin/gzip /bin/gzip: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
根据上面的日志, logrotate使用/ bin / gzip压缩日志,但是在/var/log中看不到压缩的消息文件。 此外,旧的旋转的文件globbing失败。
编辑2 :添加一个.gz后缀到旧/var/log/message-*文件后添加logrotate运行的debugging输出。
我们从下面开始:
$ ls /var/log/messages* /var/log/messages /var/log/messages-20100222.gz /var/log/messages-20100219.gz /var/log/messages-20100223.gz /var/log/messages-20100220.gz /var/log/messages-20100224.gz /var/log/messages-20100221.gz
然后用我们的自定义configuration文件运行logrotate :
$ logrotate -d logrotate-messages -f reading config file logrotate-messages reading config info for /var/log/messages Handling 1 logs rotating pattern: /var/log/messages forced from command line (5 rotations) empty log files are not rotated, old logs are removed considering log /var/log/messages log needs rotating rotating log /var/log/messages, log->rotateCount is 5 dateext suffix '-20100224' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' removing /var/log/messages-20100219.gz removing old log /var/log/messages-20100219.gz destination /var/log/messages-20100224.gz already exists, skipping rotation
这一次, logrotate的glob成功,find第六个压缩的日志文件,打算删除它。 该文件实际上并没有被删除; 我想这是因为我们在debugging模式下运行。
我很好奇启用/var/log/messages的delaycompress选项是否有帮助。 我启用它,并会在第二天早上检查结果。
添加delaycompress到/var/log/messages的configuration部分解决了这个问题。
从man logrotate :
delaycompress Postpone compression of the previous log file to the next rota‐ tion cycle. This only has effect when used in combination with compress. It can be used when some program cannot be told to close its logfile and thus might continue writing to the previ‐ ous log file for some time.
我猜sysklogd ,我的系统日志守护进程,不能告诉closures它的日志文件,因此这是必要的。
有趣的是,原来的configuration(没有delaycompress指令),直接从man logrotate (除了weekly更改为daily ):
# sample logrotate configuration file compress /var/log/messages { rotate 5 weekly postrotate /usr/bin/killall -HUP syslogd endscript }
只有这个信息很难说,但我可以告诉你什么救了我几次。
Logrotate有一个debugging选项,将打印标准输出每一步的播放。 所以在这种情况下,你可以这样做:
logrotate -d /etc/logrotate.conf
输出会告诉你到底发生了什么。 另外,如果你想缩小debugging输出你可以做的
logrotate -d /etc/logrotate.d/messages
虽然您可能需要暂时将主要的logrotate.conf选项放在该文件块中,因为直接指定文件意味着它永远不会读取主要的configuration选项。 指定单个文件还意味着可以将-f (强制)选项与debugging选项结合使用,以查看发生的消息文件的实际旋转情况。
考虑在你的logrotate.conf中尝试这个设置:
dateformat .%Y%m%d
并重命名您现有的消息文件使用点而不是短划线。 然后再次尝试你的logrotate。
下面的线索让我相信,如果某种意义上被解释为一个选项(在哪里可以解决这个问题),破折号可能会导致全局失败。 这没有意义,但它可能是可能的。
dateext suffix '-20100224' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' glob finding old rotated logs failed