Practical Tips: Use Logrotate to manage system logs

Source: Internet
Author: User
Tags syslog

For Linux system security, log files are extremely important tools. The system administrator can use the logrotate program to manage the latest events in the system. Logrotate can also be used to back up log files. This article will introduce the following parts...

Log File Management:

1. logrotate Configuration
2. logrotate is configured by default.
3. Use the include option to read other configuration files
4. Use the include option to overwrite the default configuration
5. Configure dump parameters for the specified file

1. logrotate Configuration

The logrotate program is a log file management tool. It is used to delete the old log file and create a new log file. We call it a "dump ". We can dump the logs based on the log file size or the number of days. This process is generally executed by the cron program.

The logrotate program can also be used to compress log files and send logs to the specified email.

The logrotate configuration file is/etc/logrotate. conf. The main parameters are as follows:

Parameter Functions

Compress compresses logs after dumping through gzip
This parameter is used when nocompress does not require compression.
Copytruncate is used to back up and truncate the current log file that is still being opened.
Nocopytruncate backs up log files but does not truncate
Create mode owner group dump file, create a new log file using the specified file mode
Nocreate does not create a new Log File
When delaycompress and compress are used together, the dumped log files are compressed only when they are transferred to the next dump.
Nodelaycompress overwrites the delaycompress option, and the dump is compressed at the same time.
The error message sent to the specified Email address when the errors address exists
Ifempty dumps even empty files. This is the default logrotate option.
Notifempty is not dumped if it is an empty file
Mail address sends the dumped log file to the specified E-mail address
Do not send log files when nomail dump
The log file after the olddir directory is dumped is placed in the specified directory and must be in the same file system as the current log file.
The log file after noolddir dumping and the current log file are placed in the same directory
Prerotate/endscript can put this pair of commands that need to be executed before dumping. These two keywords must be in a separate line.
Postrotate/endscript can be placed into this pair of commands to be executed after the dump. These two keywords must be entered separately.
Daily indicates that the dump cycle is daily.
Weekly indicates that the dump cycle is weekly.
Monthly specifies the dump cycle as per month
Rotate count indicates the number of dump times before the log file is deleted. 0 indicates no backup, and 5 indicates five backups are retained.
Tabootext [+] list to prevent logrotate from dumping files with the specified extension. The default extension is. rpm-orig,. rpmsave, v, and ~
Size: dump a log file only when it reaches the specified Size. size can specify bytes (default), KB (sizek), or MB (sizem ).

2. logrotate is configured by default.

What is the default configuration of logrotate? /Etc/logrotate. conf.

The default installation file content of Red Hat Linux is:

# See "man logrotate" for details
# Rotate log files weekly
Weekly
# Keep 4 weeks worth of backlogs
Rotate 4
# Send errors to root
Errors root
# Create new (empty) log files after rotating old ones
Create
# Uncomment this if you want your log files compressed
# Compress
1
# RPM packages drop log rotation information into this directory
Include/etc/logrotate. d
# No packages own lastlog or wtmp -- we'll rotate them here
/Var/log/wtmp {
Monthly
Create 0664 root utmp
Rotate 1
}
/Var/log/lastlog {
Monthly
Rotate 1
}
# System-specific logs may be configured here

The default configuration is generally placed at the beginning of the logrotate. conf file, affecting the entire system. In this example, the first 12 rows are displayed.

Row 3
Weekly specifies that all log files are dumped once a week.

Fifth line
Rotate 4 specifies four copies of the dump.

Row 7
Errors root specifies the error message to be sent to the root user.

Row 9
Create specifies that logrotate automatically creates a new log file. The new log file has the same permissions as the original file.

Row 11th # compress specifies not to compress the dump file. If compression is required, remove the comment.

3. Use the include option to read other configuration files

The include option allows the system administrator to centralize the dump information distributed to several files

Main configuration file. When logrotate reads the include option from logrotate. conf, it reads the configuration information from the specified file, as if they are already in/etc/logrotate. conf.

Row 3: include/etc/logrotate. d. Tell logrotate to read data in/etc/logrotate. d directory. When the RPM package is installed in the system, the include option is very useful. The log dump parameters of the RPM package are generally stored in the/etc/logrotate. d directory.

The include option is very important. Some applications store the log dump parameter in/etc/logrotate. d.

Typical applications include apache, linuxconf, samba, cron, and syslog.

In this way, the system administrator only needs to manage a/etc/logrotate. conf file.

4. Use the include option to overwrite the default configuration

When/etc/logrotate. conf reads a file, the dump parameter in the file specified by include will overwrite the default parameter, as shown in the following example:

# Linuxconf Parameters
/Var/log/htmlaccess. log
{Errors jim
Notifempty
Nocompress
Weekly
Prerotate
/Usr/bin/chattr-a/var/log/htmlaccess. log
Endscript
Postrotate
/Usr/bin/chattr + a/var/log/htmlaccess. log
Endscript
}
/Var/log/netconf. log
{Nocompress
Monthly
}

In this example, when the/etc/logrotate. d/linuxconf file is read, the following parameters will overwrite the default parameters in/etc/logrotate. conf.

Notifempty
Errors jim

5. Configure dump parameters for the specified file

You often need to configure parameters for the specified file. A common example is to dump/var/log/wtmp every month. The parameter format used for a specific file is:

# Note
/Full/path/to/file
{
Option (s)
}
The following example is a monthly dump of/var/log/wtmp:
# Use logrotate to rotate wtmp
/Var/log/wtmp
{
Monthly
Rotate 1
}

Vi. Other issues needing attention

1. Although the beginning of the curly braces can be placed on the same line as other texts, the curly braces at the end must be arranged separately.

2. Use the prerotate and postrotate options

The following is a typical script/etc/logrotate. d/syslog.

/Var/log/messages is valid.
/Var/log/messages
{
Prerotate
/Usr/bin/chattr-a/var/log/messages
Endscript
Postrotate
/Usr/bin/kill-HUP syslogd
/Usr/bin/chattr + a/var/log/messages
Endscript
}

The first line specifies that the script is valid for/var/log messages

/Var/log/messages

The prerotate command specifies the previous Dumping Action/usr/bin/chattr-a to remove the "only append" attribute of the/var/log/messages file. The endscript end the prerotate part of the script postrotate specifies action

/Usr/bin/killall-HUP syslogd

Used to reinitialize the system log daemon syslogd

/Usr/bin/chattr + a/var/log/messages

Specify the "APPEND only" attribute for the/var/log/messages file to prevent programmers or users from overwriting the file.

The final endscript is used to end the postrotate part.

3. logrotate is run in three steps:

Determine the System Log File, establish the dump plan and parameters, and run the following code through cron daemon: Red Hat Linux default crontab to run logrotate every day.

#/Etc/cron. daily/logrotate
#! /Bin/sh
/Usr/sbin/logrotate/etc/logrotate. conf

4./var/log/messages:

This is rare, but if you disable port 514/UDP in/etc/services, this file will not be generated.

Summary: This article introduces the typical logrotate configuration example on the Red Hat system, and details the application method of the logrotate program. We hope to help all Linux system administrators. Good Management and Analysis of log files are the first step in system security. In future articles, FreeLAMP will introduce another good logcheck for checking logs.

Related Articles]

  • Configure DNS server logs in Linux
  • Firewall log wizard of the system administrator
  • Adjust the size of the log audit file

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.