随着时间的推移,我注意到一些日志(/var/log例如和auth)变得越来越大。我为它们做了一些记录:kernmessageslogrotate
$ cat /etc/logrotate.d/auth.log
/var/log/kern.log {
rotate 5
daily
}
$ cat /etc/logrotate.d/kern.log
/var/log/kern.log {
rotate 5
daily
}
$ cat /etc/logrotate.d/messages
/var/log/messages {
rotate 5
daily
postrotate
/bin/killall -HUP syslogd
endscript
}
我还compress启用了以下选项:
$ grep compress /etc/logrotate.conf
# uncomment this if you want your log files compressed
compress
这对 和其他系统非常有用auth.log,kern.log这意味着每个日志都经过 gzip 压缩并轮换,并保留最近 5 天的日志。/var/log/messages然而不是经过压缩,结果远超 5 天的日志:
$ ls /var/log/messages*
/var/log/messages /var/log/messages-20100213
/var/log/messages-20100201 /var/log/messages-20100214
/var/log/messages-20100202 /var/log/messages-20100215
/var/log/messages-20100203 /var/log/messages-20100216
/var/log/messages-20100204 /var/log/messages-20100217
/var/log/messages-20100205 /var/log/messages-20100218
/var/log/messages-20100206 /var/log/messages-20100219
/var/log/messages-20100207 /var/log/messages-20100220
/var/log/messages-20100208 /var/log/messages-20100221
/var/log/messages-20100209 /var/log/messages-20100222
/var/log/messages-20100210 /var/log/messages-20100223
/var/log/messages-20100211 /var/log/messages-20100224
/var/log/messages-20100212
正如解释的那样关于 ServerFault 的另一个logrotate问题,旧日志(很可能)没有被删除,因为每个文件的文件结尾都不同。这似乎是因为文件没有被 gzip 压缩。
我该怎么做才能/var/log/messages像其他所有日志文件一样保留最近 5 天的日志并进行压缩和轮换?我遗漏了什么?
编辑1:前几个答案中所要求的附加信息。
我正在运行 Gentoo Linux。我的/etc/logrotate.conf文件:
$ cat /etc/logrotate.conf
# $Header: /var/cvsroot/gentoo-x86/app-admin/logrotate/files/logrotate.conf,v 1.3 2008/12/24 20:49:10 dang Exp $
#
# Logrotate default configuration file for Gentoo Linux
#
# See "man logrotate" for details
# rotate log files weekly
weekly
#daily
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
compress
# packages can drop log rotation information into this directory
include /etc/logrotate.d
notifempty
nomail
noolddir
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
/etc/logrotate.d包含我上面提到的自定义配置文件以及这些包安装的 mysql、rsync 等的配置。
我的根crontab是空的:
$ sudo crontab -l
no crontab for root
我检查了所有/etc/cron.{daily,hourly,monthly,weekly}与 syslog 相关的内容,发现有一个可以旋转的/var/log/syslog脚本/var/log/auth.log。
接下来,我按照 CarpeNoctem 的建议制作了一个/var/log/messages仅配置文件:logrotate
$ cat logrotate-messages
weekly
rotate 4
create
dateext
compress
notifempty
nomail
noolddir
/var/log/messages {
rotate 5
daily
postrotate
/bin/killall -HUP syslogd
endscript
}
然后我logrotate手动运行:
$ logrotate -d logrotate-messages -f
reading config file logrotate-messages
reading config info for /var/log/messages
Handling 1 logs
rotating pattern: /var/log/messages forced from command line (5 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/messages
log needs rotating
rotating log /var/log/messages, log->rotateCount is 5
dateext suffix '-20100224'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
glob finding old rotated logs failed
renaming /var/log/messages to /var/log/messages-20100224
creating new /var/log/messages mode = 0644 uid = 0 gid = 0
running postrotate script
running script with arg /var/log/messages : "
/bin/killall -HUP syslogd
"
compressing log with: /bin/gzip
$ which gzip
/bin/gzip
$ file /bin/gzip
/bin/gzip: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
根据上面的日志,logrotate使用 /bin/gzip 压缩了日志,但我没有看到压缩的消息文件/var/log。此外,旧的轮换文件的通配符失败。
编辑2:在旧文件logrotate附加后缀后添加运行的调试输出。.gz/var/log/message-*
我们首先要说的是:
$ ls /var/log/messages*
/var/log/messages /var/log/messages-20100222.gz
/var/log/messages-20100219.gz /var/log/messages-20100223.gz
/var/log/messages-20100220.gz /var/log/messages-20100224.gz
/var/log/messages-20100221.gz
然后logrotate使用我们的自定义配置文件运行:
$ logrotate -d logrotate-messages -f
reading config file logrotate-messages
reading config info for /var/log/messages
Handling 1 logs
rotating pattern: /var/log/messages forced from command line (5 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/messages
log needs rotating
rotating log /var/log/messages, log->rotateCount is 5
dateext suffix '-20100224'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
removing /var/log/messages-20100219.gz
removing old log /var/log/messages-20100219.gz
destination /var/log/messages-20100224.gz already exists, skipping rotation
这次,logrotateglob 成功找到第六个压缩日志文件,打算将其删除。该文件实际上并没有被删除;我猜那是因为我们在调试模式下运行。
我很好奇启用该delaycompress选项是否/var/log/messages有帮助。我启用了它,并将在第二天早上检查结果。
答案1
添加delaycompress到配置部分即可/var/log/messages解决问题。
从man logrotate:
delaycompress
Postpone compression of the previous log file to the next rota‐
tion cycle. This only has effect when used in combination with
compress. It can be used when some program cannot be told to
close its logfile and thus might continue writing to the previ‐
ous log file for some time.
我猜sysklogd,我的 syslog 守护进程,无法被告知关闭其日志文件,因此这是必要的。
有趣的是,我原来的配置(没有指令delaycompress)直接来自man logrotate(除了我改为weekly)daily:
# sample logrotate configuration file
compress
/var/log/messages {
rotate 5
weekly
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
答案2
仅凭这些信息很难说,但我可以告诉你是什么救了我几次。
Logrotate 有一个调试选项,它会将执行的每个步骤逐个打印到标准输出。因此,在这种情况下,您可以执行以下操作:
logrotate -d /etc/logrotate.conf
输出将告诉你到底发生了什么。此外,如果你想缩小调试输出的范围,你可以这样做
logrotate -d /etc/logrotate.d/messages
尽管您可能希望将主 logrotate.conf 选项暂时放在该文件块中,因为直接指定文件意味着它永远不会读取主配置选项。指定单个文件还意味着您可以将-f(force) 选项与调试选项结合使用,以查看正在发生的消息文件的实际轮换。
答案3
考虑在 logrotate.conf 中尝试此设置:
dateformat .%Y%m%d
并将现有消息文件重命名为使用点而不是破折号。然后再次尝试 logrotate。
下面的线索让我相信,如果破折号以某种方式被解释为选项(其中 -- 可以解决这个问题),它可能会导致 glob 失败。这没有意义,但有可能。
dateext suffix '-20100224'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
glob finding old rotated logs failed