随着时间的推移,我注意到一些日志,/var/log例如auth,kern并且messages变得越来越大。我logrotate为他们做了条目:
$ cat /etc/logrotate.d/auth.log
/var/log/kern.log {
rotate 5
daily
}
$ cat /etc/logrotate.d/kern.log
/var/log/kern.log {
rotate 5
daily
}
$ cat /etc/logrotate.d/messages
/var/log/messages {
rotate 5
daily
postrotate
/bin/killall -HUP syslogd
endscript
}
我也compress启用了该选项:
$ grep compress /etc/logrotate.conf
# uncomment this if you want your log files compressed
compress
这适用于auth.log和kern.log其他人,这意味着这些日志中的每一个都被压缩和旋转,并保留了最后 5 天的日志。/var/log/messages但是没有被压缩,导致日志超过 5 天:
$ ls /var/log/messages*
/var/log/messages /var/log/messages-20100213
/var/log/messages-20100201 /var/log/messages-20100214
/var/log/messages-20100202 /var/log/messages-20100215
/var/log/messages-20100203 /var/log/messages-20100216
/var/log/messages-20100204 /var/log/messages-20100217
/var/log/messages-20100205 /var/log/messages-20100218
/var/log/messages-20100206 /var/log/messages-20100219
/var/log/messages-20100207 /var/log/messages-20100220
/var/log/messages-20100208 /var/log/messages-20100221
/var/log/messages-20100209 /var/log/messages-20100222
/var/log/messages-20100210 /var/log/messages-20100223
/var/log/messages-20100211 /var/log/messages-20100224
/var/log/messages-20100212
正如在 ServerFault 上的另一个logrotate问题中所解释的那样,旧日志(很可能)不会被删除,因为每个文件的文件结尾不同。这似乎是因为文件没有被压缩。
我可以做些什么来/var/log/messages压缩和轮换保留最后 5 天的日志,就像我的所有其他日志文件一样?我错过了什么?
编辑1:前几个答案中要求的附加信息。
我正在运行 Gentoo Linux。我的/etc/logrotate.conf文件:
$ cat /etc/logrotate.conf
# $Header: /var/cvsroot/gentoo-x86/app-admin/logrotate/files/logrotate.conf,v 1.3 2008/12/24 20:49:10 dang Exp $
#
# Logrotate default configuration file for Gentoo Linux
#
# See "man logrotate" for details
# rotate log files weekly
weekly
#daily
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
compress
# packages can drop log rotation information into this directory
include /etc/logrotate.d
notifempty
nomail
noolddir
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
/etc/logrotate.d包含我上面提到的自定义配置文件以及这些软件包安装的 mysql、rsync 等配置。
我的根crontab是空的:
$ sudo crontab -l
no crontab for root
我检查了所有/etc/cron.{daily,hourly,monthly,weekly}与 syslog 相关的内容,并且有一个脚本可以旋转/var/log/syslog和/var/log/auth.log.
接下来,我按照 CarpeNoctem 的建议制作了一个/var/log/messages-onlylogrotate配置文件:
$ cat logrotate-messages
weekly
rotate 4
create
dateext
compress
notifempty
nomail
noolddir
/var/log/messages {
rotate 5
daily
postrotate
/bin/killall -HUP syslogd
endscript
}
然后我logrotate手动运行:
$ logrotate -d logrotate-messages -f
reading config file logrotate-messages
reading config info for /var/log/messages
Handling 1 logs
rotating pattern: /var/log/messages forced from command line (5 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/messages
log needs rotating
rotating log /var/log/messages, log->rotateCount is 5
dateext suffix '-20100224'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
glob finding old rotated logs failed
renaming /var/log/messages to /var/log/messages-20100224
creating new /var/log/messages mode = 0644 uid = 0 gid = 0
running postrotate script
running script with arg /var/log/messages : "
/bin/killall -HUP syslogd
"
compressing log with: /bin/gzip
$ which gzip
/bin/gzip
$ file /bin/gzip
/bin/gzip: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
根据上面logrotate的日志,用 /bin/gzip 压缩了日志,但是在/var/log. 此外,旧旋转文件的通配失败。
编辑 2 :在将后缀附加到旧文件logrotate后添加运行的调试输出。.gz/var/log/message-*
我们开始:
$ ls /var/log/messages*
/var/log/messages /var/log/messages-20100222.gz
/var/log/messages-20100219.gz /var/log/messages-20100223.gz
/var/log/messages-20100220.gz /var/log/messages-20100224.gz
/var/log/messages-20100221.gz
然后logrotate使用我们的自定义配置文件运行:
$ logrotate -d logrotate-messages -f
reading config file logrotate-messages
reading config info for /var/log/messages
Handling 1 logs
rotating pattern: /var/log/messages forced from command line (5 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/messages
log needs rotating
rotating log /var/log/messages, log->rotateCount is 5
dateext suffix '-20100224'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
removing /var/log/messages-20100219.gz
removing old log /var/log/messages-20100219.gz
destination /var/log/messages-20100224.gz already exists, skipping rotation
这一次,logrotate's glob 成功并找到了第六个压缩日志文件,打算将其删除。该文件实际上并未被删除;我想那是因为我们在调试模式下运行。
我很好奇启用该delaycompress选项是否/var/log/messages会有所帮助。我启用了它,第二天早上会检查结果。
添加
delaycompress到配置部分以/var/log/messages解决问题。来自
man logrotate:我想
sysklogd,我的 syslog 守护进程不能被告知关闭它的日志文件,因此这是必要的。有趣的是,我的原始配置(没有
delaycompress指令)直接来自man logrotate(除了我改为weekly)daily:仅凭这些信息很难说,但我可以告诉你是什么拯救了我几次。
Logrotate 有一个调试选项,可以将它所执行的每个步骤的逐个播放打印到标准输出。所以在这种情况下你可以这样做:
输出会告诉你到底发生了什么。此外,如果您想缩小调试输出范围,您可以这样做
尽管您可能希望暂时将主 logrotate.conf 选项放在该文件块中,因为直接指定文件意味着它永远不会读取主配置选项。指定单个文件还意味着您可以
-f结合使用 (force) 选项和 debug 选项来查看正在发生的消息文件的实际轮换。考虑在您的 logrotate.conf 中尝试此设置:
并重命名您现有的消息文件以使用点而不是破折号。然后再次尝试您的 logrotate。
下面的线索让我相信,如果破折号被以某种方式解释为一个选项(其中 -- 将解决这个问题),它可能会导致 glob 失败。这没有意义,但它可能是可能的。