Mike Mazur's questions

随着时间的推移，我注意到一些日志，/var/log例如auth，kern并且messages变得越来越大。我logrotate为他们做了条目：

$ cat /etc/logrotate.d/auth.log 
/var/log/kern.log {
    rotate 5
    daily
}
$ cat /etc/logrotate.d/kern.log 
/var/log/kern.log {
    rotate 5
    daily
}
$ cat /etc/logrotate.d/messages 
/var/log/messages {
    rotate 5
    daily
    postrotate
        /bin/killall -HUP syslogd
    endscript
}

我也compress启用了该选项：

$ grep compress /etc/logrotate.conf 
# uncomment this if you want your log files compressed
compress

这适用于auth.log和kern.log其他人，这意味着这些日志中的每一个都被压缩和旋转，并保留了最后 5 天的日志。/var/log/messages但是没有被压缩，导致日志超过 5 天：

$ ls /var/log/messages*
/var/log/messages           /var/log/messages-20100213
/var/log/messages-20100201  /var/log/messages-20100214
/var/log/messages-20100202  /var/log/messages-20100215
/var/log/messages-20100203  /var/log/messages-20100216
/var/log/messages-20100204  /var/log/messages-20100217
/var/log/messages-20100205  /var/log/messages-20100218
/var/log/messages-20100206  /var/log/messages-20100219
/var/log/messages-20100207  /var/log/messages-20100220
/var/log/messages-20100208  /var/log/messages-20100221
/var/log/messages-20100209  /var/log/messages-20100222
/var/log/messages-20100210  /var/log/messages-20100223
/var/log/messages-20100211  /var/log/messages-20100224
/var/log/messages-20100212

正如在 ServerFault 上的另一个logrotate问题中所解释的那样，旧日志（很可能）不会被删除，因为每个文件的文件结尾不同。这似乎是因为文件没有被压缩。

我可以做些什么来/var/log/messages压缩和轮换保留最后 5 天的日志，就像我的所有其他日志文件一样？我错过了什么？

编辑1：前几个答案中要求的附加信息。

我正在运行 Gentoo Linux。我的/etc/logrotate.conf文件：

$ cat /etc/logrotate.conf 
# $Header: /var/cvsroot/gentoo-x86/app-admin/logrotate/files/logrotate.conf,v 1.3 2008/12/24 20:49:10 dang Exp $
#
# Logrotate default configuration file for Gentoo Linux
#
# See "man logrotate" for details
# rotate log files weekly
weekly
#daily
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
compress
# packages can drop log rotation information into this directory
include /etc/logrotate.d
notifempty
nomail
noolddir
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

/etc/logrotate.d包含我上面提到的自定义配置文件以及这些软件包安装的 mysql、rsync 等配置。

我的根crontab是空的：

$ sudo crontab -l
no crontab for root

我检查了所有/etc/cron.{daily,hourly,monthly,weekly}与 syslog 相关的内容，并且有一个脚本可以旋转/var/log/syslog和/var/log/auth.log.

接下来，我按照 CarpeNoctem 的建议制作了一个/var/log/messages-onlylogrotate配置文件：

$ cat logrotate-messages 
weekly
rotate 4
create
dateext
compress
notifempty
nomail
noolddir
/var/log/messages {
    rotate 5
    daily
    postrotate
        /bin/killall -HUP syslogd
    endscript
}

然后我logrotate手动运行：

$ logrotate -d logrotate-messages -f
reading config file logrotate-messages
reading config info for /var/log/messages 

Handling 1 logs

rotating pattern: /var/log/messages  forced from command line (5 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/messages
  log needs rotating
rotating log /var/log/messages, log->rotateCount is 5
dateext suffix '-20100224'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
glob finding old rotated logs failed
renaming /var/log/messages to /var/log/messages-20100224
creating new /var/log/messages mode = 0644 uid = 0 gid = 0
running postrotate script
running script with arg /var/log/messages : "
        /bin/killall -HUP syslogd
"
compressing log with: /bin/gzip
$ which gzip
/bin/gzip
$ file /bin/gzip
/bin/gzip: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped

根据上面logrotate的日志，用 /bin/gzip 压缩了日志，但是在/var/log. 此外，旧旋转文件的通配失败。

编辑 2 ：在将后缀附加到旧文件logrotate后添加运行的调试输出。.gz/var/log/message-*

我们开始：

$ ls /var/log/messages*
/var/log/messages              /var/log/messages-20100222.gz
/var/log/messages-20100219.gz  /var/log/messages-20100223.gz
/var/log/messages-20100220.gz  /var/log/messages-20100224.gz
/var/log/messages-20100221.gz

然后logrotate使用我们的自定义配置文件运行：

$ logrotate -d logrotate-messages -f
reading config file logrotate-messages
reading config info for /var/log/messages 

Handling 1 logs

rotating pattern: /var/log/messages  forced from command line (5 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/messages
  log needs rotating
rotating log /var/log/messages, log->rotateCount is 5
dateext suffix '-20100224'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
removing /var/log/messages-20100219.gz
removing old log /var/log/messages-20100219.gz
destination /var/log/messages-20100224.gz already exists, skipping rotation

这一次，logrotate's glob 成功并找到了第六个压缩日志文件，打算将其删除。该文件实际上并未被删除；我想那是因为我们在调试模式下运行。

我很好奇启用该delaycompress选项是否/var/log/messages会有所帮助。我启用了它，第二天早上会检查结果。

在我的工作站上，我注意到我的网络利用率很高且稳定，即使我目前没有任何下载。我启动 iftop 并在顶部看到以下条目：

255.255.255.255:bootps     =>  * :bootpc                    0b      0b      0b
                           <=                             133Kb   162Kb   163Kb

实际下载速度在 70Kb 到 170Kb 或更多之间变化。bootps 是 67 端口，bootpc 是 68 端口。

我不知道这可能是什么。有没有人见过这个？此 LAN 上的某些系统是否出现故障？