Tag Archives: syslog

Change syslog rotation on Debian

Posted on by

I was a bit confused as to why my /var/log/syslog was getting rotated every day, while everything else was weekly, or handled directly by a specific configuration in /etc/logrotate.d/.

The script at /etc/cron.daily/syslogd will rotate all files that are the output syslogd-listfiles each day. The same script at /etc/cron.weekly/syslogd will rotate all files that are the output of syslogd-listfiles --weekly on a weekly basis.

syslogd-listfiles is controlled by /etc/syslog.conf. Near the top of the configuration file, you’ll see the configuration for syslog:

*.*;auth,authpriv.none    -/var/log/syslog

The “*.*” is an ‘everything’ directive (see my $everything in /usr/sbin/syslogd-listfiles). My goal was to preserve my syslog for more than seven days since it is a relatively inactive machine. I ended up adding a new directive to allow the syslog (and auth) messages to be logged and rotated every day, and logged to syslog which will only be rotated once a week.

*.*;auth,authpriv.none     -/var/log/syslog_everything
syslog.*;auth,authpriv.none      -/var/log/syslog

It might be a bit clumsy but it solves my two problems, by creating two syslogs.

  • I need *.* to be logged somewhere as a catchall
  • I want syslog to be rotated only once a week

You definitely do not want to do this on a busy machine, but if your syslogs are not that big and you want to keep them around a while, this is a good way to accomplish that.

Preventing Daily mail.log rotation on Debian

Posted on by

My preference for server side Linux is Debian 4. As with most distributions, most of the system files are rotated on a daily, weekly, and monthly basis by logrotate. For example, in Debian the log files for apache2, aptitude, and clamav are all handled by logrotate, and the configuration files are located in /etc/logrotate.d/
/var/log/apache2/*.log {
monthly
missingok
rotate 24
compress
delaycompress
notifempty
create 640 root www-data
sharedscripts
postrotate
if [ -f /var/run/apache2.pid ]; then
/etc/init.d/apache2 restart > /dev/null
fi
endscript
}

I was finding that my postfix log, mail.log, was getting rotated more often, even though it was really not very large. Sometimes it would rotate every day, sometimes every two days. But I couldn’t find any logrotate config files for the postfix logs. After a bit of searching I discovered that the mail facilities are handled by savelog, which operates in sysklogd. sysklogd is a script that runs in the daily cron at /etc/cron.daily/sysklogd.

A bit of the script is here, and you can see the savelog command:

cd /var/log
for LOG in `syslogd-listfiles`
do
if [ -s $LOG ]; then
savelog -g adm -m 640 -u root -c 7 $LOG >/dev/null
fi
done

So what is syslogd-listfiles? It will show you all files that are to be logged with syslogd.

silver:/etc/cron.daily# syslogd-listfiles --all
/var/log/mail.warn
/var/log/uucp.log
/var/log/user.log
/var/log/daemon.log
/var/log/messages
/var/log/debug
/var/log/auth.log
/var/log/mail.err
/var/log/syslog
/var/log/mail.log
/var/log/mail.info
/var/log/kern.log
/var/log/lpr.log