My Linux logrotate and my huges log files

Question

I can see a few huge log files in my server:

stephane@data:~$ ls -lS /var/log
total 55G
-rw-r----- 1 root              15G août   9 23:32 syslog.1
-rw-r----- 1 root              15G août   9 23:32 mail.log.1
-rw-r----- 1 root              15G août   9 23:32 mail.info.1
-rw-r----- 1 root              12G août   9 23:32 mail.warn.1
-rw-r----- 1 root             286M août   9 22:21 mail.err.1
-rw-r----- 1 root              82M août   9 10:32 daemon.log.1
-rw-r----- 1 root             2,0M août   9 23:32 messages.1
-rw-r----- 1 root             1,8M août   9 23:31 auth.log.1
-rw-r----- 1 root             1,7M nov.  14  2016 daemon.log.4.gz
-rw-r----- 1 root             1,7M nov.  28  2016 daemon.log.2.gz
-rw-r----- 1 root             1,5M août   8 04:38 user.log.1
-rw-rw-r-- 1 root             1,4M août   9 23:31 lastlog
-rw-r----- 1 root             1,3M nov.  20  2016 daemon.log.3.gz
-rw-r----- 1 root             659K août   9 09:57 kern.log.1
-rw-r----- 1 root             466K août   9 23:42 syslog

I see the logrotate utility is installed on the server:

stephane@data:~$ cat /etc/cron.daily/logrotate
#!/bin/sh

test -x /usr/sbin/logrotate || exit 0
/usr/sbin/logrotate /etc/logrotate.conf

And it has some configuration files:

stephane@data:~$ ll /etc/logrotate.d
total 52K
-rw-r--r-- 1 root 433 nov.  28  2015 apache2
-rw-r--r-- 1 root 173 oct.  17  2014 apt
-rw-r--r-- 1 root  79 nov.   7  2012 aptitude
-rw-r--r-- 1 root 113 mai   24  2013 cron-apt
-rw-r--r-- 1 root 232 juin   5  2014 dpkg
-rw-r--r-- 1 root 313 mars  19  2014 fail2ban
-rw-r--r-- 1 root 847 janv. 27  2016 mysql-server
-rw-r--r-- 1 root 330 févr. 10  2016 nginx
-rw-r--r-- 1 root 152 mars  14  2016 php5-fpm
-rw-r--r-- 1 root 126 juin   8  2012 redis-server
-rw-r--r-- 1 root 162 mai   26  2012 rkhunter
-rw-r--r-- 1 root 553 août   9 23:38 rsyslog
-rw-r--r-- 1 root 235 juin  15  2015 unattended-upgrades

I see one of these configuration files should be doing the cleaning up:

stephane@data:~$ cat /etc/logrotate.d/rsyslog
/var/log/syslog
{
    rotate 4
    daily
        size 1024k
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
    rotate 4
    weekly
        size 1024k
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}

Running the logrotate utility seems to be fine:

stephane@data:~$ sudo /usr/sbin/logrotate /etc/logrotate.conf

How can I see if the logrotate has run today ?

How can I have logrotate take care of these 3 huges files ?

Thanks for any directions.

G-Man Says 'Reinstate Monica' · Accepted Answer · 2017-08-10 15:42:38Z

0

I see you don't have the cron logs enabled, or at least the standard file is missing. That most probably means that the cron entry in /etc/syslog.conf or /etc/rsyslog.conf is commented. I will use the rsyslog.conf example from now on, but your system might use the old syslog daemon with the old syslog.conf file.

Please edit that file and find the entry starting with cron and uncomment it if it's commented. Mine was on a Debian stable system, like this:

cron.*                         /var/log/cron.log

After you modify and save the file, exit and restart the syslog/rsyslog service like this:

systemctl restart rsyslog

or, on older versions with the init system, like this:

/etc/init.d/rsyslog restart

and create the log file like this:

> /var/log/cron

and new entries for your cron daemon should go there too.

Please check your rsyslog.conf file to see if there are other entries that redirect cron messages elsewhere. I had this in mine:

*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

and that means that several types of messages, including ones coming from cron, are all sent to the file /var/log/messages, and you might have your answer there already.

Depending on your Linux distro, your file names may vary.

edited Aug 10, 2017 at 15:42

G-Man Says 'Reinstate Monica'

7,86722 gold badges41 silver badges87 bronze badges

answered Aug 10, 2017 at 9:43

user3761842

1

Yes, the #cron.* /var/log/cron.log entry was commented out in the /etc/rsyslog.conf file. I removed its uncommented. I then restarted the sudo /etc/init.d/rsyslog restart service and it displayed [....] Restarting rsyslog (via systemctl): rsyslog.service but it hanged there, and never gave me the prompt back. Checking the status showed me it had been restarted though: sudo /etc/init.d/rsyslog status Active: active (running) since jeu. 2017-08-10 14:38:06 CEST; 1min 4s ago.
– Stephane
Commented Aug 10, 2017 at 12:40
I then created the sudo touch /var/log/cron file and it is empty for now. I'm on a Linux data 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u5 x86_64 GNU/Linux system.
– Stephane
Commented Aug 10, 2017 at 12:40
Do you have the other line with cron in rsyslog? The one that appends everything to /var/log/messages? Again, your distro may send it to somewhere else. I'd check that too to see if cron maybe puts messages there already and then we don't bother with the /var/log/cron.log file Please also check the permissions of the other files in /var/log and if different, adjust the permissions to cron.log file Check also /var/log/messages for errors as to why rsyslog doesn't restart...
– user3761842
Commented Aug 10, 2017 at 16:57
Yes I think the other cron entry you mention is: *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -/var/log/messages. I also just checked the rsyslog status again and I can see this warning: Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
– Stephane
Commented Aug 29, 2017 at 8:12
Now, I just tried to restart sudo /etc/init.d/rsyslog restart but it hangs, and the status is not updated sudo /etc/init.d/rsyslog status gives Active: active (running) since jeu. 2017-08-10 14:44:01 CEST; 2 weeks 4 days ago and watching the log file tail -200f /var/log/messages outputed absolutely nothing to the file. Of course I'm root in all those shells.
– Stephane
Commented Aug 29, 2017 at 8:24

| Show 1 more comment

user3761842 · Accepted Answer · 2017-08-31 21:18:45Z

On a quick search over the internet regarding that error I found it's a debian jessie bug that is strangely similar with your situation and it involves reading from /dev/xconsole.

Do you have something like this in your conf file?

daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn   |/dev/xconsole

I'm not sure I can add links but check: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745492 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742113

Hope it helps.

Stack Exchange Network

My Linux logrotate and my huges log files

2 Answers 2

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
linux
logrotate
.

Hot Network Questions

My Linux logrotate and my huges log files

2 Answers 2

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged linuxlogrotate.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
linux
logrotate
.