Difference between revisions of "Limit the size of .log files & the journal"
Views
Actions
Namespaces
Variants
Tools
imported>Handy |
imported>Handy |
||
Line 106: | Line 106: | ||
The Systemd Journal is capable of advanced functions beyond what has been mentioned here. The above is very good food for thought for people that are wondering if they need to be running '''syslog-ng''' or the like that creates most of the '''/var/log/*log''' files on their systems. | The Systemd Journal is capable of advanced functions beyond what has been mentioned here. The above is very good food for thought for people that are wondering if they need to be running '''syslog-ng''' or the like that creates most of the '''/var/log/*log''' files on their systems. | ||
By experimenting with the above commands one can make an informed decision for themselves, though as mentioned at the beginning of the Journal section, Arch & therefore Manjaro still | By experimenting with the above commands one can make an informed decision for themselves, though as mentioned at the beginning of the Journal section, Arch & therefore Manjaro still run both the new systemd journal & the old style log file system in parallel. So if you find the /var/log/*log files to be redundant & you want to be rid of them, various methods would be effective. I'm currently using /etc/cron.hourly & a script in the /etc/logrotate.d directory. I'll write further on this later. | ||
= Managing /var/log/* files = | = Managing /var/log/* files = |
Revision as of 02:35, 25 August 2013
Introduction
NOTE: This page is still a work in progress.
Log files & the systemd journal do the same thing in different ways. They keep a record of everything that happens on your computer system. This makes it possible to understand what is going right & what is going wrong. As an example, if your system had been infiltrated by an ssh attack, this could be verified in the log/journal. So these log files are good for more than tracking troublesome hardware, or driver problems, badly written network manager code or the plethora of other problems that the complex & dynamic GNU/Linux system has to deal with.
These logs are an absolute blessing, as not all systems have them, & any server administrators who does have them would be very grateful as they can be the bread & butter of what they do.
Generally only server administrators have use for logs that go back any length of time. Few users who run distros on their desktop, Notebook, Netbook... machines, need to keep such huge log files, histories going back for many months or even years, on their system, are a waste of space & also makes viewing your log files more cumbersome.
The first topic on this page will briefly cover the systemd journal
The systemd journal has taken the place of log files though it will happily run in parallel with the standard type log files. These are still created & maintained by default in Arch & Manjaro, which means that even if you delete syslog-ng & all of the /var/log/*log files on reboot you will find the log files have been automatically created again, this will change in the future.
The second topic will cover handling log files
This topic will go into far more depth, it will covering the use of the logrotate command, logrotate.conf, the /etc/cron.daily cron.weekly cron.monthly cron.yearly, some ways to run created scripts, & a mention of the crontab method of running a script also. I'll try to make this section accessible to as many people as possible, which means this will be a long page.
The journal & the logs duplicate the same information
You can read the text of the log files in a text editor, or using the cat, more, less & such commands as you would on any other text file. The journal on the other hand requires the journalctl command to be able to access its contents. The following is a good way to read the journal:
sudo journalctl
How to set a maximum size limit for the journal
You need to use your text editor with root priviliges, starting it with sudo will do the job.
With a simple edit of the /etc/systemd/journald.conf you can set the maximum size limit of the /var/log/journal .
- Uncomment the following line & add the size limit that you want. I set mine to 50MB like this:
SystemMaxUse=50M
After a reboot, you should find that your journal is now somewhat less than 50MB (or whatever limit you set), as it needs to have some working space. Mine went to 38M from 391M.
See the troubleshooting section if the above did not work for you.
The Journalctl command - a quick reference [1]
Add user to adm group, gives <user> full use of the journalctl command:
# usermod -a -G adm handy
Access to full journal containing info from the system & users:
$ journalctl
Live view, shows the last 10 lines of the journal & all content as it happens:
$ journalctl -f
Basic filtering:
Shows all output to the journal since the last boot:
$ journalctl -b
Shows all output with priority level ERROR & worse, since last boot:
$ journalctl -b -p err
Filtering based on time:
Since yesterday:
$ journalctl --since=yesterday
Give a specific time period:
$ journalctl --since=2012-10-15 --until="2011-10-16 23:59:59"
Pick a specific service & time period:
$ journalctl -u httpd --since=00:00 --until=9:30
Point journalctl at specific devices, services, binaries
Look at a specific device:
$ journalctl /dev/sdc
Check on a binary:
$ journalctl /usr/sbin/vpnc
Check on the interlieved output from two specifics:
$ journalctl /usr/sbin/vpnc /usr/sbin/dhclient
Show all systemd units that have been started in your journal:
$ journalctl -F _SYSTEMD_UNIT
You can then interrogate the journal specifying any of those units.
A summation
The Systemd Journal is capable of advanced functions beyond what has been mentioned here. The above is very good food for thought for people that are wondering if they need to be running syslog-ng or the like that creates most of the /var/log/*log files on their systems.
By experimenting with the above commands one can make an informed decision for themselves, though as mentioned at the beginning of the Journal section, Arch & therefore Manjaro still run both the new systemd journal & the old style log file system in parallel. So if you find the /var/log/*log files to be redundant & you want to be rid of them, various methods would be effective. I'm currently using /etc/cron.hourly & a script in the /etc/logrotate.d directory. I'll write further on this later.
Managing /var/log/* files
Introducing Logrotate & friends
What is this Logrotate? [2] logrotate is a powerful tool used to manage the log files created by system processes. It can be instructed to automatically compress, rename in a variety of ways, remove logs, to do all of this & more in a way that maximizes the convenience of logs & conserves your system's resources. An enormous amount of control is available to users including running scripts on your rotated files.
A problem I face in trying to make this article about logrotate as simple as possible is that logrotate can be called in so many ways, & these ways are not mutually exclusive.
For example, logrotate can be called to run on a file, or multiple files in any combination or multiple of hourly, daily, weekly, monthly & yearly, via scripts placed in the /etc/ in the already existing directories hourly daily weekly monthly the yearly directory can be added if required. crontab [3] can be used to run logrotate or scripts as complex as a person needs. logrotate can be combined with other tools in anyway that a user can come up with to process these rotated files at any time & frequency.
The scope of this article
That said, much of the power of logrotate is for the benefit of those administering servers & will not be dealt with in the following. Though what we will deal with can be used on more than just our log files. We can use logrotate to backup any other files that we choose. I will expand on this at a later date.
/etc/logrotate.conf & /etc/logrotate.d
The logrotate.conf configuration file largely dictates logrotate's behaviour, it holds global settings, but most of the work that logrotate does is via script files stored in the /etc/logrotate.d directory, which take precedence over the global settings held in logrotate.conf.
Applications such as Apache, MySQL, Cups & others, put scripts into the /etc/logrotate.d directory to manage their log files.
If you manually run the command sudo logrotate, you will be presented with its usage template. logrotate needs you to specify the path to the script that you want it to use, including the logrotate.conf file which one may think due to its name would be automatically read, it is not.
To run logrotate & the logrotate.conf file you use the following command line:
logrotate /etc/logrotate.conf
Can I store & run my script files elsewhere?
A line exists in logrotate.conf that tells logrotate to run all of the scripts that exist in /etc/logrotate.d
include /etc/logrotate.d
We can use the include command in logrotate.conf to add other directories or use another directory instead of logrotate.d if we have reason to. Be careful what you do as there are files placed into the logrotate.d directory by other programs.
My settings in logrotate.conf don't effect all of the .log files?
Script files that are called via the logrotate.conf file take precedence over the global settings in logrotate.conf . That means that if you call a script from logrotate.conf that is located in the /etc/logrotate.d directory, then that script is more powerful than any of the global setting in logrotate.conf .
I use a script /etc.logrotate.d/rotate.logs that is set to work on all *.log files, & it does. The two that don't get rotated are called faillog & lastlog , apart from not having the .log file extension, these two files are not normal log files, they are accessed via terminal commands of the same name.
Can I store my scripts where I want?
Some applications such as Apache cups, drop scripts into /etc/logrotate.d to aid in their own self maintenance. We can use a location of our choosing for these or other scripts if we want. We just have to call its path in the /etc/logrotate.conf file, the same way, as shown in the following example:
include /home/handy/.config/mylogrotate
Apart from adding our own scripts to /etc/logrotate.d (or any other path that we have chosen to include), we can also add scripts into any of the previously mentioned /etc/ cron.hourly cron.daily cron.weekly cron.monthly folders. OR we can add a script into any of these folders that suit our needs that runs the logrotate /etc/logrotate.conf command which will have the logrotate.conf file, direct logrotate to the default /etc/logrotate.d directory where we have our script(s). OR to another directory where we have our script & have included the path in logrotate.conf . whew!
So you can see there are a variety of ways to call logrotate (let alone use it).
Some uses for Logrotate
For example, script block below does the following, listed line by line:
- /var/log/*.log { specifies the file or the files as this example uses a wild card that says all files ending in .log , the { starts the list of commands that will be used on the file(s) just specified.
- daily Here we are saying cycle these commands daily, we can also say weekly, monthly, yearly (or specify other times with crontab)[4].
- size is where we can place a size limit that will cause a file to be rotated. I placed a 1M one megabyte size limit in the example.
- dateext this puts the date of the rotation on the new copy, so it would use this format: <file.name>.log-20130815
- rotate 7 means keep 7 of our daily (in this script) backups, delete the oldest when it would become the 8th.
- compress is obvious, it uses gzip by default & adds a .gz extension to your file, which will make it look like this: <file.name>.log.1.gz you can choose other compression methods, I'm not going into that here.
- delaycompress tells logrotate to compress the newly rotated file in the next cycle. This has advantages in ease of access & also if the file is still being written to by a process after it has been rotated.
- copytruncate this is a great option, as it copies the contents of the file to a new new file <file.name>.log.1 & then deletes the contents of the original file. You can have no permission problems crop up when you do it this way.
- notifempty do nothing if the file is empty, which makes good logical sense.
- missingok if the file does not exist, give no error.
- } this curly bracket closes the block of commands.
/var/log/*.log { daily size 1M dateext rotate 7 compress delaycompress copytruncate notifempty missingok }
The above script can be used as is, it does not need to be made executable, it just needs to be put somewhere that logrotate will see (in this example) every day.
We can use the above script block as a template, easily removing parts & modifying its relatively simple settings. It can duplicated in a script with each script block specifying custom settings tailored for individual files.
An Example that you can modify to suit
I'll show how I have my system set, you can use the information already given on this page & other available on the web to fine tune your set up to suit your needs (if you have the need anyway).
Firstly - Be sure this file is here /etc/cron.daily/logrotate
#!/bin/sh # nicenesses range from -20 (most favorable scheduling) to 19 (least favorable) NICE=19 # 0 for none, 1 for real time, 2 for best-effort, 3 for idle IONICE_CLASS=2 # 0-7 (for IONICE_CLASS 1 and 2 only), 0=highest, 7=lowest IONICE_PRIORITY=7 CMD_LOGROTATE="/usr/bin/logrotate /etc/logrotate.conf" if [ -x /usr/bin/nice ]; then CMD_LOGROTATE="/usr/bin/nice -n ${NICE:-19} ${CMD_LOGROTATE}" fi if [ -x /usr/bin/ionice ]; then CMD_LOGROTATE="/usr/bin/ionice -c ${IONICE_CLASS:-2} -n ${IONICE_PRIORITY:-7} ${CMD_LOGROTATE}" fi ${CMD_LOGROTATE} exit 0
Secondly - Create /etc/logrotate.d/rotate.logs using the following
## rotate all /var/log files with names ending in log /var/log/*log { ## cycle through these commands once per day daily ## keep the results of 7 cycles rotate 7 ## use gzip to compress each rotated (copied) log file compress ## compress the file on the next cycle delaycompress ## copy the contents of the log file to a new file <name>.log.1 ## & then delete the contents of the original log file copytruncate ## do nothing to empty files notifempty ## create no errors if a file is missing missingok ## after the files have been rotated run the following command }
A Summary of the above example thus far
The First step puts a file into /etc/cron.daily which is an easy way to add the script to a daily cron job. Which means that script will be run everyday.
It basically runs this command:
logrotate /etc/logrotate.conf
As logrotate.conf goes through its list of commands it calls this one:
include /etc/logrotate.d
Which means that any scripts that are inside of /etc/logrotate.d are also run.
This brings us to the second step (above), where we created /etc/logrotate.d/rotate.logs . This script will be run everyday. The comments I added to the rotate.logs file above give a general idea of what it does. You can delete, modify & add to that script, but do it carefully.
The effect of running /etc/logrotate.d/rotate.logs everyday
Is that any file in /var/log that had log at the end of its name will be processed by the commands in the rotate.logs script. This will back up these files to a new file <name>.log.1 & empty the original file to size 0. Any previous copies of with <name>.log.<number> will have their numbers bumped up one, until the day when they would have been given an 8, that is the day that they are deleted.
As well as this rotating (copying) & renaming of files, all files will be compressed in gzip format on the next rotation. Which means that you always have the current file & yesterdays file in /var/log in uncompressed format.
No files that are empty will be processed, & a file being missing will throw no errors.
Support
Following is a link to this page's forum counterpart where you can post any related feedback: [5]