BSD DevCenter
oreilly.comSafari Books Online.Conferences.

advertisement


Big Scary Daemons

Rotating Log Files

06/14/2001

Log files grow. That's what they're there for, after all. As a systems administrator, you need to be able to control log growth. FreeBSD provides a basic log file handler, newsyslog.

The newsyslog program handles standard log file rotation. The oldest logs are deleted. Each old log is renamed. Finally, the current log is moved and a new log file is created. The newsyslog program can also compress files, restart daemons, and in general handle all the routine tasks of shuffling files.

The cron daemon fires up newsyslog once an hour. It scans the /etc/newsyslog.conf file, and checks each log file listed there. If the conditions listed for rotating the logfile are met, the log is rotated.

The /etc/newsyslog.conf file uses one line per logfile. The first entry on each line is the logfile name. This is a full path, such as /var/log/httpd-error.log.

The second entry is optional, and actually doesn't appear in the default /etc/newsyslog.conf. It lists the owner and group of the file, separated by a colon like this: root:wheel. Newsyslog can change the owner and group of old log files. By default, log files are owned by "root" and in the group "wheel". While changing the owner isn't commonly done, you might have use for this on multiuser machines.

You can choose to only change the owner, or only change the group. In this case, you must use a colon, even though nothing appears on the other side of it. For example, :www will change the group to www, while user827: will change the owner to user827.

The third field is the mode, in standard Unix three-digit notation.

Then we have a "count" field. This is the number of old log files that newsyslog keeps -- kind of. newsyslog starts counting archived log files at 0. Many computer systems start numbering at zero, but newsyslog includes 0 and goes up to the count number. With the default count setting of 5 for /var/log/messages, /var/log includes the following files:

messages
messages.0.gz
messages.1.gz
messages.2.gz
messages.3.gz
messages.4.gz
messages.5.gz

Those of you who can count will recognize that this is six backups, not five, plus the current log file! As a rule, though, it's better to have too many files than not enough. Still, if you're tight on disk space deleting an extra log file or two might buy you some time. Similarly, some web servers can have hundreds of sites on a single server; one or two files times a hundred sites can create a lot of disk space.

Newsyslog uses the next two fields, size and time, to determine if it should rotate a log on this run. You can rotate logs at a given time, or when they reach a certain size, or both. If you use both, the log will rotate whenever either condition is met.

If either the size or time isn't important (for example, you want to rotate every day, no matter how large the file gets), use an asterisk.

The fifth field is for file size. When newsyslog runs, it compares the size listed here to the size of the file. If the file is larger than the given size in kilobytes, it is rotated.

So far, it's easy, right?

Pages: 1, 2

Next Pagearrow





Sponsored by: