Why doesn't logrotate work as expected?
Created by: Cau Ta
Created time: January 3, 2024 10:50 AM
One common challenge that many users encounter is the overwhelming influx of logs from UFW (Uncomplicated Firewall) and Syslog, often resulting in massive log files that can grow to gigabytes. This issue becomes particularly troublesome when log rotation fails to kick in, leaving users with a cluttered and unmanageable log directory.
Optimizing Log Rotation with logrotate:
To tackle the issue of bloated logs, employing logrotate is a practical solution. However, the default logrotate configurations may not align with the urgency of your situation, especially when dealing with potential DDoS attacks. Fortunately, logrotate allows for fine-tuning, including adjusting the frequency of log rotation checks.
Update the ufw logrotate config
I want my ufw.log to be rotated daily OR when the log file exceeds 100MB, so I changed daily and maxsize.
vim /etc/logrotate.d/ufw
# update rotate timing from weekly to daily
# set maxsize of log file to 100MB
# the stanza applies to the path(s) listed before the opening brace
/var/log/ufw.log
{
    rotate 4
    daily
    maxsize 100M
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        [ -x /usr/lib/rsyslog/rsyslog-rotate ] && /usr/lib/rsyslog/rsyslog-rotate || true
    endscript
}
Update the rsyslog logrotate config
The same idea applies to rsyslog:
vim /etc/logrotate.d/rsyslog
# same change: daily rotation plus a 100MB maxsize
# keep the path list from the stock file in front of the brace (/var/log/syslog shown here)
/var/log/syslog
{
    rotate 4
    daily
    maxsize 100M
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
I understand that logrotate is managed by a cron job.
I also moved the logrotate cron job from daily to hourly, but it doesn't work. The cron job does not trigger every hour, and my log file still exceeds 100MB.
It seems like logrotate is only triggered daily to check the conditions.
Problem
logrotate is managed by crontab, but the crontab script (at /etc/cron.daily/logrotate) first checks for the systemd timer. If the timer exists, the script does nothing, because logrotate is already being triggered by the systemd timer instead of cron. That is why moving the cron job from daily to hourly changes nothing: the maxsize condition is still only evaluated when the systemd timer fires.
So you have to change the schedule of the systemd timer instead:
vim /lib/systemd/system/logrotate.timer
# set timer to hourly (the stock unit uses OnCalendar=daily)
[Timer]
OnCalendar=hourly
Keep in mind that /lib/systemd/system/logrotate.timer is the vendor unit, so the next logrotate package upgrade will overwrite this edit. Running systemctl edit logrotate.timer and putting the same [Timer] section in the drop-in (with an empty OnCalendar= line before OnCalendar=hourly, to clear the vendor value) survives upgrades.
After that, reload the daemon:
systemctl daemon-reload
And check the result in the list of timers:
systemctl list-timers
# the result is:
NEXT LEFT LAST PASSED UNIT ACTIVATES
Wed 2024-01-03 08:00:00 UTC 9min left Wed 2024-01-03 07:25:00 UTC 25min ago logrotate.timer logrotate.service
Wed 2024-01-03 08:22:07 UTC 32min left Wed 2024-01-03 05:00:40 UTC 2h 49min ago apt-daily.timer apt-daily.service
Wed 2024-01-03 09:08:33 UTC 1h 18min left Wed 2024-01-03 02:14:57 UTC 5h 35min ago ua-timer.timer ua-timer.service
You can see that logrotate was last triggered 25 minutes ago, and there are 9 minutes left until it triggers again.
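To see why the timer frequency matters as much as the maxsize directive, here is an added example (my own code, not from the original post and not logrotate itself) that parses the daily/maxsize directives from a constructed copy of the ufw stanza above and simulates a log growing 10 MiB per hour under a daily versus an hourly logrotate run; the interval check is a simplification of logrotate's real calendar-day comparison.

```python
import re

# Constructed copy of the ufw stanza from this post; only the directives the
# model understands (daily/weekly/hourly and maxsize) are looked at.
UFW_STANZA = "/var/log/ufw.log\n{\n    rotate 4\n    daily\n    maxsize 100M\n}\n"

UNITS = {"": 1, "k": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
INTERVAL_HOURS = {"hourly": 1, "daily": 24, "weekly": 24 * 7}

def parse_stanza(text):
    """Pull the time interval (hours) and maxsize (bytes) out of a stanza."""
    cfg = {"interval_h": None, "maxsize": None}
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in INTERVAL_HOURS:
            cfg["interval_h"] = INTERVAL_HOURS[tok[0]]
        elif tok and tok[0] == "maxsize":
            num, unit = re.fullmatch(r"(\d+)([kMG]?)", tok[1]).groups()
            cfg["maxsize"] = int(num) * UNITS[unit]
    return cfg

def due(cfg, size, hours_since_rotation):
    """Rotation is due when the interval has elapsed OR size exceeds maxsize
    (simplification: real logrotate compares calendar days, not 24h)."""
    if cfg["interval_h"] is not None and hours_since_rotation >= cfg["interval_h"]:
        return True
    return cfg["maxsize"] is not None and size > cfg["maxsize"]

def simulate(cfg, run_every_h, growth_per_h, hours):
    """Grow the file by growth_per_h bytes each hour and run logrotate every
    run_every_h hours; return (peak size seen, number of rotations)."""
    size = since = peak = rotations = 0
    for h in range(1, hours + 1):
        size += growth_per_h
        since += 1
        peak = max(peak, size)
        # maxsize is only ever evaluated at the moments logrotate actually runs
        if h % run_every_h == 0 and due(cfg, size, since):
            size, since, rotations = 0, 0, rotations + 1
    return peak, rotations

if __name__ == "__main__":
    MiB = 1024 ** 2
    cfg = parse_stanza(UFW_STANZA)
    for every in (24, 1):  # daily timer (stock) vs hourly timer (this post)
        peak, n = simulate(cfg, every, 10 * MiB, 48)
        print(f"run every {every:2d}h: peak {peak // MiB} MiB, {n} rotations")
```

With the daily run the file reaches 240 MiB before the daily rotation fires; with the hourly run the maxsize check catches it at 110 MiB, four times in two days.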
Conclusion
In this article, we discussed the common challenge of log files becoming overwhelming due to an influx of logs from UFW and Syslog. When log rotation fails to kick in, managing these logs becomes difficult. To address this issue, we explored the use of logrotate for optimizing log rotation.
By default, logrotate configurations may not be suitable for situations requiring urgent log rotation, such as dealing with potential DDoS attacks. However, logrotate offers flexibility for fine-tuning, including adjusting the frequency of log rotation checks.
We also delved into the process of managing logrotate through crontab and the systemd timer. It was highlighted that logrotate is managed by crontab, but a script in /etc/cron.daily/logrotate checks the systemd timer. By modifying the logrotate timer to trigger log rotation hourly, we can ensure more timely log rotation.
To summarize, logrotate is a valuable tool for efficiently managing log files. By customizing its configurations and utilizing systemd timer, we can effectively address the challenge of bloated logs and maintain a more organized log directory.