Lock down your logfiles with logrotate
What a Wicked Web We Weave
Not many can claim to be more popular in web circles than the leader of all things HTTP: Apache. Figure 6 shows an example profile for Apache with some new options. The old compress
option is the friendly disk space-saver. This option clearly should not be run on large logfiles if your server's CPU is creaking at the seams already; just schedule logrotate out-of-hours to solve any time-sensitive, heavy load problems by adjusting cron execution times. As is often the case, I'm comfortable ignoring missing files (missingok
); also, I'm looking for 52 weekly logs.
The new delaycompress
function is intriguing, especially if you need to access a file with a log-watching tool, such as the truly extensible Fail2ban package. The meaning of this config option is simple: Not only does it decrease the number of times compression takes place (initially at least), it might save a bit of CPU time in some circumstances, especially if your servers experience no quiet time. However, if another application can't work correctly because a logfile is compressed, then you can hold off gzipping the file in question until the next rotation. Although I haven't looked, I suspect Fail2ban has addressed this issue because it's so configurable.
Let a Computer Do the Work for You
As I mentioned earlier, one prerequisite of a healthy file is correct permissions. In the past I've had some success running
# touch /var/log/<daemon-name>.log # chown owner:group /var/log/<daemon-name>.log # chmod 640 /var/log/<daemon-name>.log
after moving or renaming a logfile in a graceless fashion. The hope was that I wouldn't see any application downtime caused by restarting my service to fix empty logfiles as a result of an application that couldn't write to the file correctly after a logfile was moved.
However, the graceful way of achieving this via logrotate is to use the create
config option, as in:
create 640 root adm
If you compare my manual command-line entries and logrotate's automated approach, the config option should make perfect sense.
In Figure 6, the purpose of the sharedscripts
option encapsulated within the curly brackets in line 8 might not be immediately obvious, which brings me to the prerotate
and postrotate
config options. As logrotate runs through profiles, the prerotate
and postrotate
options are processed for each and every logfile being rotated.
Sometimes file name patterns lead to several logfile matches (especially with an errant wildcard here or there); therefore, the prerotate
and postrotate
config options can run multiple times, and if the postrotate
option starts and stops a daemon, you could be restarting your previous web application several times unnecessarily, among other unneeded activities. The friendly sharedscripts
parameter lets you specify that these kinds of actions are triggered only once.
For those of you who are familiar with Bash scripting, note in the Apache example that the prerotate
option checks for the existence of a directory (i.e., httpd-prerotate
) where fully configurable precursor commands can be applied should additional configuration be needed.
You Say Tomato
It might sound a little strange but there's method to the madness of having a favorite file compression utility. Some formats, utilities, encryption ciphers, and time frames dictate that you need to make choices about zipping, gzipping, or adding obscure command-line parameters to the compression options within logrotate.
To this end, you have the ability to affect how you squash your logfiles to keep the ever-precious storage freed up by using:
compresscmd zip
An option I've found very useful is dateext
. When you first see the logfiles generated by an automated log rotation system, it's easy to mix up which is the oldest and which is the latest files in the list. Figure 7 shows this a little more clearly, and it's easy to spot the newest because dpkg.log.1
isn't compressed with gzip. You can still see why files numbered 1 to 12 without many differentiating features could be confusing, however.
The useful dateext
switch lets you add dates to the end of rotated logs instead of simply numbers. The format YYYYMMDD can be changed conveniently with the dateformat
parameter, which apparently conforms to the strftime
command. However, it only supports year, month, and day specifiers (%Y
, %m
, %d
, respectively). If you feel the need, though, you can throw in Unix time (or rather, the number of seconds since the Epoch – midnight on January 1, 1970) with the %s
specifier. Both are very useful options to my mind; one date format for human eyes to scan quickly and another for a script to scrutinize.
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.