Logrotate Not Deleting Compressed Logs

logrotatersyslog

I have a CentOS box running rsyslog and logrotate as my syslog server for a whole bunch of network devices. I've been toying around with this for a while, the logrotate/compression piece is working ok, but I can't seem to get it to delete the old compressed .gz logs. Here's the basic setup:

Logs are stored in: /var/log/syslog and each host creates a new sub-folder based on its IP address or hostname. I have two particular hosts that are really chatty, so I have specific rules for them to truncate after 5 GB. The idea is to compress and start a new log every day, and keep 60 days' worth of logs.

Here are my configs (most of these were not created by me, but I have maintained and modified several of them):

cat /etc/cron.hourly/logrotate

#!/bin/sh`enter code here`
/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

cat /etc/logrotate.d/syslog

/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    compress
    daily
    #delaycompress
    dateext
    missingok
    rotate 60
    maxage 60
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

cat /etc/logrotate.conf

/var/log/syslog/*/*.log {
daily
rotate 60
maxage 60
compress
}

daily
rotate 60
create
dateext
compress
include /etc/logrotate.d

/var/log/wtmp {
    monthly
    create 0664 root utmp
        minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
# Specific rule for HOST_A
/var/log/syslog/HOST_A/*.log {
daily
size 5G
rotate 30
maxage 30
compress
}

# Specific rule for HOST_B
/var/log/syslog/HOST_B/*.log {
daily
size 5G
rotate 30
maxage 30
compress
}

And here is an example of what I have in my \var\log\syslog\host_a folder:

ls /var/log/syslog/HOST_A/ | wc -l

ls /var/log/syslog/HOST_A/ -lh

-rw------- 1 root root  416M Jun 20 23:59 HOST_A_2018_06_20.log.1.gz
-rw------- 1 root root   64M Jun 20 16:18 HOST_A_2018_06_20.log.2.gz
-rw------- 1 root root  1.5G Jun 21 23:59 HOST_A_2018_06_21.log.1.gz
<many files redacted>
-rw------- 1 root root  1.6G Sep  4 23:59 HOST_A_2018_09_04.log.1.gz
-rw------- 1 root root  1.5G Sep  5 23:59 HOST_A_2018_09_05.log.1.gz
-rw------- 1 root root  7.7G Sep  6 10:58 HOST_A_2018_09_06.log

So, you can see above, it's not removing the old archived .gz logs after 60 days. It's keeping them indefinitely. I've had to go in periodically and manually delete older files to keep size down. These files go from 6/20 to 9/6 (today), which is 104 days. I'm sure I have it misconfigured, but not sure quite what I'm missing. Any help would be appreciated.

Best Answer

You're using two mechanisms for daiy logfiles, and they're not cooperating with each other.

On the one hand you let syslog generate daily files, on the other hand you let logrotate rotate files. Logrotate will treat each daily file as a separate unique set of files (it doesn't consider HOST_A_2018_09_05.log to be related to HOST_A_2018_09_06.log) to rotate, so it never gets to five files files per pattern.

It's better to either not include the date in the filename, or let syslog do its own pruning of old files.

Related Solutions

Centos – Logrotate Mysql – No rotate happens

Threre is no rotation, because you are using -d option. From manual:

-d Turns on debug mode and implies -v. In debug mode, no changes will be made to the logs or to the logrotate state file.

I have two suggestions:

Upgrade OS to x86_64 if possible, because you have 2,5GB memory limit per process
Don't use -pPassword parameter with mysql for security reasons, it's better to use --defaults-extra-file=path_to_extra, which is readable only by root. When somebody, who has access to server execute ps -ef | grep mysql, it will see root password for database.

Here is my logrotate /etc/logrotate.d/mysql script for mysql on CentOS 5 (mysql Ver 14.12 Distrib 5.0.77, for redhat-linux-gnu (x86_64) using readline 5.1):

# If the root user has a password you have to create a
# /.my.cnf configuration file with the following
# content:
#
# [mysqladmin]
# password = <secret>
# user = <username>
#
# where "<secret>" is the password and <username> is user.
#
# ATTENTION: This /.my.cnf should be readable ONLY
# for root !
/var/log/mysqld.log {
        create 640 mysql mysql
        notifempty
        missingok
        postrotate
                # just if mysqld is really running
                if test -x /usr/bin/mysqladmin && \
                   /usr/bin/mysqladmin --defaults-extra-file=/root/mysql/logrotate.cnf ping &>/dev/null
                then
                   /usr/bin/mysqladmin --defaults-extra-file=/root/mysql/logrotate.cnf flush-logs
                fi
                /usr/bin/chcon -u system_u -r object_r -t mysqld_log_t /var/log/mysqld.log
        endscript
}

Nginx logrotate config

man logrotate

   dateformat format_string
          Specify  the  extension for dateext using the notation similar to strftime(3) function. Only %Y %m
          %d and %s specifiers are allowed.  The default value is -%Y%m%d. Note that also the character sep‐
          arating log name from the extension is part of the dateformat string. The system clock must be set
          past Sep 9th 2001 for %s to work correctly.  Note that the datestamps  generated  by  this  format
          must be lexically sortable (i.e., first the year, then the month then the day. e.g., 2001/12/01 is
          ok, but 01/12/2001 is not, since 01/11/2002 would sort lower while it is later).  This is  because
          when using the rotate option, logrotate sorts all rotated filenames to find out which logfiles are
          older and should be removed.

Can anyone please tell me if "dateext" is correct? I want the log filename to be something like "access.log-2010-12-04".

Insert a dateformat directive to your configuration file, something like this:

 /usr/local/nginx/logs/*.log {
    daily
    dateext
    dateformat -%Y-%m-%d
    ...

One more thing: Can I do the log rotation every day on a specific time (e.g. 11 pm)?

By default, logrotate is running via cron at 4 A.M:

/etc/cron.daily/logrotate

#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

You can move this file to somewhere and rename to logrotate.sh, then create a new file in /etc/cron.d/ as belows:

0 23 * * * root /path/to/logrotate.sh

Best Answer

Related Solutions

Centos – Logrotate Mysql – No rotate happens

Nginx logrotate config

Related Topic