Logwatch And Logrotate Configuration in Debian

Logwatch Configuration

When you look after a group of machines it becomes increasingly difficult to watch the logfiles to see if anything suspicious is happening. Enter logwatch, a simple Perl script which keeps an eye on all the common logfiles syslog produces and mails you a summary. The summaries are simple enough to read and are sent by email once a day. They show things like available disk space, logins, rejected logins, commands run by users via sudo and more.

Installing Logwatch in Debian

#apt-get install logwatch

Follow the on-screen instructions.

Logrotate Configuration

The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of them. Logrotate allows for the automatic rotation, compression, removal and mailing of log files. It can be set to handle a log file daily, weekly, monthly or when the log file reaches a certain size. Normally, logrotate runs as a daily cron job.

Installing Logrotate in Debian

#apt-get install logrotate

The most obvious package which uses logrotate is Apache, the webserver, which by default keeps its logfiles in the directory /var/log/apache2. If you examine this directory you will see a bunch of logfiles which are archived:

# ls -1 /var/log/apache2/
access.log
access.log.1
access.log.2.gz
access.log.3.gz
access.log.4.gz
access.log.5.gz
error.log
error.log.1
error.log.2.gz
error.log.3.gz
error.log.4.gz
error.log.5.gz
Here the current logfiles access.log and error.log are kept raw, as are yesterday's logfiles (access.log.1 and error.log.1). Older logfiles are compressed with gzip and only kept for five weeks.
The process in charge of compressing and rotating these logfiles is called logrotate, and on Debian installations it is executed once per day.
Logrotate runs are scheduled using cron. In /etc there is a folder called /etc/cron.daily which contains scripts executed once per day, and here you will find the logrotate driver script. Every day this script runs and examines two things: the main configuration file /etc/logrotate.conf (shown at the end of this page) and the directory /etc/logrotate.d, which that file includes.
The /etc/logrotate.d directory contains configuration files which other packages have installed. For example, if you install apache2 the file /etc/logrotate.d/apache2 will be installed. Many servers, such as the Postfix mailserver, install their own configuration file, and you can add your own. A typical logrotate configuration file looks like this:
/var/log/apache2/*.log {
weekly
missingok
rotate 52
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
if [ -f /var/run/apache.pid ]; then
/etc/init.d/apache restart > /dev/null
fi
endscript
}
You can see several important things here. The most obvious is the list of files that will be matched by this configuration file:
/var/log/apache2/*.log { ...
}
After this we have a collection of configuration terms, one per line. In the example above we have:
The upshot of this configuration is that any file matching /var/log/apache2/*.log is rotated every week, provided it is non-empty, and compressed. Because delaycompress is set, the most recently rotated file is left uncompressed until the next rotation, which is why access.log.1 in the listing above is still raw. The new file is created with file mode 640, owned by root and group adm, and after the rotation has finished the server is restarted. If we wish to install a local service which creates a logfile we can have it rotated very easily, just by adding a new logrotate configuration file.
Assuming we have a new service "web" which writes its output to /var/log/web/output.log, we can have this rotated every day with a configuration file like this:
/var/log/web/*.log {
daily
missingok
rotate 7
compress
delaycompress
create 640 web web
sharedscripts
postrotate
/etc/init.d/web restart
endscript
}
This will:
The default /etc/logrotate.conf file is as follows:

# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0664 root utmp
rotate 1
}
# system-specific logs may be configured here
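A small parser and audit for this stanza syntax, added here as an example (it is not code from this page or from logrotate itself): it splits a configuration into stanzas of globs, one-line directives and postrotate bodies, then flags the settings a reviewer would question, such as a world-readable create mode, a missing rotate count, or a script without sharedscripts. The sample input is constructed: the page's Apache stanza, abridged, followed by a hypothetical "web" stanza weakened on purpose.

```python
# Constructed input (not from a real host): this page's Apache stanza, abridged, then a weak one.
SAMPLE = """\
/var/log/apache2/*.log {
weekly
rotate 52
create 640 root adm
sharedscripts
postrotate
/etc/init.d/apache restart > /dev/null
endscript
}
/var/log/web/*.log {
create 644 web web
postrotate
/etc/init.d/web restart
endscript
}
"""

def parse_logrotate(text):
    """Split logrotate text into stanzas: globs, one-line directives, script bodies."""
    stanzas, cur, script = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] == "#" or (cur is None and not line.endswith("{")):
            continue                               # blank, comment, or global directive
        if script is not None and line != "endscript":
            cur["scripts"][script].append(line)   # body of postrotate ... endscript
        elif script is not None:
            script = None
        elif line.endswith("{"):                   # "glob [glob ...] {"
            stanzas.append(cur := {"globs": line[:-1].split(), "directives": {}, "scripts": {}})
        elif line == "}":
            cur = None
        elif line in ("prerotate", "postrotate", "firstaction", "lastaction"):
            script, cur["scripts"][line] = line, []
        else:                                      # "keyword [value ...]"
            key, _, value = line.partition(" ")
            cur["directives"][key] = value.strip()
    return stanzas

def audit(stanza):
    """Settings in one stanza that a reviewer would question."""
    d, mode = stanza["directives"], stanza["directives"].get("create", "").split()
    checks = [
        (mode and mode[0].isdigit() and int(mode[0], 8) & 0o004, "create: new log files are world-readable"),
        ("rotate" not in d, "rotate: not set (default 0), so old logs are deleted, not kept"),
        (stanza["scripts"] and "sharedscripts" not in d, "script runs once per matched file; add sharedscripts"),
    ]
    return [msg for bad, msg in checks if bad]
```

The tool's own dry run is logrotate -d /etc/logrotate.conf; this script only reasons about the stanza text.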