Using Meta Variables and a rotation algorithm, it is possible to rotate logs so that a file rotated once is never touched again (unless deleted), making log rotation much more compatible with host-based intrusion detection schemes. Words beginning with @ are special Meta Variables used to create dynamic fields, such as the file and directory names to use.
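The effect described above can be seen by comparing what a file-integrity checker observes under two archive naming schemes. The following Python simulation is an added example, not part of rottlog: it models a generic numbered-rename scheme (log.daemon.1 becomes log.daemon.2, and so on) against date-based archive paths laid out like the @YEAR/@MONTH/@BASENAME storedir of Example 6, using constructed log contents and an assumed start of April 2002.

```python
import hashlib

def digest(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def changed_paths(before: dict, after: dict) -> list:
    """Paths an integrity checker would flag as modified:
    present in both baselines, but with a different digest."""
    return sorted(p for p in before if p in after and before[p] != after[p])

def numbered_cycle(archive: dict, content: str, keep: int) -> dict:
    """Renaming scheme: log.N-1 becomes log.N, newest archive is log.1."""
    new = {}
    for n in range(keep, 1, -1):
        prev = f"log.daemon.{n - 1}"
        if prev in archive:
            new[f"log.daemon.{n}"] = archive[prev]
    new["log.daemon.1"] = digest(content)
    return new

def dated_cycle(archive: dict, content: str, year: int, month: int) -> dict:
    """Date-based scheme: each archive gets its own YEAR/MONTH/BASENAME path."""
    new = dict(archive)
    new[f"{year}/{month:02d}/log.daemon"] = digest(content)
    return new

def simulate(cycles: int = 6, keep: int = 4):
    """Run monthly rotations; count 'modified' alerts per scheme."""
    numbered, dated = {}, {}
    alerts = {"numbered": 0, "dated": 0}
    for i in range(cycles):
        content = f"constructed events for cycle {i}"  # sample data, not real logs
        m = 3 + i                                      # assumed start: April 2002
        nxt = numbered_cycle(numbered, content, keep)
        alerts["numbered"] += len(changed_paths(numbered, nxt))
        numbered = nxt
        nxt = dated_cycle(dated, content, 2002 + m // 12, m % 12 + 1)
        alerts["dated"] += len(changed_paths(dated, nxt))
        dated = nxt
    return alerts, sorted(dated)

if __name__ == "__main__":
    alerts, paths = simulate()
    print(alerts)
    print(paths)
```

Under the renaming scheme every existing archive path changes content on each cycle, so a baseline of the archive directory never stays valid; with date-based paths the checker only ever sees new files.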
The following examples will use defaults defined in the previous section. These examples are valid in all monthly, weekly, and daily config files.
Example 1.
Handle /var/log/rottlog/log.daemon and leave in the new logfile the events
from the first day of the current month (logpart). After that, a script
will be called to restart syslogd (postrotate/endscript).
/var/log/rottlog/log.daemon {
postrotate
/sbin/killall -HUP syslogd
endscript
logpart "#1 day"
}
Example 2.
Same as Example 1, but compression of the archived logfile is postponed
until the next time rottlog handles /var/log/rottlog/log.daemon
(delaycompress).
/var/log/rottlog/log.daemon {
postrotate
/sbin/killall -HUP syslogd
endscript
logpart "#1 day"
delaycompress
}
Example 3. Split log files; postrotate script will be run for each single logfile.
/var/log/rottlog/log.daemon,/var/log/rottlog/log.debug {
postrotate
/sbin/killall -HUP syslogd
endscript
logpart "#1 day"
delaycompress
}
Example 4.
Rotate all files in the /var/log/apache directory 6 times (rotate).
Archived logfiles will not be compressed (nocompress) and they
will be stored in an apache-archives subdirectory of the "packdir" defined in the main
rc configuration file (storedir). If a logfile has size 0 it will
not be handled (notifempty).
/var/log/apache/* {
storedir apache-archives
rotate 6
notifempty
nocompress
}
Example 5.
Archive the wtmp and lastlog files and touch new 0 byte files
with the specified permissions, owner and group (create). The report
message will be sent to a different user from those specified in the main
rc config file (touser). Logfile compression is postponed to
the next rotation cycle.
/var/adm/wtmp,/var/adm/lastlog {
create 644 root root
delaycompress
touser "admin@example.net"
}
Example 6.
Rotate twice all logfiles in /var/log called log.a*,
descending two levels of recursion to find files. Store compressed
logfiles in a directory called something like:
$packdir/<current year>/<current month>/<logfile basename>
This is done using META-VARIABLES in the storedir parameter.
See Use of meta-variables, for details.
New 0 byte files will be created with the specified permissions, owner and
group (create), and will be set with the append-only attribute
(append-only). Don't rotate logs if they are smaller than 1
Megabyte (size).
/var/log/log.a* {
# Descend two levels of depth to find files matching the criteria
# (beginning with log.a)
maxdepth 2
# Use of meta-variables. storedir will be expanded for each processed
# file (e.g. 2002/04/log.auth, 2002/04/log.apache, ... will be used)
# to store compressed archived logs
storedir @YEAR/@MONTH/@BASENAME
# Make new dirs if necessary with specified permissions, owner and group
# ALERT: See README for more details.
createdir 0640 root loggers
# Rotate files with a 6 month period.
rotate 6
# Flag to use only with an ext2 filesystem. Add append-only attribute
# to logfile
append-only
# Don't rotate if logfile is smaller than 1 Megabyte
size 1M
}
Example 7.
Archive all logfiles stored in the local /usr/local/apache/logs directory to
a remote NFS volume, mounted during rottlog's execution.
firstaction...endaction is used to mount the remote NFS volume, and
lastaction...endaction to unmount it. Archived logfiles are
stored in a directory that is available only after firstaction is performed and is defined
during rottlog's execution.
/usr/local/apache/logs/* {
# Action between firstaction and endaction tags will be performed before
# all logfiles are rotated/archived
firstaction
mount fserver.example.net:/LogArchive /mnt/LogVol
endaction
# Define a destination directory available only after firstaction
# is performed
storedir /mnt/LogVol/@YEAR/@MONTH/@BASENAME
# Permissions for the newly created dir
createdir 0640 root loggers
notifempty
# After each log file is rotated the following commands will be executed
postrotate
/usr/local/apache/bin/apachectl restart
/usr/local/bin/my-nice-script.sh
endscript
# Action between lastaction and endaction tags will be performed after
# all logfiles have been rotated/archived.
lastaction
umount /mnt/LogVol
endaction
}
Example 8. Archive all logfiles stored in the local
/usr/local/squid/logs/ directory onto tape. Before being archived, each
logfile is saved in a temporary directory, which is removed
immediately after the last logfile in this block has been handled.
/usr/local/squid/logs/* {
# Action between firstaction and endaction tags will be performed
# before all logfiles are rotated/archived
firstaction
mt -f /dev/nst0 eom
endaction
# Define a temporary storedir
storedir @TEMPDIR
# Define filename of logs to be archived
storefile @FILENAME.@WEEK@YEAR
# Don't archive file if it's empty
notifempty
# After each log file is rotated the following commands will be executed
postrotate
star -cv -f /dev/nst0 @TEMPDIR/@FILENAME.@WEEK@YEAR
endscript
# Action between lastaction and endaction tags will be performed after
# all logfiles have been rotated/archived
lastaction
mt -f /dev/nst0 offline
endaction
}
Example 9. Archive log.daemon only on the 15th day of the month, and
compress the archived logfile the next month.
/var/adm/log.daemon {
# These actions will be performed after each logfile is archived
postrotate
/sbin/killall -HUP syslogd
endscript
delaycompress
# rottlog will handle this file only on 15th day of the month
period 15
}
Example 10. Rotate fetchmail.log five times before overwriting,
every three days, so the file fetchmail.log.1 will be overwritten every
15 days.
/var/log/fetchmail.log {
# Handle this file every three days
period 3d
# Handle logfile on a 5-period basis. So fetchmail.log.1 will be
# overwritten every 15 days
rotate 5
}
Example 11. Archive log.auth using different behaviour in different
periods of the year. If we are in summer (July to September), log.auth
will be archived on Monday or Friday at 22:00. If we are not in summer,
the file will be archived from Monday to Saturday at
01:00.
/var/adm/log.auth {
# rottlog will handle this file:
# Monday or Friday at 22:00 during summer (July to September)
# from Monday to Saturday at 01:00 otherwise
period mon+fri jul-sep 22:00, !jul-sep mon-sat 01:00
}
Example 12. Rotate log.auth with the logrotate algorithm.
/var/adm/log.auth {
log_rotate
rotate 4
}
Example 13. Rotate log.auth using the logrotate algorithm and the
rottlog create parameter. This means that the new logfile will be
created with 0600 mode and owner stefano, group root.
/var/adm/log.auth {
log_rotate
create 600 stefano root
rotate 4
}
Example 14. Rotate log.auth using the logrotate algorithm and the
create parameter. This means that the new logfile will be created with the
same permissions and owner.group as the just-rotated log.auth.
/var/adm/log.auth {
log_rotate
create_logrotate
rotate 4
}
Example 15. Store Apache logs from many virtual hosts every odd day if it is not summer; otherwise store logs only on Wednesday and Saturday.
/hosts/domain1.com/log/access_log,/hosts/domain1.com/log/error_log,\
/hosts/domain2.com/log/access_log,/hosts/domain2.com/log/error_log,\
/hosts/domain3.com/log/access_log,/hosts/domain3.com/log/error_log,\
/hosts/domain4.com/log/access_log,/hosts/domain4.com/log/error_log,\
/hosts/domain5.com/log/access_log,/hosts/domain5.com/log/error_log {
# @1 stands for: first token in path parsing
# @2 stands for: second token in path parsing
storedir @1/@2/log/@MONTH-@YEAR
# Create new directories if they do not yet exist, with the specified
# permissions, owner and group
createdir 0644 apache apache
# Defines archived filenames
storefile @BASENAME.@DAY.gz
# Create new 0-size logfiles in place of archived with specified
# permissions, owner and group
create 0644 apache apache
# Force archiving of logfiles:
# 1 - Monday, Wednesday, Friday and Sunday if the current month is not
# between July and August
# 2 - Wednesday and Saturday if the current month is between July and
# August
period !jul-aug mon+wed+fri+sun, jul-aug wed+sat
# Handle this file even if it is empty
ifempty
# Don't mail the administrator a report for each log file handled
nomail
}
Example 16.
/var/adm/messages {
# Store compressed messages in $packdir/messages
storedir messages
# These actions will be performed before archiving the logfile
prerotate
/sbin/killall -STOP myprogram
endscript
# Rotate logs with extensions from .1 to .5
rotate 5
# Don't rotate log if it's empty
notifempty
}