rsyslogd service, Logrotate log cutting

rsyslogd
log file format
The basic log format contains the following four types
of events: 1. The event generated by the event
2. The host name of the server where the event occurred
3. The service name or program that generated the event
4. The specific information of the event


/etc/rsyslog.conf configuration file
authpriv.* /var /log/ secure #Service
name [connection symbol] Logging location #Authentication
related services, all log levels are recorded in /var/log/secure




Logrotate demo   http://huoding.com/2013/04/21/246

Obviously, Logrotate runs on CRON, and its script is "/etc/cron.daily/logrotate":

#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
When actually running, Logrotate will call the configuration file "/etc/logrotate.conf":

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    minsize 1M
    create 0664 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
The settings here can be understood as the default value of Logrotate. Of course, we can place our own configuration file in the "/etc/logrotate.d" directory to override the default value of Logrotate.


Save a week's Nginx log compressed file by day, the configuration file is "/etc/logrotate.d/nginx":

/usr/local/nginx/logs/*.log {
    daily
    dateext
    compress
    rotate 7
    sharedscripts
    postrotate
        kill -USR1 `cat / var/run/nginx.pid`
    endscript
}
If you can't wait for CRON, you can manually execute the following command:

shell> logrotate -f /etc/logrotate.d/nginx
Of course, it is best to verify it through the Debug option before the official execution , which is also important for debugging:

shell> logrotate -d -f /etc/logrotate.d/nginx
BTW: There are similar Verbose options, so I won't say much here.

Logrotate Questions

Question : What is the role of sharedscripts?

You may have noticed that I used the asterisk wildcard when declaring the log file in the previous Nginx example, which means that there may be multiple log files involved, such as: access.log and error.log. Having said that, you may understand that the role of sharedscripts is to execute a script uniformly after all log files are rotated. If this directive is not configured, the script will be executed once after each log file is rotated.

Question: What is the difference between rotate and maxage?

They are all used to control how many log files are saved, the difference is that rotate is based on the number of units, and maxage is based on the number of days. If we rotate the log by day, then the difference between the two is not much.

Question: Why is the log generated at four or five in the morning?

As we said earlier, Logrotate runs based on CRON, so this time is controlled by CRON. Specifically, you can query CRON's configuration file "/etc/crontab", and you can manually change it to execute at a time such as 23:59:

SHELL=/ bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
59 23 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
If you are using a new version of CentOS, the configuration file is: /etc/anacrontab.

Question: How do I tell the application to reopen the log file?

Taking Nginx as an example, the USR1 signal is sent through the postrotate command to notify Nginx to reopen the log file. But other applications do not necessarily follow this convention. For example, MySQL uses flush-logs to reopen log files. What's more, some applications do not provide a similar method at all, and if you want to reopen the log file, you must restart the service, but for high availability, this is often unacceptable. Fortunately, Logrotate provides an instruction called copytruncate. This method uses a method of copying and then clearing. The operation handle of the log file has not changed during the whole process, so there is no need to notify the application to reopen the log file, but it is necessary to pay attention to The thing is, there is a time lag between copying and flushing, so some log data may be lost.

BTW: MySQL itself already includes a script called mysql-log-rotate in the support-files directory, but it is relatively simple. For more detailed log rotation, see "Rotating MySQL Slow Logs Safely".

…

Friends who are familiar with Apache may remember cronolog, but Nginx does not support it. Some people save the country through the mkfifo command curve, first create a pipeline for log files, and then rotate with cronolog. Although there is no problem in theory, there is a discount in efficiency. In addition, there is a simplified version of the tool savelog under Debian/Ubuntu, you can take a look if you are interested.