Foreword
Courses of this blog to explore a range of topics originally for the blue logrotate log processing and automation, details and deep-seated principles that are appreciably cut, is a technical course was delayed Bowen. Now that talk is very straightforward, is a technical course was delayed Bowen, and moral crusade as if holding a banner blog being guided or open source tools are not open source like kidnapping without reply.
Here is the dividing line, no nonsense, directly into the body, the curriculum are interested, want in-depth understanding of logrotate friends can end the course introduces :)
Concepts log cutting, necessity and basic ideas
1.1 What is a log cut
Refers to cutting the log when the log file or application system reaches the set trigger condition (e.g., according to a certain time period: daily, according to the size: 500MB), subjected to dicing / division processing, processing similar truncation, relatively large capacity of the original log file "stolen" for another dump a retention archive log file, the log generated after this moment, continues to be output to the file header is reset to 0 in the log file.
Part of the change : the number of the capacity of the log file (thin small) log file (extra history log to be cut under a)
Unchanging part : log file name unchanged
In addition, after a period of time, we also need to remove old time log file, the entire process is also known as log rolling (log rotation).
1.2 Why should log cutting
Online applications (including the operating system) in the long run, the process will generate a lot of logging, is often useful for system administrators or application developers to file an application record information, such as what is being implemented, what went wrong and a series of information.
With the accumulation of logging, the log files increases, over time, will have the following drawbacks:
- Log files take up more and more hard disk space
- The log file is too large to view the contents after reaching the GB level is too time consuming to keep track of errors is very inconvenient
A chestnut:
The basic idea of cutting 1.3 log
Log cutting basic needs :
-
Application level
The cutting process does not affect the normal operation of the application (the application can not be disabled to split logs)
-
Data Plane
Log is not lost, missing or little log within an acceptable range
The cutting process does not affect the continued application of the output log (log file name unchanged)
-
Log capacity level
New log file empty file is newly recorded from the beginning (header and capacity are reset) after cutting, to facilitate subsequent query using
-
Log archiving level
After cutting the old log convenient archive compression processing (file name plus date suffix, etc.)
Old log divided in accordance with the retention period delete poll
-
Management and maintenance level
Automation periodically, again and again
From the above requirements, to meet the most important prerequisite for the application of non-stop use , the can designed two basic ideas logs cut :
-
Ideas 1 - Rename remove old log files, while generating a new log file (the file name is consistent with the previous cut)
Mv existing log file to another, simultaneously with the automatic generation of a file name (name of the log file before mv) new log file
Log file names change , but the need to ensure that the application can point to the new file handle
Of course, a new log file started to write from zero, the log file weight-loss success!
-
Ideas 2 - Copies and rename an existing log file, while the existing capacity of the log file contents emptied
Cp copy of the existing log file to another file name, but very quickly the existing log files emptied
But does not change existing log file handle (there will be more detailed in section 3.1.1).
Filenames and handles such log files are not changed, but the contents have been emptied, also continues to write from zero, weight loss success!
Finally, the task requires a combination of regular, periodic timing of the execution log cutting applications, automation
2. Common log cutting plan
2.1 custom scripts for log cutting
Custom scripts cutting logs, core principle is mv existing log file and creates a new log file, combined with kill -USR1PID to reload application in order to obtain the file handle new application log files, the log can be output to a new log file.
note:
- 这里说的新日志文件的文件名没有变化,但本质上是一个全新的文件。
- kill
脚本切割nginx日志栗子:
#/bin/bash
bakpath='/home/nginx/logs'
logpath='/var/log/nginx/logs'
if [ ! -d $bakpath/$(date +%Y)/$(date +%m) ];then
mkdir -p $bakpath/$(date +%Y)/$(date +%m)
fi
mv $logpath/access.log $bakpath/$(date +%Y)/$(date +%m)/access-$(date +%Y%m%d%H%M).log
#给nginx发送一个信号量,让nginx重载,重新生成新的日志文件
kill -USR1 `cat /usr/local/nginx/logs/nginx.pid`2.2 应用层面结合log4j切割日志
log4j是apache针对java应用开源的一套日志框架,java应用可以通过加载指定的jar包,结合配置文件,从应用本身规范日志输出的格式,级别等,同时可附加实现日志的切割处理。
切割的触发条件可以是时间周期和日志大小两个维度。
log4j一般需要开发人员的协助,最好由开发人员直接实现。
2.3 基于第三方开源工具切割日志
2.3.1 logrotate
linux系统自带的日志处理工具,功能非常强大,可以进行日志的切割,压缩,滚动删除等处理。
自身基于系统的crontab来运行,无需手动配置。
2.3.2 cronolog
cronolog开源的日志处理工具,可以实现自动的按规则生成周期性的日志文件,需要单独安装后配置使用。
2.4 日志切割方案的对比与选型
| 对比方案 | 部署工作量 | 对应用的亲和性 | 功能性 |
|---|---|---|---|
| 脚本 | 前期工作量较大<br />底层逻辑都需要自己逐一实现<br />功能完善的脚本开发量较大 | 一般 | 看脚本本身 |
| log4j | 较小,加载jar包进行配置即可 | 好 | 较为强大,但不支持日志压缩 |
| 第三方工具 | 较小仅仅需要配置 | 较好 | 强大 |
这里的第三方工具仅仅针对logrotate而言(其它工具可以参考对比因素来对比)。
选型:
-
多用拿来主义,避免自己重复造轮子(特指自己巴拉巴拉一股脑式写脚本)
-
优选应用层面结合log4j方案
建议应用层面可以应用log4j的就应用log4j,结合第三方工具进行日志压缩和周期性删除处理
-
备选(次选)开源第三方工具--logrotate
不便于应用log4j的情况下推荐使用第三方工具,尤其是logrotate,系统自带,开箱即用--次选方案
3. logrotate实战运用
3.1 logrotate的工作原理
3.1.1 核心原理
文件句柄
操作系统为每一个进程维护了一个独立的打开文件表(fdtable),进程每新打开一个文件,表中就会增加一个条目。
-
文件描述符是一个整数,代表fdtable中的索引位置(下标),指向具体的struct file(文件句柄/文件指针)
-
文件句柄(文件指针)对应着文件的详细信息,存储着文件的状态信息、偏移量和文件的inode信息等。
-
文件句柄中存储的inode信息,对应到应用进程正在写的一个具体文件
-
每一个文件描述符会与一个打开的文件(文件句柄)相对应
- 应用进程通过fdtable中的文件句柄(文件指针)来定位到它要写操作的文件
综上所述,文件句柄可以唯一界定操作系统中一个特定的文件。
推理:
文件句柄不包括文件路径和文件名,因此文件路径和文件名的变化,不会引起对文件句柄的修改,进而不会引起应用进程对某一特定文件(文件句柄的具体指向)的写操作
可以通过实验来验证上述推理结论。
切割日志过程
文件句柄的存在,决定了logrotate进行日志切割时候,存在以下两种方案:
- ##### 切割后使用新的文件句柄--create方式
create方式也是默认的方案,它的核心思路是重命名原日志文件,并创建新的日志文件。create方案是在mv+create 执行完之后,通知应用重新在新的日志文件写入即可。
那么如何通知应用程序重新打开日志文件,从而往新的空日志文件中写入呢?
简单粗暴的方法是杀死进程重新打开。但是这样会影响在线业务,不可取!
于是有些程序提供了重新打开日志的接口,以Nginx为例,是通过发送USR1信号给Nginx进程来通知Nginx重新打开日志文件的。也存在一些其他方式(如IPC),前提是程序自身要支持。
-
切割后继续沿用旧的文件句柄--copytruncate方式
不过,有些程序并不支持create方式,压根没有提供重新打开日志的接口;而如果粗暴地重启应用程序,必然会降低可用性,为此引入了copytruncate的方案。
这个方案的思路是把正在输出的日志拷(copy)一份出来重命名,再清空(trucate)原来的日志。从结果上看,旧的日志内容存在滚动的文件里,新的日志输出到被清空的文件里。
注意事项
以上两种方案中,能用默认的create方案就不用copytruncate,why?
-
数据丢失风险
- 耗时太久风险
这里关于create和copytruncate方式的具体执行过程,以及注意事项,包含了较为关键的技术细节。如若以上描述不足以理解,可以关注课程https://edu.51cto.com/sd/3f309, 接受免费试看。
3.1.2 定时任务执行
logrotate自身已经被集成到系统定时任务中,基于CRON来运行,默认每天运行一次。
定时任务:
/etc/cron.daily/logrotate#!/bin/sh
/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0要点:
/usr/sbin/logrotate 执行文件
-s /var/lib/logrotate/logrotate.status 记录执行后的状态
/etc/logrotate.conf 运行时加载的配置文件
问题: cron.daily究竟是在每天什么时间执行的呢?
Logrotate是基于CRON运行的,所以这个时间是由CRON控制的,具体可以查询CRON的配置文件/etc/anacrontab(老版本的文件是/etc/crontab)
cat /etc/anacrontab
# /etc/anacrontab: configuration file for anacron
# See anacron(8) and anacrontab(5) for details.
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# the maximal random delay added to the base delay of the jobs
RANDOM_DELAY=45 #这个是随机的延迟时间,表示最大45分钟
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22 #这个是开始时间段,3点-22点
#period in days delay in minutes job-identifier command
1 5 cron.daily nice run-parts /etc/cron.daily
7 25 cron.weekly nice run-parts /etc/cron.weekly
@monthly 45 cron.monthly nice run-parts /etc/cron.monthly1 5 cron.daily
第一个是Recurrence period 第二个是延迟时间(the base delay,基本的延迟时间)
总的延迟时差是:基本延迟+随机延迟=5~(5+45),即5-50 min
开始的基准时间:3-22点,不出意外,就是3点开始
所以cron.daily会在3:00+(5,50)这个时间段执行
定时任务执行时间,也可以通过日志和处理过的日志文件两种方式来确认。
3.1.3 logrotate执行过程
logrotate自动化处理日志的过程如下:
-
Redhat系列系统缺省的cron 在每天的3:00+(5,50)这个时间段唤醒触发cron.daily下定义的logrotate定时任务
-
logrotate加载默认的配置文件/etc/logrotate.conf,定位判断需要被处理的日志文件
-
基于配置文件的相关参数,对匹配到的日志文件执行日志切割、压缩、转储即周期性删除处理
-
完成后产生过程状态记录文件 /var/lib/logrotate/logrotate.status
实战运用中,我们是先设置好logrotate的相关参数和任务,然后等待cron来唤醒定时任务触发执行。
注意:
- 以上原理部分是最为重要的部分,深入理解了原理之后,对于配置文件的解读,和生产环境的实际落地运用,以及遇到实际问题的有效解决,帮助作用是显而易见的。
- 这部分内容看似简单,实际存在较多的细节和要点,老手也不一定能把它们理顺讲透,这里推荐关注课程https://edu.51cto.com/sd/3f309, 接受免费试看。
3.2 logrotate的配置文件解析
理解了原理过程,我们再来梳理一下logrotate的配置文件。配置文件分为全局默认配置/etc/logrotate.conf和/etc/logrotate.d目录下的自定义配置。
配置的有效性和优先级:
logrotate加载配置时,会针对/etc/logrotate.d目录下的每个自定义配置,与全局默认配置/etc/logrotate.conf进行合并渲染,如存在相同项或者冲突项,以自定义配置为准:
相同项:
全局配置和自定义配置中配置了相同的参数key,但value不同的情况
冲突项:
全局配置和自定义配置中存在的冲突项
3.2.1 全局默认配置文件
全局配置文件:
cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly #每周轮转一次
# keep 4 weeks worth of backlogs
rotate 4 #保留四个被切割转储后的日志文件(即备份的老日志文件)
# create new (empty) log files after rotating old ones
create #rotate后,创建一个新的空文件,默认的create方式处理
# use date as a suffix of the rotated file
dateext # 日志文件切割时添加日期后缀,后缀格式YYYYmmdd,切割后的文件名如xxx.log-20200202
# uncomment this if you want your log files compressed
#compress #默认切割转储后的日志是不压缩的
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d #编程中常用的include大法,该目录下的配置文件都会被引用生效
# no packages own wtmp and btmp -- we'll rotate them here #顺带rorate两个孤儿日志
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
# system-specific logs may be also be configured here.3.2.2 自定义配置文件
默认配置文件中已经通过include /etc/logrotate.d大法指明了自定义配置文件的路径,因此在这个路径下定义细化配置即可。
例1: create方式切割nginx日志
cat /etc/logrotate.d/nginx
/var/log/nginx/*.log { # 可以指定多个路径,多个路径通过空格或换行符分隔,支持正则匹配
daily # 日志轮询周期,weekly,monthly,yearly
rotate 30 # 留存30份切割后的旧日志,以天为周期,即保存30天旧日志,超过则删除
size +100M # 超过100M时分割,单位k,M,G,优先级高于daily
compress # 切割后立即对老日志进行gzip压缩,也可以为nocompress
dateext # 日志文件切割时添加日期后缀
missingok # 如果没有日志文件也不报错
notifempty # 日志为空时不进行切换,默认为ifempty
create 640 nginx nginx # 使用该模式创建新的空日志文件,mode,user和group参数可以省略
sharedscripts # 所有的文件切割之后再一次性执行下面脚本
postrotate
if [ -f /var/run/nginx.pid ]; then #脚本符合shell语法和逻辑即可
kill -USR1 `cat /var/run/nginx.pid`
fi
endscript
}其它较为常用的配置参数:
nocopytruncate copy日志文件后不截断不清空日志,仅仅备份用
nocreate 不建立新的日志文件,用于仅仅只需要对应用日志进行压缩和轮询删除的场景
errors address 遇到错误时信息发送到指定的Email 地址
olddir directory 转储后的日志文件放入指定的目录,必须和当前日志文件在同一个文件系统
prerotate 在logrotate转储之前需要执行的指令,例如创建一个转储的日志目录
rotate count 指定日志文件删除之前转储的次数(个数),0指没有备份,5指保留5个备份
maxage 以单个转储时间周期为计数单位来保留老旧日志,如每天处理,代表保留多少天的老旧
日志,此时与rotate count无区别
dateext 使用当期日期-YYYYmmdd作为转储后的日志文件附加后缀,不配置则以数字1到n作为后
缀,n为rotate n中的配置参数
dateformat .%s 配合dateext使用,紧跟在下一行出现,定义文件切割后的文件名附加后缀,必须配合
dateext使用,只支持 %Y %m %d %s 这四个参数
其它可参照man文档,以及/etc/logrotate.d/下系统自带的配置文件来研究。
注意事项:
logrotate本身是通过系统定时任务cron来在每天的凌晨3-4点之间某个时间点触发,至于logrotate它自己被触发后,会不会对我们指定的日志文件进行预期的切割处理,还取决于我们对logrotate执行动作的条件约束,更多细节可以关注课程https://edu.51cto.com/sd/3f309, 接受免费试看。
3.3 实战运用logrotate进行自动化日志切割和压缩
应用举例:
- create方式切割nginx日志
cat /etc/logrotate.d/nginx
/var/log/nginx/*.log {
daily
missingok
rotate 60
compress
notifempty
dateext
sharedscripts
postrotate
if [ -f /var/run/nginx.pid ];then
kill -USR1 `cat /var/run/nginx.pid`
fi
endscript
}-
copytruncate方式切割tomcat catalina.out日志
- 对tomcat已经切割的localhost日志进行压缩处理
注意事项:
以上是典型的生产环境应用举例,配置层面本身不难,重要的地方在于实际运用后会发现并非一切如预期所愿,需要掌握必要的技巧才能用好。细节部分可以关注课程https://edu.51cto.com/sd/3f309, 接受免费试看。
4. 生产环境使用技巧及避坑指南
实际在生产环境运用中,还存在一些高阶技巧需要掌握,甚至说部分地方存在一些坑需要我们明确并避开它们。这里列举一些典型的情况,感兴趣的朋友可以关注课程https://edu.51cto.com/sd/3f309, 接受免费试看,相信您会有不一样的收获。
4.1 如何只选择logrotate部分功能
4.2 如何调试logrotate
4.3 如何确认执行结果
4.4 如何提高日志切割的频度
4.5 copytruncate方案下日志丢失问题解决
copytruncate的原理决定了理论上分析,日志丢失不可避免。
日志丢失的程度参考:
https://incoherency.co.uk/blog/stories/logrotate-copytruncate-race-condition.html
I wrote a small C program to test it (outputting increasing numbers as fast as it could) and, indeed, 4 million lines were lost during the course of the log rotation.
要么规避,要么解决。
4.6 copytruncate日志后还出现硬盘空间告警怎么办
附录: 课程介绍
背景
Based on some of his own experiences logrotate understanding and practical application of the production environment, and of course find some seemingly simple process, actually have very strong principles and logic to support. So there is a summarized initiation of a system on their ideas, thinking about the last course or to share output, fiddle while, on the basis of the original idea, added some conceptual and schematic output, recently regarded shelves.
Total course infinitely close to five hours , or have a certain cost. The main part of the removal of here, chapter with an original design, on the one hand there is a certain basis and in conjunction with article omitted the details of friends can understand, I believe will still gain something after reading, without prejudice to further their understanding of logrotate, and the other On the one hand, should understand this article a little difficulty, you can also consider to look at the course, infinitely close to 5 hours of classes a lunch prices, from concept to principle, from the configuration to explain under actual use of high-end applications, as well as the production environment tips, guides, and so avoid the pits, a basket design, believe you will have different harvest.
Course Overview
Logrotate course to the main line, highlighting the practical application of, in-depth explanation automate all aspects of processing applications logs (including log cutting / Log polling, log compression, log periodic delete, etc.), are taught the entire automation system log.
Syllabus, there are pictures and the truth:
Course Link :https://edu.51cto.com/sd/3f309