Sorry to keep bugging you all, but I'm having some slight problems with
this. I will paste some actual files in here for my situation.
First of all, I want the following file (/etc/logrotate.d/cisco_pix_515e) to
run daily. Here is the file:
/var/log/cisco_pix_515e/pix {
daily
postrotate
/usr/bin/killall -HUP syslogd; mv
/var/log/cisco_pix_515e/pix.1 /var/log/cisco_pix_515e/pix$(date +%Y%m%d)
endscript
}
That is the file I created by following Yehuda's instructions (see message
below). However, I don't think it is running. Logrotate is set as a daily
cron job as you all know I'm sure, but it doesn't seem to be running the
above file at all. When I forced it to run (logrotate -f
/etc/logrotate.d/cisco_pix_515e) it ran, but gave me errors. I think that
is because I left out the "rotate x" and the "create" directives, and after
adding them in it fixed the problem when I forced it to run. I didn't have
them initially because they are globally set in the logrotate.conf file (I
assume those get carried over to the included /etc/logrotate.d directory).
Here is my /etc/logrotate.conf file:
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
# system-specific logs may be also be configured here.
So, my question is, should my cisco_pix_515e file be running the way I have
it configured? I am considering moving it to the bottom of the
logrotate.conf file to see if that will help. And if it should work both
ways, which way is the preferred method?
Another question I have is regarding the "rotate" directive. My
understanding is that "rotate 0" will just delete the old log files instead
of rotating them, but if you leave out rotate all together, is that the same
thing? Also, if you have the global "rotate 4" above like I do, does that
mean my cisco logs will only be kept for 4 days or 4 months? I assume the
rotate count is based on how often you're rotating, i.e. if you're rotating
monthly, "rotate 4" will save 4 months worth and if you're rotating daily,
"rotate 4" will save 4 days worth. Is this assumption correct? Finally, in
my specific case, if I'm renaming the pix.1 file to pix+date, will the
"rotate 4" even affect me? I'm assuming it will just keep an endless supply
of logs until I delete them, which is what I want.
Thanks for the help,
Allen
-----Original Message-----
From: yehuda [mailto:yehudaat_private]
Sent: Thursday, August 29, 2002 12:10 PM
To: Allen Crawford
Cc: Log Analysis List (E-mail)
Subject: RE: [logs] PIX logging
to prevent your local4 logs from going to /var/log/messages, add the
following to your syslog.conf:
local4.none /var/log/messages
you can just tack it on the end of the line for /var/log/messages - for
example:
*.info;mail.none;authpriv.none;local5.none;local4.none /var/log/messages
if you want to rename your log file each night, you can call a script from
your logrotate.conf
( or for redhat, /etc/logrotate.d/syslog)
for example:
/var/log/messages {
daily
postrotate
/usr/bin/killall -HUP syslogd;
mv /var/log/messages.1 /var/log/messages$(date +%Y%m%d)
endscript
}
here's a quick n dirty script for deleting old log files:
------------- begin script
#!/bin/bash
oldstuff=$(date +%m|sed 's/^0//')
case $oldstuff in
1) oldstuff=10;;
2) oldstuff=11;;
3) oldstuff=12;;
*) oldstuff=$[$oldstuff-3];;
esac
rm /var/log/messages$[$(date +%Y)-1]$oldstuff*
rm /var/log/messages$(date +%Y)$oldstuff*
---------- end script
I haven't tested this script, so make sure to test it before putting it into
production.
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 09:14:30 PDT