Home » Categories » Linux

logrotate Log Rotate Configuration

Article Number: 647 | Rating: Unrated | Last Updated: Sun, Jan 12, 2020 12:22 AM

Some older versions of rsyslog may have trouble resuming on a log file after the log rotate has run. We can force rsyslog to pick up the new log file by adding a postrotate command in logrotate. This will restart rsyslog and delete the state files so it will continue reading from the beginning of the newly created file.

Log Rotate Setup

1. Open the logrotate configuration file

Configuration files are located in this directory on most linux distributions

cd /etc/logrotate.d

Find the appropriate configuration file and open it with a text editor. In this example, we’ll use the nginx log files.

sudo vim nginx

You will see the default configuration given below

/var/log/nginx/*.log {
        daily
        missingok
        rotate 52
        compress
        delaycompress
        notifempty
        create 640 nginx adm
        sharedscripts
        postrotate
                [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
        endscript
}

All the commands written between the postrotate and endscript gets executed after each log rotation. In this example, we can see that nginx is restarted. We will add additional commands here soon.

2. Find your rsyslog state files

Find the files rsyslog writes to track the state of the files are monitoring. We will configure the postrotate command to delete these configuration files so rsyslog starts fresh at the beginning of the new log file. If you used the configure-file-monitoring script, it will include the alias you passed as a parameter.

ls /var/spool/rsyslog/stat-*

Here we can see two state files for nginx

/var/spool/rsyslog/stat-nginx-access
/var/spool/rsyslog/stat-nginx-error

3. Add postrotate commands

Add the following commands in the postrotate section to restart rsyslog and delete the state files. Replace the path given to the rm command with the path to the rsyslog state files found above. In this example, we are deleting the state files for nginx.

rm /var/spool/rsyslog/stat-*
service rsyslog stop
service rsyslog start

Advanced Log Rotate Options

Troubleshooting Your Log Rotate Configuration

If you don’t see any data show up in the verification step, then check for these common problems.

  • Wait a few minutes in case indexing needs to catch up
  • If you see duplicate events send to Loggly, check to see if you accidentally deleted the wrong state files. Also check to make sure a new file of zero length is created after the log rotation runs.
  • Make sure the state files are deleted and recreated after rsyslog restarts
  • Troubleshooting Rsyslog if the files are being written but not being sent to Loggly
  • Search or post your own question in the community forum.
Posted - Sun, Jan 12, 2020 12:22 AM. This article has been viewed 3094 times.
Filed Under: Linux
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
SSL HowTo: Decode CSR
Viewed 4893 times since Mon, Feb 18, 2019
debian Install a newer kernel in Debian 9 (stretch) stable
Viewed 1715 times since Sun, Sep 23, 2018
SYS: Configure a local repository. local repo
Viewed 10854 times since Mon, Oct 29, 2018
15 Linux Yum Command Examples – Install, Uninstall, Update Packages
Viewed 3248 times since Thu, Oct 25, 2018
RHCS6: Quorum disk and heuristics
Viewed 4095 times since Sun, Jun 3, 2018
Linux - How to monitor memory usage
Viewed 2985 times since Fri, Jun 8, 2018
Enabling automatic updates in Centos 7 and RHEL 7
Viewed 2394 times since Wed, Oct 17, 2018
RHEL: Reserved space on a ext2/ext3/ext4 filesystem
Viewed 4272 times since Sun, May 27, 2018
Fix rpmdb: Thread died in Berkeley DB library
Viewed 20962 times since Fri, Feb 14, 2020
Linux - How to get IP and MAC address of ethernet adapter in Linux
Viewed 2621 times since Fri, Jun 8, 2018