How to Manually Rotate Logs on a Linux System

  • 2021-07-26 09:16:32
  • OfStack

Log rotation (log scrolling) is a common feature on Linux systems. It preserves the log content needed for system monitoring and troubleshooting while preventing any single log file from growing too large.

Log rotation works as follows: within a set of log files, the highest-numbered (oldest) log file is deleted, the numbers of the remaining log files are incremented in turn so that each replaces the next older file, and a new file takes over as the current log file. This process can be easily automated, and the details can be fine-tuned as needed.

The logrotate command can also be used to rotate logs manually. This article describes how to do a manual log rotation and what results to expect.

The examples presented in this article apply to Linux systems such as Ubuntu. For other types of systems, the log files and configuration files may differ, but the log rotation process is much the same.

Why rotate a log manually

In general, there is no need to rotate log files manually. The Linux system rotates logs automatically every day (or at a longer interval), or according to the size of the log file. If you need to rotate a log to free up storage space, or to separate a part of the log from current activity, this is easy to do, depending on the rotation rules for that file.

Background

On a freshly installed Linux system, many log files are already covered by log rotation. In addition, some applications set up rotation rules for their own log files at installation time. Generally speaking, the configuration files for log rotation are placed in the /etc/logrotate.d directory. If you want to know the detailed implementation of log rotation, you can refer to this previous article.

During log rotation, the active log is given a new name, such as log.1, the file previously named log.1 is renamed to log.2, and so on. Within this set of files, the oldest log file (log.7, for example) is removed from the system. Parameters such as the naming of files during rotation and the number of log files retained are determined by the configuration files in the /etc/logrotate.d directory, so you may see that some log files are kept for only a few rotations, while others are kept for 7 rotations or more.

For example, syslog might look like this after log rotation (note that the comments at the end of each line only explain how the rotation affects the file name):


$ ls -l /var/log/syslog*
-rw-r----- 1 syslog adm 128674 Mar 10 08:00 /var/log/syslog <== new file
-rw-r----- 1 syslog adm 2405968 Mar 9 16:09 /var/log/syslog.1 <== previously syslog
-rw-r----- 1 syslog adm 206451 Mar 9 00:00 /var/log/syslog.2.gz <== previously syslog.1
-rw-r----- 1 syslog adm 216852 Mar 8 00:00 /var/log/syslog.3.gz <== previously syslog.2.gz
-rw-r----- 1 syslog adm 212889 Mar 7 00:00 /var/log/syslog.4.gz <== previously syslog.3.gz
-rw-r----- 1 syslog adm 219106 Mar 6 00:00 /var/log/syslog.5.gz <== previously syslog.4.gz
-rw-r----- 1 syslog adm 218596 Mar 5 00:00 /var/log/syslog.6.gz <== previously syslog.5.gz
-rw-r----- 1 syslog adm 211074 Mar 4 00:00 /var/log/syslog.7.gz <== previously syslog.6.gz

You may notice that all files except the currently active log and the most recently rotated log have been compressed to save storage space. The reason for this design is that most system administrators only need to consult the latest log files, and the rest can be kept compressed and consulted when necessary, which is a good compromise.

Manual log rotation

You can rotate a log manually by running the logrotate command as follows:

$ sudo logrotate -f /etc/logrotate.d/rsyslog

Note that the logrotate command here uses the configuration file /etc/logrotate.d/rsyslog, and that the -f parameter forces the rotation. Therefore, the whole process will be:

  • syslog.7.gz is deleted.
  • The original syslog.6.gz is renamed syslog.7.gz.
  • The original syslog.5.gz is renamed syslog.6.gz.
  • The original syslog.4.gz is renamed syslog.5.gz.
  • The original syslog.3.gz is renamed syslog.4.gz.
  • The original syslog.2.gz is renamed syslog.3.gz.
  • The original syslog.1 is compressed and renamed syslog.2.gz.
  • The original syslog is renamed syslog.1.
  • A new syslog file, however, is not necessarily created.

You can run the following commands to create it and make sure the file has the correct owner and permissions:


$ sudo touch /var/log/syslog
$ sudo chown syslog:adm /var/log/syslog
$ sudo chmod 640 /var/log/syslog

You can also add the following line to /etc/logrotate.d/rsyslog and let logrotate do the work of the three commands above:

create 0640 syslog adm

The contents of the entire configuration file are as follows:


/var/log/syslog
{
    rotate 7
    daily
    missingok
    notifempty
    # added line: create the new log with mode 0640, owner syslog, group adm
    create 0640 syslog adm
    delaycompress
    compress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
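The rename chain and the effect of create 0640 described above, replayed in a scratch directory. This is an added example, not code from the original article and not how logrotate is implemented internally. rotate_once and demo are hypothetical helper names, the sample files are constructed, and KEEP is assumed to be at least 2.

```shell
#!/bin/sh
# rotate_once DIR BASE KEEP MODE
# Hypothetical helper: mimics "rotate KEEP" + "compress" + "delaycompress"
# + "create MODE" for one log file. It never touches /var/log.
rotate_once() {
    dir=$1; base=$2; keep=$3; mode=$4
    [ "$keep" -ge 2 ] || return 1   # assumption: at least two generations
    # 1. Delete the oldest archive (syslog.7.gz when KEEP=7).
    rm -f "$dir/$base.$keep.gz"
    # 2. Shift compressed archives up by one: .6.gz -> .7.gz ... .2.gz -> .3.gz
    i=$((keep - 1))
    while [ "$i" -ge 2 ]; do
        if [ -f "$dir/$base.$i.gz" ]; then
            mv "$dir/$base.$i.gz" "$dir/$base.$((i + 1)).gz"
        fi
        i=$((i - 1))
    done
    # 3. delaycompress: the previous rotation (.1) is compressed only now.
    if [ -f "$dir/$base.1" ]; then
        gzip -c "$dir/$base.1" > "$dir/$base.2.gz" && rm -f "$dir/$base.1"
    fi
    # 4. The active log becomes .1 and stays uncompressed.
    if [ -f "$dir/$base" ]; then
        mv "$dir/$base" "$dir/$base.1"
    fi
    # 5. Like "create MODE": make the new empty log under a tight umask
    #    first, so it is never readable more widely than MODE allows.
    ( umask 077; : > "$dir/$base" )
    chmod "$mode" "$dir/$base"
}

# Constructed sample data: an active log plus seven older generations.
# Prints the scratch directory so the result can be inspected with ls -l.
demo() {
    d=$(mktemp -d)
    echo "day0" > "$d/syslog"
    echo "day1" > "$d/syslog.1"
    n=2
    while [ "$n" -le 7 ]; do
        echo "day$n" | gzip -c > "$d/syslog.$n.gz"
        n=$((n + 1))
    done
    rotate_once "$d" syslog 7 0640
    echo "$d"
}
```

Run demo and list the directory it prints to compare the result with the syslog listing earlier in the article.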

The following is an example of manually rotating the wtmp log, which records user login information. Because /etc/logrotate.d/wtmp sets rotate 2, only two wtmp log files remain on the system.

Before rotation:


$ ls -l wtmp*
-rw-r----- 1 root utmp 1152 Mar 12 11:49 wtmp
-rw-r----- 1 root utmp 768 Mar 11 17:04 wtmp.1

Run the rotation command:

$ sudo logrotate -f /etc/logrotate.d/wtmp

After rotation:


$ ls -l /var/log/wtmp*
-rw-r----- 1 root utmp 0 Mar 12 11:52 /var/log/wtmp
-rw-r----- 1 root utmp 1152 Mar 12 11:49 /var/log/wtmp.1
-rw-r----- 1 root adm 99726 Feb 21 07:46 /var/log/wtmp.report

It is important to know that whether a log rotation happens automatically or manually, the time of the last rotation is recorded in logrotate's status file.


$ grep wtmp /var/lib/logrotate/status
"/var/log/wtmp" 2020-3-12-11:52:57
