Results 1 to 8 of 8

Thread: why does syslog not use logrotate

  1. #1
    Join Date
    Dec 2004
    Location
    Manchester
    Beans
    2,086
    Distro
    Ubuntu Mate 15.10 Wily Werewolf

    why does syslog not use logrotate

    most log files in /var/log seem to be rotated by logrotate and can be configured either in /etc/logrotate.conf or /etc/logrotate.d

    how ever syslog seems to have its own method, using /etc/cron.daily/sysklogd which uses the 'savelog' command.

    is there a good reason for syslog not to use logrotate? it seems odd to have two systems to do the same jobs, and two very different methods to configure the a similar task.

  2. #2
    Join Date
    Jan 2006
    Location
    United Kingdom
    Beans
    2,787
    Distro
    Kubuntu 6.06 Dapper

    Re: why does syslog not use logrotate

    The 'reason' is largely historical, specifically that Syslog is old - very old - and has been around for a lot longer than Logrotate. Hence, in order to keep on top of the management of log files Syslog has always been able to rotate/archives its own data....

    Along came Logrotate designed solely to manage the logs of those apps that didn't use Syslog. Most modern systems, by virtue of them running more and more processes/daemons log a great deal more than those of yesteryear and hence there is a requirement for both Syslog and Logrotate log management.

    To merge the functionality of two disparate packages would be difficult given the packages are designed for different things - it's just the log management function that is common to both.

    I agree though; it can make life more difficult than it could otherwise be.

    Mathew
    www.NewtonNet.co.uk - Now supporting IPv6!

    ~ Please don't use PM's to request assistance - post your query on the forum and share the discussion - if you've got a problem chances are you won't be the only one! ~

  3. #3
    Join Date
    May 2007
    Beans
    2

    Re: why does syslog not use logrotate

    This is most unfortunate for Ubuntu on laptops as the sysklod way of managing its log files creates a new file for me EVERYTIME I turn the machine on (which is usually *at least* twice a day. Therefore I only have available approximately the last 3 days of logging.

    Not good for spotting long term trends and doing analysis.

    I have now manually switched to logrotate. It should be automatic.

  4. #4
    Join Date
    Apr 2009
    Beans
    6

    Re: why does syslog not use logrotate

    Quote Originally Posted by hans.voss View Post
    This is most unfortunate for Ubuntu on laptops as the sysklod way of managing its log files creates a new file for me EVERYTIME I turn the machine on (which is usually *at least* twice a day. Therefore I only have available approximately the last 3 days of logging.

    Not good for spotting long term trends and doing analysis.

    I have now manually switched to logrotate. It should be automatic.

    Could you please post the logrotates syslog you created?
    Do you need to stop the syslogd before you let logrotate take care of syslog?
    also if you use logrotate for syslog, what would be the replacement for all the stuff you have in syslog.conf?

  5. #5
    Join Date
    Dec 2008
    Location
    Kent, UK
    Beans
    26
    Distro
    Ubuntu

    Re: why does syslog not use logrotate

    you can get rid of the crontab logrotation of syslog by replacing old fashioned "sysklogd" package by a lot newer "rsyslog" (preferred by Debian) or "syslog-ng" (was quite popular in RedHat for some time but I would not recommend it, we faced some serious issues with syslog-ng).

    Both, rsyslog and syslog-ng utilize the more modern logrotate way of rotating it's logs rather than the old sysklog way. But you may expect also more resources to be consumed (more features = more code = more memory used).

    Cheers and sorry to participate in an old discussion, hope this might help to someone.

  6. #6
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    11,499
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: why does syslog not use logrotate

    Current Ubuntu releases use rsyslog and /etc/logrotate.d/rsyslog.

  7. #7
    Join Date
    Dec 2008
    Location
    Kent, UK
    Beans
    26
    Distro
    Ubuntu

    Re: why does syslog not use logrotate

    Quote Originally Posted by SeijiSensei View Post
    Current Ubuntu releases use rsyslog and /etc/logrotate.d/rsyslog.
    strange: I've got an openVZ VPS on bhost.co.uk where I chose ubuntu server 11.04 i386 image, it had sysklogd preinstalled and when I installed rsyslog, it is having some serious issues, utilizing CPU over 100% (4 cores) so there was probably a good reason to use sysklogd and it may have been one of the tweaks from default installation.
    Last edited by cepal; November 16th, 2011 at 10:43 AM.

  8. #8
    Join Date
    Dec 2008
    Location
    Kent, UK
    Beans
    26
    Distro
    Ubuntu

    Re: why does syslog not use logrotate

    OK I found it in some other discussions; the problem is rsyslogd forks itself under "syslog" credentials and in the older kernel this user is not able to access kernel messages. Solution: comment line "$PrivDropToUser" in /etc/rsyslog.conf as I have very limited memory resources and can't afford two rsyslogd processes running as in the safer solution below.

    There is another solution mentioned here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573980

    for the case the comment of the article get's delete, here is cut and paste:

    --------------- The rest is the cut'n'paste (with some formatting) ---------------

    From: "Stefan K." <archilles at kh-webcenter dot_de>
    To:
    573980 at bugs dot debian dot_org
    Subject: Re: Bug#573980: rsyslog: klog does not work when dropping privileges
    Date:
    Wed, 08 Jun 2011 13:52:05 +0200

    I´m using a simple workaround for some time now. In addition to the normal rsyslog instance I run a second one. The "main" rsyslog doesn´t fetch kernel messages anymore and therefore can drop its root privileges. But it´s now listening on localhost for them.
    Code:
    $ModLoad imudp
    $UDPServerAddress 127.0.0.1
    $UDPServerRun 514
    $AllowedSender UDP, 127.0.0.1
    The second instance runs as root and has only a minimum configuration to forward kernel messages to the "main" instance. So it is not reachable from the local network and opens no unix socket(?).
    Code:
    $ModLoad imklog
    *.* @127.0.0.1:514
    
    /usr/sbin/rsyslogd -c5 -f /etc/rsyslog.conf.root -i /var/run/klogd-emu.pid
    It´s started after the "main" instance by adding it to /etc/init.d/rsyslogd and stopped by init on shutdown/reboot with SIGTERM. I expect this to be safer on a (exposed) server. Although this requires some additional resources (cpu power and main memory), I guess it should be negligible today
    Last edited by cepal; November 16th, 2011 at 10:56 AM.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •