2

I'm stumped with this one. Any help is much appreciated...!

Logs in /var/log/HOSTS/cacheflow_access_log/ are configured to archive to /var/log/HOSTS/archived/cacheflow_access_log/ and compress. These are pretty big files so should only be kept for 1 day so that Splunk or Sawmill can summarize their content.

The logs rotate and compress without issue, but the old compressed logs are not deleted. The verbose output of logrotate suggests this is an issue with glob. Is it looking in the live directory rather than the archive directory? If so, how can I fix this? If not, WTF is going on?!

Logrotate conf:

# logrotate configuration for syslog files

# global options
   rotate 1
   missingok
   daily
   compress
   ifempty
   dateformat -%Y%m%d
   dateext

---SNIP---

/var/log/HOSTS/cacheflow_access_log/* {
   daily
   # only keep 1 day of cacheflow as they're massive files
   maxage 1
   rotate 1
   olddir /var/log/HOSTS/archived/cacheflow_access_log
   postrotate
      invoke-rc.d proftpd restart 2>/dev/null >/dev/null || true
   endscript
}

Logrotate verbose output:

considering log /var/log/HOSTS/cacheflow_access_log/CF_5000_20120803_092129.log
log needs rotating
rotating log /var/log/HOSTS/cacheflow_access_log/CF_5000_20120802_120326.log, log >rotateCount is 1
Converted ' -%Y%m%d' -> '-%Y%m%d'
dateext suffix '-20120803'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
glob finding old rotated logs failed
renaming /var/log/HOSTS/cacheflow_access_log/CF_5000_20120802_120326.log to /var/log/HOSTS/archived/cacheflow_access_log/CF_5000_20120802_120326.log-20120803
running postrotate script

Running Debian Squeeze 2.6.32-5-686-bigmem

I know that there are unnecessary duplications in that config (e.g. rotate 1 doesn't need to be reiterated) - it was just to ensure that wasn't the issue causing this problem.

Thanks!

James
  • 143
  • 1
  • 7
  • A `postrotate` script would clean it up. First test if more than 1 file exists. If so, delete oldest. Something like: https://stackoverflow.com/a/47593062/503621 `find /var/log/HOSTS/archived/ -type f -printf '%T@\t%p\n' | sort -t $'\t' -g | head -n1 | cut -d $'\t' -f 2- | xargs rm` (Note - Not tested.) Really should use a full script, though. This doesn't test if there is only 1 file - would remove it. – B. Shea Oct 06 '19 at 18:01
  • Also, I see nothing in manual page or documentation that `olddir` is 'cleaned' by logrotate by itself. I think they leave that up to you. If I missed that info in docs let me know. – B. Shea Oct 06 '19 at 18:04

2 Answers2

0

For future readers, this line is in the logrotate.conf(5) docs:

Please use wildcards with caution. If you specify *, logrotate will rotate all files, including previously rotated ones. A way around this is to use the olddir directive or a more exact wildcard (such as *.log)

Walf
  • 401
  • 1
  • 6
  • 17
0

Perhaps it is failing because the log file already has the date in the name, and so it is a new name each day. Typically I see log files with a static name, and logrotate adds an extension to make them unique. logrotate may be looking for old files in the archive directory with a name of CF_5000_20120802_120326.log to delete them. It doesn't find any because the base name of each file is unique.

dsh
  • 303
  • 1
  • 6
  • I follow your thinking - thanks for the idea - but it also seems to be failing with the other archive subdirectories, e.g. /var/log/HOSTS/archived/local3 contains my switch syslogs and logrotate isn't deleting old files there either, e.g. 10.160.8.33-20120801.gz (the 20120801 will have been appended by logrotate). In the words of Catchphrase host Roy Walker, it's good, but it's not the one...! – James Aug 03 '12 at 04:46