-1

This is likely to elicit calls to close as it's asking for opinions, but I don't know how or where to ask in a more appropriate manner. Apologies in advance if this offends - it's not intended that way, and there is an actual question, which is "what am I going to break if I do this, and is it worth it?"

I hate the way that the /var/log directory gets untidy; there are log files, old log files, and directories also containing both of these. I'm considering using logrotate and rsyslogd to ensure that the directory looks something like this:

chrony
mail
cron
messages

all of which are directories. Each directory would contain a file and a directory:

chrony.log
history

Where logrotate is used to move old logs into the history directory, and the current log is the only file in each directory. I think that this would make it easier to read the directory, to find the relevant log file, and is just, well, neater.

I suspect that certain logs are not easily moved - is "lastlog" expected to be in /var/log? Am I going to break anything horribly if I do this?

(I tend to the idea that in general a directory should either be a leaf node or a branch, so I don't like having /etc/httpd.conf and /etc/httpd.conf.d - why not just /etc/httpd.conf.d containing base_config and other files).

Is this all made moot by splunk, I wonder - or by other offline log storage/forwarding?

Graham Nicholls
  • Feel free to do what suits you but be aware that pretty much everyone else works with what they have. What they have, is pretty much the same as everyone else. There is a whole internet full of people who write interesting and useful stuff based on what everyone has. Being different in this case probably isn't a good thing. – user9517 Jun 05 '19 at 13:08
  • Everyone *isn't* the same. Some logs are written to /var/log directly, some to /var/log/. Some distros use the daemon name, some store them in the base directory. If all logs were written via syslog - as they ought to be - there would be no problem. Given that logs are written either by a logger like rsyslog, or directly, with a config file (ugh!), or (even ughgier!) to a hard-coded file, I realise that some config would be necessary, but don't see what would break, nor why being _organised_ is a bad thing. – Graham Nicholls Jun 05 '19 at 13:37
  • They are the same - /var/log/ is the same for everyone using . yada yada yada ... – user9517 Jun 05 '19 at 13:46
  • No, it's not. It's distribution- and site-dependent. It's arbitrary, and there's no standard, which is, I suppose, what I'm suggesting. – Graham Nicholls Jun 06 '19 at 07:21

1 Answer

2

Yes, log files and config files are a mess. That's what happens when every software project invents their own. Then opinionated sysadmins package them up into Linux distros, and doing unprivileged logging sometimes requires a directory with special permissions.

I'm not going to enumerate everything that you would have to change to restructure /var/log arbitrarily, but here are some categories:

  • Configuration files logging there, including logrotate.
  • Compiled in paths. I don't know where exactly in the auth stack /var/log/lastlog is configured.
  • Security build including file permissions and SELinux. Something is labeling logrotate as lastlog_t on CentOS.
  • Documentation of the differences from the distro and the Linux FHS. Just because FHS says /var/log/messages is the syslog file doesn't make it happen, but it is documented precedent.

Do what you want. Personally, I'm not going to mess with it when I can grep through files recursively. Or search a systemd journal. Or even better, forward logs to a central search engine.

John Mahowald
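
The layout the question describes (one live log per service directory, with rotated copies in a `history` subdirectory) maps onto logrotate's `olddir` directive. The stanza below is an added example, not part of the original question or answer; the file name, retention values, ownership and modes, and the rsyslog rule quoted in the comment are assumptions, and it assumes a systemd host.

```conf
# /etc/logrotate.d/cron-tidy   (hypothetical file name, added example)
#
# Assumes rsyslog has already been pointed at the new location, e.g. with
# a rule such as:
#     cron.*    /var/log/cron/cron.log
# Any distro-shipped logrotate stanza for the old path must be removed,
# otherwise logrotate keeps managing a file that no longer exists.

/var/log/cron/cron.log {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    delaycompress
    dateext

    # Rotated files go to the sibling directory instead of accumulating
    # next to the live log. olddir has to be on the same filesystem as
    # the log unless copy, copytruncate or renamecopy is used.
    olddir /var/log/cron/history
    createolddir 0750 root root

    # Recreate the live log with restrictive permissions after rotation.
    create 0600 root root

    postrotate
        # Tell rsyslog to reopen its output files.
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
```

Running `logrotate -d /etc/logrotate.d/cron-tidy` performs a dry run and prints what would be rotated without touching any files. On an SELinux host, check the labels on the new directories with `ls -Z` before relying on the daemon being able to write there.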