 
| Subject: | |
| From: | |
| Reply To: | |
| Date: | Fri, 15 Dec 2006 06:24:19 +1000 |
| Content-Type: | text/plain |
| Parts/Attachments: |
|
|
Hi Troy,
> Michael Mansour wrote:
> > Hi,
> >
> > Over the past couple of days logrotate has started to compress my logs
once
> > they've been rotated.
> >
> > I haven't changed my logrotate config in any way recently, and I've
checked
> > the /etc/logrotate.conf file and the "compress" word is commented out.
> >
> > I checked my syslog dropfile:
> >
> > # cat /etc/logrotate.d/syslog
>
> /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/lo
g/
> > boot.log /var/log/cron {
> > sharedscripts
> > postrotate
> > /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null`
2> /dev/null
> > || true
> > endscript
> > }
> >
> > and there's also no place it says to compress.
> >
> > I'm using SL4.4 and it's happened on a few SL4.4 machines at the same
time.
> > I'm at a loss to work this one out.
> >
> > Any ideas from anyone what I'm missing?
> >
> > Michael.
>
> Hi,
> Are you sure it's logrotate doing the compression.
I'm trying to think of something else doing it, but the two machines it's
affecting are firewall servers and there's not much on them other than a
standard SL install.
> I say that because I was getting paged for someone's computer who's
> area's kept getting paged, and threatened to write a script to
> compress their logs for them. If there are several admins on the
> machine, it's possible someone did this. I would check and see if
Yeah I agree, but in this case I'm the only admin.
> the time stamp of the compressed log, is close to when logrotate
> run's. (on my machine that's 4:02, but that may vary by machine)
> That's just a guess, I could be completely wrong on that.
My logs:
-rw------- 1 root root 22552198 Dec 15 04:09 messages.1
-rw------- 1 root root 5968520 Dec 12 04:07 messages.2
-rw------- 1 root root 19694348 Dec 9 04:12 messages.3
-rw------- 1 root root 17561831 Dec 8 04:10 messages.4
-rw------- 1 root root 17949567 Dec 7 04:11 messages.5
-rw------- 1 root root 16757074 Dec 6 04:11 messages.6
-rw------- 1 root root 18875521 Dec 5 04:12 messages.7
and prior to my manual "gunzip messages.1.gz" command:
-rw------- 1 root root 1761370 Dec 15 04:09 messages.1.gz
So it seems that logrotate is doing this as the timestamp on the gz and the
file within the gz are the same.
Looking here:
[root@server logrotate.d]# grep compress *
linuxha:compress
mgetty: nocompress
ppp: compress
psacct: compress
psacct: delaycompress
radiusd: compress
radiusd: compress
radiusd: compress
radiusd: compress
radiusd: compress
radiusd: compress
rkhunter.log: compress
squid: compress
squid: compress
squid: compress
vsftpd.log: nocompress
and:
[root@server logrotate.d]# grep message *
syslog:/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /v
ar/log/boot.log /var/log/cron {
and:
[root@server logrotate.d]# cat syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/
boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null
|| true
endscript
}
Hmm... I just realised that the most recent update I made was to the linuxha
software which added this logrotate script:
[root@server logrotate.d]# head linuxha
compress
missingok
/var/log/cluster/cldaemon-*.log {
copytruncate
rotate 5
daily
size=100k
}
The "compress" command there is actually interpreted by logrotate as a
global compress statement, since the main .conf has the "include" and just
reads through them all.
What should be happening here is the "compress" (and missingok) words go
into the { braces }.
I'll make this change and report the problem to the author. Will monitor
tomorrow and see if it's resolved.
Regards,
Michael.
|
|
|
