Rotate /var/log/auth.log

seguridad_tic · January 9, 2019, 9:49am

Hi all

Tow weeks ago we found out it was impossible to commit, we realized the filesystem of / was at 100%. Investigating the source of the problem we saw the file auth.log was huge. Once we cleared it the filesystem came back to normal and we could commit.

I saw this thread to configure rotate of auth.log:

https://phabricator.vyos.net/R4:11ac001a47d20a6cec7b0d502bafc7f21956700a

I configured it 10 days ago but I just checked it’s not working and I have to clear the file again to avoid the same problem. My configuration in /etc/logrotate.d/auth is the next:

root@vyos-RJB:~# more /etc/logrotate.d/auth
{
weekly
rotate 6
size 10M
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}

Any idea why it’s not working?.

Thanks

hagbard · January 9, 2019, 5:05pm

That’s not the original one, is it? You can enforce logrotate via logrotate -f .

seguridad_tic · January 10, 2019, 7:26am

You are right hagbard, I missed one important line at the beggining of the script. I got this right now:

/var/log/auth.log
{
daily
rotate 6
size 10M
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}

I changed weekly by daily. If I force rotate I get this error:

root@vyos-RJB:/etc/logrotate.d# logrotate -f auth
Usage: /etc/init.d/rsyslog {start|stop|restart|reload|force-reload|status}
invoke-rc.d: initscript rsyslog, action “rotate” failed.
error: error running shared postrotate script for '/var/log/auth.log
’
root@vyos-RJB:/etc/logrotate.d#

So I removed the last 4 lines from the script and forced again, this time no errors. I can see now there is a file called /var/log/auth.log.1 but no auth.log file is created again after compressing and the system is continues writing in that file.

I had to remove auth.log.1 file, created manually auth.log and launch /etc/init.d/rsyslog reload

Regards

EDIT:

In order to avoid to remove files manually and reload syslog process the configuration that works is this:

/var/log/auth.log
{
rotate 6
daily
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/etc/init.d/rsyslog reload
endscript
}

system · January 12, 2019, 7:26am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.