I'd like to keep more than the default 5 log files at /var/log/auth.log. What do I need to change to keep x number of them?
Asked
Active
Viewed 7,285 times
2 Answers
7
This is done by logrotate, which as a daily cron job checks it's configuration files for log files that need rotating, compressing, removal, and takes the necessary action(s).
For /var/log/auth.log, which is actually a rsyslog managed file, as rsyslog dumps all authentication info (auth, authpriv facilities) in there (conf file: /etc/rsyslog.d/50-default.conf), the relevant configuration file for logrotate is /etc/logrotate.d/rsyslog.
On my 14.04 that contains:
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
So /var/log/auth.log is being rotated by this configuration.
To modify the behavior to keep desired number of rotated files, you can either change rotate parameter to your desired value (any positive integer, 0 will remove the old files instantly) in the { ... } section following the filename declaration, but this will change the behavior for all mentioned files, which might not be the desired behavior.
Instead, remove /var/log/auth.log from there, and make a separate entry for this by putting the following at the end:
/var/log/auth.log
{
rotate 10
weekly
missingok
notifempty
compress
delaycompress
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
The above will rotate /var/log/auth.log, weekly, with compress-ion, not if it's empty (notifempty), and will keep 10 rotated copies, and the older ones that that will be removed.
Change these to meet your need, and also read man 5 logrotate.conf.
heemayl
- 91,753
-
1Cool. Thanks very much. That's a better answer than is here: http://askubuntu.com/questions/252583/log-file-size-or-age – aswine Oct 13 '16 at 19:34
-
-
@ElderGeek Haha, the grass is always greener on the other side, huh? I always thought i'm the slowest ;) – heemayl Oct 13 '16 at 19:37
-
:-) Your approach is likely more technically correct. I just looked and applied logic. – Elder Geek Oct 13 '16 at 19:40
0
Rotation schedules are defined in /etc/logrotate.d/rsyslog
If we examine the file we can see that auth.log is one of the files that are configured to a rotate 4, weekly schedule by default. Notice that syslog conversely is set to rotate 7, daily schedule. You can follow the format for syslog and create an entry that follows the same format that will give you the results you want I.E. rotate X and the schedule desired as in daily, weekly or whatever. Pay attention to the the postrotate directive as well as it specifies the action that happens after the whole log rotation has completed.
/var/log/syslog
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
sources:
man logrotate
Elder Geek
- 36,023
- 25
- 98
- 183
/etc/cron.daily/logrotate, I found/etc/logrotate.conf. There's arotateparameter in there. Is that the one? – aswine Oct 13 '16 at 19:11