How to manually rotate logs in a Linux system

Log rotation is a very common function on Linux systems. It retains the log content needed for system monitoring and troubleshooting while preventing any single log file from growing too large.

The log rotation process is as follows: within a group of log files, the file with the highest number (the oldest) is deleted, each remaining file is renumbered in turn and takes the place of the next-older file, and a new file takes over as the current log file. This process can be easily automated and the details can be fine-tuned as needed.

Use the logrotate command to perform log rotation manually. This article introduces the method of manual log rotation and the expected results.

The examples in this article apply to Linux systems such as Ubuntu. On other systems the log files and configuration files may differ, but the log rotation process is similar.

Why do we need to rotate logs?

Normally, there is no need to rotate log files manually. The Linux system will automatically rotate the log every other day (or longer) or according to the size of the log file. If you need to rotate a log to free up storage space or to separate a portion of the log from current activity, this is easy to do; what happens depends on the file's rotation rules.

A little background

After a Linux system is installed, many log files are already covered by log rotation. In addition, some applications set rotation rules for the log files they generate when they are installed. Generally speaking, the log rotation configuration files are placed in /etc/logrotate.d. If you want to know the detailed implementation of log rotation, you can refer to this previous article.

During log rotation, the active log is renamed, for example to log.1, the file previously named log.1 is renamed to log.2, and so on. The oldest log file in the set (say, log.7) is deleted from the system. The file naming scheme and the number of log files retained are determined by the configuration files in the /etc/logrotate.d directory. As a result, some log files are kept for only a few rotations, while others are kept for 7 rotations or more.

For example, syslog might look like this after log rotation (note that the comments at the end of the line are just to show how the rotation process affects the file name):

$ ls -l /var/log/syslog*
-rw-r----- 1 syslog adm 128674 Mar 10 08:00 /var/log/syslog <== new file
-rw-r----- 1 syslog adm 2405968 Mar 9 16:09 /var/log/syslog.1 <== previous syslog
-rw-r----- 1 syslog adm 206451 Mar 9 00:00 /var/log/syslog.2.gz <== previous syslog.1
-rw-r----- 1 syslog adm 216852 Mar 8 00:00 /var/log/syslog.3.gz <== previous syslog.2.gz
-rw-r----- 1 syslog adm 212889 Mar 7 00:00 /var/log/syslog.4.gz <== previous syslog.3.gz
-rw-r----- 1 syslog adm 219106 Mar 6 00:00 /var/log/syslog.5.gz <== previous syslog.4.gz
-rw-r----- 1 syslog adm 218596 Mar 5 00:00 /var/log/syslog.6.gz <== previous syslog.5.gz
-rw-r----- 1 syslog adm 211074 Mar 4 00:00 /var/log/syslog.7.gz <== previous syslog.6.gz

Notice that, except for the currently active log and the most recently rotated log file, all other files have been compressed to save storage space. The reason for this design is that most system administrators only need to check the latest log files. The remaining log files are compressed and can be decompressed and checked when needed. This is a good compromise.

Manual log rotation

You can execute the logrotate command to manually rotate the logs:

$ sudo logrotate -f /etc/logrotate.d/rsyslog

It is worth mentioning that the logrotate command uses the configuration file /etc/logrotate.d/rsyslog and implements "forced rotation" through the -f parameter. Therefore, the whole process will be:

  • Delete syslog.7.gz,
  • Rename the original syslog.6.gz to syslog.7.gz,
  • Rename the original syslog.5.gz to syslog.6.gz,
  • Rename the original syslog.4.gz to syslog.5.gz,
  • Rename the original syslog.3.gz to syslog.4.gz,
  • Rename the original syslog.2.gz to syslog.3.gz,
  • Rename the original syslog.1.gz to syslog.2.gz,
  • However, a new syslog file is not necessarily created.

You can run the following commands to create the file and ensure that its ownership and permissions are correct:

$ sudo touch /var/log/syslog
$ sudo chown syslog:adm /var/log/syslog
$ sudo chmod 640 /var/log/syslog

You can also add the following line to /etc/logrotate.d/rsyslog and let logrotate do the above three commands for you:

create 0640 syslog adm

The content of the entire configuration file is as follows:

/var/log/syslog
{
    rotate 7
    daily
    missingok
    notifempty
    # added line: recreate the log with this mode, owner and group
    create 0640 syslog adm
    delaycompress
    compress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
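The cascade that the rotate 7, delaycompress, compress and create directives produce can be reproduced on a scratch directory. The following is an added example, not code from the original article or from logrotate; rotate_log and demo are hypothetical helper names, the log contents are constructed, and the chown step is omitted because it needs root. It follows the listing shown earlier, where syslog.1 is still uncompressed before the rotation.

```shell
#!/bin/sh
# Added example (not logrotate's code): emulates the effect of
# "rotate N" + "delaycompress" + "compress" + "create MODE".

# rotate_log FILE KEEP MODE   (hypothetical helper)
rotate_log() {
    log=$1; keep=$2; mode=$3
    # Delete the oldest generation (syslog.7.gz when KEEP=7).
    rm -f "$log.$keep.gz"
    # Shift compressed generations up, highest number first, so that
    # no file is overwritten before it has been moved.
    i=$((keep - 1))
    while [ "$i" -ge 2 ]; do
        if [ -f "$log.$i.gz" ]; then
            mv "$log.$i.gz" "$log.$((i + 1)).gz"
        fi
        i=$((i - 1))
    done
    # delaycompress: the previous rotation's file is compressed only now.
    # gzip keeps the file mode, so the archive stays equally restricted.
    if [ -f "$log.1" ]; then
        if [ "$keep" -ge 2 ]; then
            gzip -f "$log.1" && mv "$log.1.gz" "$log.2.gz" || return 1
        else
            rm -f "$log.1"
        fi
    fi
    # The active log becomes generation 1.
    if [ -f "$log" ]; then mv "$log" "$log.1"; fi
    # create MODE: make the new file under a tight umask, then set the
    # mode, so it is never briefly world-readable. The owner and group
    # part (chown syslog:adm) needs root and is left out of this demo.
    ( umask 077 && : > "$log" ) && chmod "$mode" "$log"
}

# Build a constructed set of logs in a scratch directory, rotate once,
# and print the directory name so the result can be inspected.
demo() {
    dir=$(mktemp -d) || return 1
    echo "gen 0" > "$dir/syslog"
    echo "gen 1" > "$dir/syslog.1"
    n=2
    while [ "$n" -le 7 ]; do
        echo "gen $n" | gzip -c > "$dir/syslog.$n.gz"
        n=$((n + 1))
    done
    chmod 640 "$dir"/syslog*
    rotate_log "$dir/syslog" 7 0640 && echo "$dir"
}
```

After sourcing the file, ls -l "$(demo)" lists the rotated set: an empty syslog with mode 640, an uncompressed syslog.1, and syslog.2.gz through syslog.7.gz.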

The following is an example of manually rotating the wtmp log, which records user login information. Because /etc/logrotate.d/wtmp specifies rotate 2, only two copies of the wtmp log file are retained on the system.

Before rotation:

$ ls -l wtmp*
-rw-r----- 1 root utmp 1152 Mar 12 11:49 wtmp
-rw-r----- 1 root utmp 768 Mar 11 17:04 wtmp.1

Execute the rotation command:

$ sudo logrotate -f /etc/logrotate.d/wtmp

After rotation:

$ ls -l /var/log/wtmp*
-rw-r----- 1 root utmp 0 Mar 12 11:52 /var/log/wtmp
-rw-r----- 1 root utmp 1152 Mar 12 11:49 /var/log/wtmp.1
-rw-r----- 1 root adm 99726 Feb 21 07:46 /var/log/wtmp.report

It is important to know that, whether a log is rotated automatically or manually, the time of the most recent rotation is recorded in the logrotate status file.

$ grep wtmp /var/lib/logrotate/status
"/var/log/wtmp" 2020-3-12-11:52:57
