Software & AppsOperating SystemLinux

Why is /var/log/syslog not rotating?

Ubuntu 10

In the world of system administration, log files are crucial for diagnosing and resolving system issues. One such important log file is /var/log/syslog. However, you may encounter a situation where this log file is not rotating as expected. This article will guide you through the reasons behind this issue and how to troubleshoot it.

Quick Answer

The /var/log/syslog log file may not be rotating due to incorrect logrotate configuration, incorrect permissions on the log directory, or system protections interfering with log rotation. To troubleshoot this issue, check the logrotate configuration, run logrotate manually in debug mode, verify permissions on the log directory, and set the appropriate "su" directive in the logrotate configuration. Restart the logrotate service after making any changes.

Understanding Log Rotation

Before we delve into the issue, let’s understand what log rotation is. Log rotation is a process that renames, compresses, and removes log files after a certain period or when they reach a certain size. This helps in managing disk space and makes log analysis more manageable.

In Linux, the logrotate utility handles log rotation. It is usually run daily by the cron daemon. The configuration file for logrotate is /etc/logrotate.conf, and individual application configurations are stored in /etc/logrotate.d/.

Checking the logrotate Configuration

The first step in troubleshooting is to check the logrotate configuration for syslog. This is usually located at /etc/logrotate.d/rsyslog. The configuration should look something like this:

/var/log/syslog
{
 rotate 7
 daily
 missingok
 notifempty
 delaycompress
 compress
 postrotate
 invoke-rc.d rsyslog rotate > /dev/null
 endscript
}

Here’s what each directive means:

  • rotate 7: Keep 7 old log files.
  • daily: Rotate the log files every day.
  • missingok: Do not output an error message if the log file is missing.
  • notifempty: Do not rotate the log if it’s empty.
  • delaycompress: Delay compression of the previous log file to the next rotation cycle. This is useful if a program cannot be told to close its logfile.
  • compress: Compress the old log files to save space.
  • postrotate/endscript: Commands to execute after the log file is rotated. In this case, it’s telling rsyslog to reload its configuration.

Running logrotate Manually

If the configuration seems correct, you can try running logrotate manually in debug mode with the command sudo logrotate -d /etc/logrotate.conf. This command will simulate log rotation without actually rotating the logs. It will also provide detailed information about what logrotate is doing and any errors it encounters.

Checking Permissions on Log Directories

If running logrotate manually doesn’t solve the issue, you should check the permissions of the /var/log/ directory. The directory should have permissions set to 775 and should not be world-writable or writable by a group other than “root”. You can check the permissions with the command ls -ld /var/log/.

Setting the “su” Directive in logrotate Configuration

If the permissions on /var/log/ are correct, but logrotate is still not rotating the logs, you can add the following line to the rsyslog configuration in /etc/logrotate.d/rsyslog:

su root syslog

This directive tells logrotate to use the user “root” and the group “syslog” for the rotation process.

Testing logrotate Again

After making the necessary changes, you should test logrotate again with sudo logrotate -d /etc/logrotate.conf. If the log file is now rotating as expected, you’ve solved the issue. If not, there might be other system protections or configurations interfering with log rotation.

Remember to restart the logrotate service with sudo systemctl restart logrotate after making any changes to the logrotate configuration files.

In conclusion, /var/log/syslog not rotating can be due to various reasons like incorrect logrotate configuration, incorrect permissions, or system protections. By following the steps outlined in this article, you should be able to diagnose and fix the issue.

What is the purpose of log rotation?

Log rotation is a process that renames, compresses, and removes log files after a certain period or when they reach a certain size. This helps in managing disk space and makes log analysis more manageable.

Where is the logrotate configuration file located?

The logrotate configuration file is usually located at /etc/logrotate.conf. Individual application configurations are stored in /etc/logrotate.d/.

How can I check the logrotate configuration for syslog?

To check the logrotate configuration for syslog, you can open the /etc/logrotate.d/rsyslog file. This file should contain the directives and settings for rotating the /var/log/syslog file.

How can I manually run logrotate in debug mode?

You can run logrotate manually in debug mode with the command sudo logrotate -d /etc/logrotate.conf. This command will simulate log rotation without actually rotating the logs and provide detailed information about what logrotate is doing and any errors encountered.

What permissions should the `/var/log/` directory have?

The /var/log/ directory should have permissions set to 775 and should not be world-writable or writable by a group other than "root". You can check the permissions with the command ls -ld /var/log/.

What is the purpose of the “su” directive in logrotate configuration?

The "su" directive in logrotate configuration specifies the user and group that logrotate should use for the rotation process. For example, su root syslog tells logrotate to use the user "root" and the group "syslog" for rotation.

How can I restart the logrotate service?

You can restart the logrotate service with the command sudo systemctl restart logrotate after making any changes to the logrotate configuration files. Restarting the service ensures that the changes take effect.

Leave a Comment

Your email address will not be published. Required fields are marked *