Prevent your log files from getting out of control in Debian Squeeze

Mar 13th, 2012 | By | Category: Linux / Freebsd

Well as you read last week my system threw in the towel on me after my hard drive was completely filled up by my syslog, kern.log and messages log files.  A little bit stupid as they were almost all duplicates of each other.  But I checked on them today, 3 days later or so and lo and behold they are all back up to 1.9GB in a few days.

Now I know what you are saying: clearly this should be a sign to check what is filling up the log files, or to turn down the verbosity of my logging. However, it looks like a lot of this is Opera related and a lot of other normal shit being logged which I don’t really care to dive into and troubleshoot, so I’m going to go with the next best option and just ensure that the logs are properly cleared out before they overload my hard drive.

Introduce logrotate.

Debian comes with this installed by default so there shouldn’t be any setting up involved. What you need to do is edit /etc/logrotate.conf and check how often and when your logs are being cleared out. It looks like the default is 4 weeks worth of logs, which is rather insane for a home machine, so we’re going to change that. Considering how my logs go up to 1.9GB a pop in 3 days, I don’t want logrotate to clear the logs out based on time; I want them to be cleared out based on size. What I chose to do in the end was to have my size limit set to 250 MB with 2 rotations. So what happens is that log becomes log.1 after 250MB, and once log fills up to 250MB again log.1 is deleted, log is renamed to log.1 and a new log is started. So for any particular log the max size I’ll have over the 2 files is 500MB. That I can live with, although even that is a little too big for comfort, but whatever, I don’t want my cpu clearing logs out every couple of hours and bogging my system down. I’ve left compression off because again I want to spare my cpu as much as possible in this process.

 

So in the end the top portion of my /etc/logrotate.conf file looks like this:

size 250M
rotate 2
create
#compress
include /etc/logrotate.d
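The arithmetic behind `size 250M` and `rotate 2`, as an added example that is not from the original post: a simplified Python model of size-based rotation. It assumes a constant growth rate of 25 MB/hour (constructed, roughly the 1.9GB-in-3-days rate mentioned above), that `rotate 2` keeps two old files in addition to the live log, and that the size is only checked when logrotate actually runs, which on Debian is once a day from /etc/cron.daily/logrotate; the hourly schedule is a hypothetical alternative.

```python
"""Simplified model of logrotate's size-based rotation (added example)."""


def simulate(growth_mb_per_hour, size_mb, rotate, check_every_hours, hours):
    """Return (peak_total_mb, peak_live_mb, rotations) for one log file.

    The daemon appends continuously, but logrotate only looks at the file
    when it is run. If the live file is bigger than `size_mb` at that
    moment it becomes log.1, older files shift up by one, and anything
    beyond `rotate` old files is deleted.
    """
    live = 0
    old = []  # old[0] is log.1, old[1] is log.2, ...
    peak_total = peak_live = 0
    rotations = 0
    for hour in range(1, hours + 1):
        live += growth_mb_per_hour
        peak_live = max(peak_live, live)
        peak_total = max(peak_total, live + sum(old))
        # The threshold is evaluated only on a logrotate run, not on write.
        if hour % check_every_hours == 0 and live > size_mb:
            old.insert(0, live)   # log -> log.1, log.1 -> log.2, ...
            del old[rotate:]      # keep at most `rotate` old files
            live = 0              # `create` starts a fresh, empty log
            rotations += 1
    return peak_total, peak_live, rotations


if __name__ == "__main__":
    week = 7 * 24
    # Constructed growth rate: 25 MB/hour, i.e. 600 MB/day.
    for label, every in (("daily cron run", 24), ("hourly run (hypothetical)", 1)):
        total, live, n = simulate(25, 250, 2, every, week)
        print(f"{label}: peak on disk {total} MB, "
              f"largest live file {live} MB, {n} rotations in a week")
```

With the daily run the live file is already 600 MB each time logrotate looks at it, so the footprint for this one log peaks at 1800 MB; the threshold only bounds the file tightly when logrotate runs often enough relative to the growth rate.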

 

Now this is all fine and dandy for some of the log files in /var/log, however it won’t affect the big troublemakers like syslog, messages, and kern.log. That’s because logrotate doesn’t handle these, rsyslog does, and to effect change in that you need to go into /etc/logrotate.d/ and edit the rsyslog file.

Inside of that you’ll see the entry for syslog, and then these files will all be clumped into one rule:

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages

You need to apply what we’ve just learned to those rules. My syslog ruleset does away with much of the default stuff they throw in there, although I just commented it out in case it was needed for some reason and I could easily put it back into place. So my entry for syslog looks like this:

/var/log/syslog
{
size 250M
rotate 2
# missingok
# notifempty
# delaycompress
# compress
# rsyslog keeps the renamed file open; reload it so it writes to the new syslog
postrotate
invoke-rc.d rsyslog reload > /dev/null
endscript
create
}

 

Hope that helps

2 Comments to “Prevent your log files from getting out of control in Debian Squeeze”

  1. Nacho Martin says:

    Very useful, thanks.

    my /var/log folder was holding 11GB of logfiles after 3 days!

  2. KuN says:

    Thanks for the tips. My syslog reached 1.2g and used the last bit of my sys disk.
