Tom Zheng |
Jul 14, 2008 10:18:52 PM
|
Softpanorama |
May the source be with you, but remember the KISS principle ;-)
Starting with Solaris 9, there is a standard tool called logadm for rotating logs. logadm is an independent utility, unlike AIX, where log rotation is a capability integrated into the syslog daemon. The logadm command is a preconfigured entry in the default crontab file supplied with Solaris 9 and Solaris 10. The /usr/lib/newsyslog script is no longer used.
Note: Before Solaris 9 there was a FreeBSD-style tool, newsyslog, located in /usr/lib/, and a Perl script, rotatelog, written by Shaun Rowland. It is meant to be run from cron, with a configuration file and documentation available. For Solaris 8 and earlier you can download the tar.gz file and untar it. Then go into the new directory and execute make install. It installs everything by default under /usr/local/ (mainly /usr/local/sbin/rotatelog and /usr/local/etc/rotatelog.conf).
logadm uses a configuration file, logadm.conf. It specifies the schedule for log rotation and the options with which rotation is performed. In the default configuration of logadm.conf the /var/adm/messages file is already configured to be rotated:
The syntax of the logadm.conf file is as follows:
logname <space> options
For a very simple configuration to rotate these files, insert the following line:
/var/adm/sshdlog -C 7 -P 'Sat Jan 21 08:10:00 2006' -a 'pkill sshd2'
As you can see from the line above, we specified /var/adm/sshdlog as our log to rotate.
The options (see Reference for the full list):
-C count -- Delete the oldest versions until there are no more than count files left. This option specifies the maximum number of log files to keep. If it is exceeded, the oldest file is deleted to keep the total number at the specified value.
-P timestamp -- This option is used to specify the timestamp of the last rotation of the particular log.
-p period -- Rotate a log file after the specified time period (period). Specify period as a number followed by d for days, w for weeks, m for months (really 30 days) or y for years. There are also two special values for period: now and never. -p now forces log rotation. -p never forces no log rotation.
-a post_command -- This option is used to specify a post command that is run once after all logs have been rotated. The command can send a HUP signal to a daemon or restart it. It can also be used to compress the rotated log with a non-standard compressor (the -z option can be used for the standard compressor) and/or to send a message to the sysadmin.
As with cron, the -w option to logadm(1M) is the preferred way to modify the configuration file. If you do edit it by hand, use "logadm -V" to check it for errors and to activate changes.
For example, one entry in the /etc/logadm.conf file specifies that the /var/log/syslog file is rotated weekly unless the file is empty. The most recent syslog file becomes syslog.0, the next most recent becomes syslog.1, and so on. Eight previous syslog log files are kept. The /etc/logadm.conf file also contains time stamps of when the last log rotation occurred. The time stamp is written in the field defined by the -P flag.
You can use the logadm command to customize system logging and to add additional logging in the /etc/logadm.conf file as needed.
For example, to rotate the Apache access and error logs, use the following commands:
# logadm -w /var/apache/logs/access_log -s 100m
# logadm -w /var/apache/logs/error_log -s 10m
In this example, the Apache access_log file is rotated when it reaches 100 Mbytes in size, with a .0, .1, (and so on) suffix, keeping 10 copies of the old access_log file. The error_log is rotated when it reaches 10 Mbytes in size with the same suffixes and number of copies as the access_log file.
The /etc/logadm.conf entries for the preceding Apache log rotation examples look similar to the following:
# cat /etc/logadm.conf
...
/var/apache/logs/error_log -s 10m
/var/apache/logs/access_log -s 100m
For more information, see logadm(1M).
You can use the logadm command as superuser or by assuming an equivalent role (with Log Management rights). With role-based access control (RBAC), you can grant non-root users the privilege of maintaining log files by providing access to the logadm command. For example, add the following entry to the /etc/user_attr file to grant user andy the ability to use the logadm command:
andy::::profiles=Log Management
Or, you can set up a role for log management by using the Solaris Management Console. For more information about setting up a role, see "Role-Based Access Control (Overview)" in System Administration Guide: Security Services.
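Because the Log Management profile lets a non-root account rotate and expire logs, it is worth reviewing who holds it. The following is an added example, not part of the original page: it reads user_attr-format text and lists accounts that have a profile directly or through a role. The sample entries other than andy and the function names are constructed; only user_attr itself is read, so rights granted elsewhere are not resolved.

```shell
#!/bin/sh
# Added example (not from the original page): list accounts in user_attr
# text that hold a given rights profile, directly or through a role.

sample_user_attr() {   # constructed sample in user_attr format
cat <<'EOF'
# user:qualifier:res1:res2:attr
andy::::profiles=Log Management
logmgr::::type=role;profiles=Log Management,Basic Solaris User
beth::::type=normal;roles=logmgr
carl::::type=normal;profiles=Printer Management
EOF
}

who_has_profile() {    # $1 = profile name; stdin = user_attr text
    awk -F: -v want="$1" '
    /^[ \t]*#/ || NF < 5 { next }
    {
        user = $1; order[++n] = user
        # The fifth field is a ;-separated list of key=value attributes.
        k = split($5, kv, ";")
        for (i = 1; i <= k; i++) {
            eq = index(kv[i], "=")
            key = substr(kv[i], 1, eq - 1); val = substr(kv[i], eq + 1)
            if (key == "roles") roles[user] = val
            if (key == "profiles") {
                p = split(val, pl, ",")
                for (j = 1; j <= p; j++) if (pl[j] == want) direct[user] = 1
            }
        }
    }
    END {
        # Report in file order: direct holders first checked, then roles.
        for (u = 1; u <= n; u++) {
            user = order[u]
            if (user in direct) { print user " direct"; continue }
            r = split(roles[user], rl, ",")
            for (j = 1; j <= r; j++)
                if (rl[j] in direct) { print user " via-role " rl[j]; break }
        }
    }'
}

sample_user_attr | who_has_profile "Log Management"
```

On a real system, feed it the file itself: who_has_profile "Log Management" < /etc/user_attr.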
The log rotation problem exists on any server, but it is most acute on log consolidation servers (LOGHOST servers) that collect logs from other servers. The volume of logs on a busy Solaris loghost system can grow to over 50G in a week. On a typical loghost, the /var/adm/messages log alone can easily be larger than 1G in one day.
Among the log files which should be rotated on a typical Solaris box:
/var/adm/syslog -- Logs common system events
/var/adm/messages -- Miscellaneous log file for most events on a system
/var/cron/log -- Logs all jobs run in crontab
/var/lp/logs/lpsched -- Logs information related to the print services
/var/adm/pacct -- Used for process accounting
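A quick way to confirm that every log on such a list actually has a rotation entry is to parse logadm.conf against it. The following is an added example, not part of the original page: it reads text in the "logname options" syntax and reports, for each required log, whether an entry is missing, disabled with -p never, or present and how many old copies it keeps. The sample configuration and function names are constructed, and a default of 10 copies is assumed when no -C is given, as in the Apache example above.

```shell
#!/bin/sh
# Added example: check logadm.conf text for rotation coverage and retention.

sample_conf() {   # constructed sample, using the "logname options" syntax
cat <<'EOF'
# constructed logadm.conf sample
/var/adm/messages -C 4 -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/cron/log -s 512k -a 'logger -p daemon.notice cron log rotated'
/var/adm/pacct -p never
/var/adm/sshdlog -C 7 -P 'Sat Jan 21 08:10:00 2006' -a 'pkill sshd2'
/var/apache/logs/access_log -s 100m
EOF
}

audit_logadm() {  # args = logs that must be rotated; stdin = logadm.conf text
    awk -v want="$*" -v q="'" '
    BEGIN { n = split(want, w, " ") }
    /^[ \t]*#/ || NF == 0 { next }
    {
        line = $0
        # Replace quoted option values (timestamps, -a commands) so that
        # words inside them are not mistaken for logadm options.
        gsub(q "[^" q "]*" q, "Q", line)
        gsub(/"[^"]*"/, "Q", line)
        m = split(line, f)
        name = f[1]; seen[name] = 1
        keep[name] = 10          # assumed default when no -C is given
        for (i = 2; i < m; i++) {
            if (f[i] == "-C") keep[name] = f[i + 1]
            if (f[i] == "-p") period[name] = f[i + 1]
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            l = w[i]
            if (!(l in seen))               print "MISSING " l
            else if (period[l] == "never")  print "NEVER " l
            else                            print "OK " l " keep=" keep[l]
        }
    }'
}

sample_conf | audit_logadm /var/adm/syslog /var/adm/messages /var/cron/log \
    /var/lp/logs/lpsched /var/adm/pacct
```

On a real system, replace sample_conf with the file: audit_logadm /var/adm/messages /var/cron/log < /etc/logadm.conf.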