Log Rotation (Demo)

Time
21 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
21
Video Transcription
00:00
>> Hey, Cybrarians, welcome back to
00:00
the Linux plus course here at Cybrary.
00:00
I'm your instructor Rob Gels,
00:00
and in today's lesson, we're going
00:00
to cover log rotation.
00:00
Upon completion of today's lesson,
00:00
you're going to understand
00:00
why log rotation is necessary.
00:00
We're going to talk about how logrotate operates,
00:00
and then we're going to find the default logrotate and
00:00
custom logrotate files during
00:00
a demo at the end of this lesson.
00:00
As mentioned in the last lesson,
00:00
logging happens continuously on a Linux system.
00:00
On a busy system,
00:00
this can generate enormous log files
00:00
and these can fill up the disk.
00:00
As we talked about previously,
00:00
if you haven't separated
00:00
your logs into a different partition,
00:00
it can crash the system.
00:00
You don't want your logs on
00:00
the same partition as the root
00:00
because that's just a bad idea.
00:00
To deal with this issue though,
00:00
Linux systems can use something
00:00
called the logrotate utility.
00:00
Logrotate is run daily by default and it will be used
00:00
to split log files based on time or size of the file,
00:00
those are configurable options.
00:00
It also will archive
00:00
files and it can optionally compress them.
00:00
Now by default, the configuration from
00:00
logrotate is found in /etc/logrotate.conf,
00:00
but additional or custom settings are
00:00
also found in /etc/logrotate.d.
00:00
Application installers often place
00:00
configuration files here,
00:00
so maybe if you install Samba or something,
00:00
you're going to find something in that directory
00:00
for Samba that specifies how
00:00
those logs should be rotated
00:00
based on what the application feels
00:00
is correct for those logs.
00:00
There are a lot of configuration options
00:00
that you can set logrotate but here are
00:00
some common ones you're likely to see.
00:00
For example, weekly,
00:00
weekly will rotate the log files once a week,
00:00
and then we can also specify the number of times to
00:00
rotate a log before deleting it with
00:00
rotate 4, for example.
00:00
This is a common option and that means that it
00:00
keeps all the logs for one month.
00:00
Rotate it four times and then it'll delete the logs.
00:00
We can also specify to create a new log after
00:00
deleting old ones with the create option.
00:00
There is the dateext option,
00:00
which uses the date as the suffix for the rotated file,
00:00
it indicates when it was rotated
00:00
by the date that that was done on the system.
00:00
We can use compress,
00:00
which will compress rotated
00:00
log files and ensure that they
00:00
don't take up a ton of
00:00
disk space on the system, very good idea.
00:00
Then finally we have missingok,
00:00
and that's just going to suppress
00:00
an error message if a log is missing.
00:00
Because we don't want logging,
00:00
complaining about logging,
00:00
logging be missing logging,
00:00
logging, logging just dump.
00:00
[LAUGHTER] For more information,
00:00
see linuxconfig.org and look at
00:00
the logrotate-8-manual-page.
00:00
But let's take a look at this
00:00
roll some logs in some demo time.
00:00
Here we are back in our CentOS environment.
00:00
We're going to be on CentOS 8 today.
00:00
Let's take a look at this main configuration file,
00:00
we're going to do a cat on /etc/logrotate.conf.
00:00
In this file, we can see that it performs
00:00
a weekly rotation and it only keeps four old files.
00:00
We can also see that it uses
00:00
the date extension when it rotates things.
00:00
We can also see that it does
00:00
the include here to include the
00:00
/etc/logrotate.d and we can see that
00:00
it does compress and a few other things here.
00:00
Let's take a look at the /etc/logrotate.d directory.
00:00
Let's do less on /etc/logrotate.d and inside of here,
00:00
we can see that there are
00:00
specific log files for
00:00
various applications things like
00:00
chrony, cups, dnf, firewall.
00:00
Then over there for a little bit further,
00:00
we see Samba, which I had mentioned earlier.
00:00
Let's take a look at that one.
00:00
We can go into less /etc/rotate.d
00:00
and we're going to search Samba.
00:00
Sorry, I may have misspelled something there.
00:00
Let's see, /etc/logrotate.d, they're missing log.
00:00
[NOISE] There we go,
00:00
we can see the contents of this message.
00:00
At the top, we can see
00:00
the actual log location and name so it's going to
00:00
put all the logs in /var/log/samba/log.*.
00:00
Then in between the curly braces,
00:00
we can see all the options so
00:00
you can see here it compresses,
00:00
it uses the date extension to
00:00
add a suffix to things that are compressed.
00:00
We also see a new setting we didn't see
00:00
before which is maxage,
00:00
which means that the file can only go
00:00
365 days or one year before it's forced to
00:00
be rotated and we'll store
00:00
99 rotated files before we start deleting them.
00:00
We also have an old directory to move things into,
00:00
we don't care if the files are missing,
00:00
and then we have copytruncate.
00:00
I didn't cover that,
00:00
but definitely if you're interested in that,
00:00
look into that in the man
00:00
page and learn a little bit more.
00:00
With that, in this lesson,
00:00
we covered why log rotation is necessary.
00:00
We talked about how logrotate operates,
00:00
and then we talked about where to find
00:00
the default logrotate configuration,
00:00
/etc/logrotate.conf and then the custom or
00:00
application-specific logrotate configuration files,
00:00
while those are found in /etc/logrotate.d.
00:00
Thanks so much for being here and I look
00:00
forward to seeing you in the next lesson.