Chapter 11
You should see something like Listing 11-3.
# see "man logrotate" for details
# rotate log files weekly
➊ weekly
# keep 4 weeks worth of backlogs
➋ rotate 4
# create new (empty) log files after rotating old ones
➌ create
# uncomment this if you want your log files compressed
➍ #compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may also be configured here
--snip--

Listing 11-3: The logrotate configuration file
First, you can set the unit of time your rotate numbers refer to ➊. The default here is weekly, meaning any number after the rotate keyword always refers to weeks.

Further down, you can see the setting for how often to rotate logs—the default setting is to rotate logs every four weeks ➋. This default configuration will work for most people, but if you want to keep your logs longer for investigative purposes or shorter to clear them out quicker, this is the setting you should change. For instance, if you check your log files every week and want to save storage space, you could change this setting to rotate 1. If you have plenty of storage for your logs and want to keep a semipermanent record for forensic analysis later, you could change this setting to rotate 26 to keep your logs for six months or rotate 52 to keep them for one year.

By default, a new empty log file is created when old ones are rotated out ➌. As the comments in the configuration file advise, you can also choose to compress your rotated log files ➍.
At the end of each rotation period, the log files are renamed and pushed toward the end of the chain of logs as a new log file is created, replacing the current log file. For instance, /var/log/auth.log will become /var/log/auth.log.1, then /var/log/auth.log.2, and so on. If you rotate logs every four weeks and keep four sets of backups, you will have /var/log/auth.log.4 but no /var/log/auth.log.5, meaning that /var/log/auth.log.4 will be deleted rather than being pushed to /var/log/auth.log.5. You can see this by using the ls command to find the /var/log/auth.log files with a wildcard, as shown here:
kali > ls /var/log/auth.log*
/var/log/auth.log.1
/var/log/auth.log.2
/var/log/auth.log.3
/var/log/auth.log.4
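The renaming chain described above, together with the effect of the rotate count discussed earlier in the chapter, as an added example that is not from the book and is not logrotate's own code: a small POSIX shell script that imitates what rotate 4 plus create do to a single log, so you can watch the oldest copy fall off the end rather than becoming auth.log.5. The function names (rotate_once, simulate, count_rotations) are this example's own, and the "period N" lines it writes are constructed sample data.

```sh
#!/bin/sh
# Added example, not part of the book or of logrotate itself: a toy model of
# the renaming chain that "rotate KEEP" plus "create" produces for one log.
# Function and variable names (rotate_once, simulate, count_rotations) are
# this example's own.

# rotate_once DIR NAME KEEP
# Shift NAME -> NAME.1 -> NAME.2 ... -> NAME.KEEP, drop what would become
# NAME.(KEEP+1), and create a fresh empty NAME (the "create" directive).
rotate_once() {
    dir=$1; name=$2; keep=$3
    # The oldest copy falls off the end of the chain instead of being renamed.
    rm -f "$dir/$name.$keep"
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -f "$dir/$name.$prev" ] && mv "$dir/$name.$prev" "$dir/$name.$i"
        i=$prev
    done
    # The live log becomes NAME.1 and a new empty live log replaces it.
    [ -f "$dir/$name" ] && mv "$dir/$name" "$dir/$name.1"
    : > "$dir/$name"
}

# simulate DIR KEEP PERIODS
# Run PERIODS rotation periods; before each one, append a constructed sample
# line ("period N") to the live log so every rotated copy is identifiable.
simulate() {
    dir=$1; keep=$2; periods=$3
    p=1
    while [ "$p" -le "$periods" ]; do
        printf 'period %d\n' "$p" >> "$dir/auth.log"
        rotate_once "$dir" auth.log "$keep"
        p=$((p + 1))
    done
}

# count_rotations DIR NAME -> how many NAME.<n> copies currently exist
count_rotations() {
    n=0
    for f in "$1/$2".[0-9]*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone run: six weekly periods with "rotate 4". auth.log.4 holds
# period 3; periods 1 and 2 are gone, and no auth.log.5 is ever created.
demo_dir=$(mktemp -d)
simulate "$demo_dir" 4 6
ls "$demo_dir"
cat "$demo_dir/auth.log.4"
rm -rf "$demo_dir"
```

Changing the third argument of simulate to 26 or 52 shows why those rotate values keep six months or a year of weekly copies: the chain simply grows longer before the oldest copy is discarded.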
For more details on the many ways to customize and use the logrotate utility, see the man logrotate page. This is an excellent resource to learn about the functions you can use and the variables you can change to customize how your logs are handled. Once you become more familiar with Linux, you'll get a better sense of how often you need to log and what options you prefer, so it's worth revisiting the logrotate.conf file.