unable to log rotate centos 7.4.1708 (Core)

Issues related to applications and software problems
sunilka
Posts: 13
Joined: 2015/04/05 03:48:18

unable to log rotate centos 7.4.1708 (Core)

Post by sunilka » 2019/02/15 13:46:00

I am using CentOS 7.4.1708 (Core) and tried to configure syslog for log rotation; however, no log rotation is happening on the host.
Is there any bug anyone has noticed in this version, or have you come across anything like this earlier on this version?

Not a single file has been rotated from the syslog logs in the /var/log directory.
Can you please help me? I am clueless here.

Code:

[root@centos logrotate.d]# cat /etc/redhat-release
 Linux release 7.4.1708 (Core)
[root@centos logrotate.d]#

[root@centos logrotate.d]# cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    daily
    rotate 3
    missingok
    notifempty
    compress
    copytruncate
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
[root@centos logrotate.d]#

[root@centos logrotate.d]# rpm -qa | grep -i rsyslog
rsyslog-8.32.0-3.el7..x86_64
[root@centos logrotate.d]#

[root@centos ~]# grep -i logrotate /var/log/messages
[root@centos ~]# grep -i logrotate /var/log/audit/audit.log
[root@centos ~]#

[root@centos ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@centos ~]#

[root@centos ~]# ls -l /var/log/*.gz
ls: cannot access /var/log/*.gz: No such file or directory
[root@centos ~]#


TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: unable to log rotate centos 7.4.1708 (Core)

Post by TrevorH » 2019/02/15 14:04:23

> I am using centos 7.4.1708 (Core)
There's your first mistake - that's 2 point releases and 18 months behind the current version. Run yum update to get up to date and fix numerous high severity security vulnerabilities.

That's also not our version of rsyslog - it should be rsyslog-8.24.0-34.el7.x86_64 not 8.32.

Our version of rsyslog and the logrotate file that it distributes works out of the box.

You have duplicate postrotate scripts and I'm pretty sure that you cannot be running both rsyslog and whatever it is that uses syslogd.pid at the same time.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

sunilka
Posts: 13
Joined: 2015/04/05 03:48:18

Re: unable to log rotate centos 7.4.1708 (Core)

Post by sunilka » 2019/02/24 14:59:53

This is in production and at this point in time I wouldn't be able to upgrade the system, but I have removed logrotate and rsyslog packages.
I still don't see log rotation working.

What might be the reason? Any help on how to fix this issue?

Current installed version:

logrotate-3.8.6-17.el7.x86_64
rsyslog-8.24.0-34.el7.x86_64

Code:

#cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    missingok
    sharedscripts
    postrotate
	/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

When I try to run the log rotation in debug mode, I get the log below:

Code:

# /usr/sbin/logrotate -d /etc/logrotate.d/syslog
reading config file /etc/logrotate.d/syslog
Allocating hash table for state file, size 15360 B

Handling 1 logs

rotating pattern: /var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
 1048576 bytes (no old logs will be kept)
empty log files are rotated, old logs are removed
considering log /var/log/cron
  log does not need rotating (log size is below the 'size' threshold)
considering log /var/log/maillog
  log does not need rotating (log size is below the 'size' threshold)
considering log /var/log/messages
  log needs rotating
considering log /var/log/secure
  log does not need rotating (log size is below the 'size' threshold)
considering log /var/log/spooler
  log does not need rotating (log size is below the 'size' threshold)
rotating log /var/log/messages, log->rotateCount is 0
dateext suffix '-20190224'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/messages.1 to /var/log/messages.2 (rotatecount 1, logstart 1, i 1),
renaming /var/log/messages.0 to /var/log/messages.1 (rotatecount 1, logstart 1, i 0),
fscreate context set to system_u:object_r:var_log_t:s0
renaming /var/log/messages to /var/log/messages.1
disposeName will be /var/log/messages.1
running postrotate script
running script with arg /var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
: "
	/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
"
removing old log /var/log/messages.1
error: error opening /var/log/messages.1: No such file or directory
#

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: unable to log rotate centos 7.4.1708 (Core)

Post by TrevorH » 2019/02/24 15:44:23

man logrotate says:
> -d, --debug
> Turns on debug mode and implies -v. In debug mode, no changes will be made to the logs or to the logrotate state file.
So when run in debug mode, it does nothing, it only tells you what it would have done if you hadn't used -d.

So, your /etc/logrotate.d/syslog doesn't contain an interval so it's inheriting 'weekly' from /etc/logrotate.conf. That means it won't even try to rotate your log files until 1 calendar week after the last rotation happened.
> this is in production and at this point in time i wouldn't be able to upgrade the system
I'm sure the people at Equifax and all the other recent high profile compromises that lost customer data all said the same thing. If this is production you should have a test system on which to try things out and you should be aiming to roll out critical and important patches within weeks not more than 18 months. You need to adjust your patching schedule so that you don't get this far behind in future.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
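
The inheritance described in the last reply, as an added example that is not part of the thread: it reports whether a drop-in stanza sets its own rotation interval or inherits one from the main config, and reads the last recorded rotation from a state file. The function names are hypothetical and every file content is a constructed sample; on a real CentOS 7 host the inputs would be /etc/logrotate.conf, /etc/logrotate.d/syslog and /var/lib/logrotate/logrotate.status.

```shell
#!/bin/sh
# Added example (not from the thread). All file contents below are constructed.

# Print the first interval keyword in file $1. $2 selects the scope:
# "stanza" = inside a { } block, "global" = outside any block
# (defaults that every stanza without its own interval inherits).
find_interval() {
    awk -v scope="$2" '
        $1 ~ /^#/ { next }
        index($0, "{") { depth++ }
        { where = (depth > 0) ? "stanza" : "global" }
        where == scope && $1 ~ /^(hourly|daily|weekly|monthly|yearly)$/ { print $1; exit }
        index($0, "}") { depth-- }
    ' "$1"
}

# $1 = main config, $2 = drop-in file. Report the interval the drop-in uses
# and whether it is set locally or inherited from the main config.
effective_interval() {
    own=$(find_interval "$2" stanza)
    if [ -n "$own" ]; then
        echo "$own local"
    else
        inherited=$(find_interval "$1" global)
        echo "${inherited:-unset} inherited"
    fi
}

# Timestamp of the last rotation recorded for log $2 in state file $1.
last_rotated() {
    awk -v name="\"$2\"" '$1 == name { print $2 }' "$1"
}

# Constructed samples: a main config with a weekly default, a drop-in with no
# interval (like the second post's file), and a version 2 state file.
demo=$(mktemp -d)
printf 'weekly\nrotate 4\ncreate\ninclude /etc/logrotate.d\n' > "$demo/logrotate.conf"
printf '/var/log/messages\n/var/log/secure\n{\n    missingok\n    sharedscripts\n}\n' > "$demo/syslog"
printf 'logrotate state -- version 2\n"/var/log/messages" 2019-2-24-3:0:0\n' > "$demo/status"

effective_interval "$demo/logrotate.conf" "$demo/syslog"   # weekly inherited
last_rotated "$demo/status" /var/log/messages              # 2019-2-24-3:0:0
```

Running `logrotate -d` against the main config rather than a single drop-in shows the inherited settings as the scheduled run would apply them.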
