Sunday, 6 April 2014

Configure log rotation - Solaris 10

To ease the administration of systems that generate a large number of log files, you can manage them with a utility called logrotate, which allows automatic rotation, compression, removal and mailing of log files. Each log file can be handled daily, weekly or when it grows too large.

Objective: compress and rotate logs once the file size crosses a certain threshold.

Environment: Solaris 10 32-bit

The system log rotation is defined in the /etc/logadm.conf file. This file includes log rotation entries for processes such as syslogd. For example, one entry in the /etc/logadm.conf file specifies that the /var/log/ciscofirewall.log file is rotated weekly unless the file is empty. The most recent ciscofirewall.log file becomes ciscofirewall.log.0, the next most recent becomes ciscofirewall.log.1, and so on. Eight previous ciscofirewall log files are kept.
The /etc/logadm.conf file also contains time stamps of when the last log rotation occurred.

# vi /etc/logadm.conf
/var/log/ciscofirewall.log -C 9 -s 10240k -z 4 -N -a 'kill -HUP `cat /var/run/`'

     -C = expire old logs until count remain (9 log files created and rotated).
     -N = not an error if the log file is nonexistent.
     -s = only rotate if the file is the given size or greater.
     -a = execute command after taking actions.
     -z = gzip old logs except the most recent count (the last 5 log files would be compressed).

- Restart syslogd for the changes to take effect.

The logadm command is often run from a cron job, which has the effect of fully automatic log rotation.

# crontab -l 
10 3 * * * /usr/sbin/logadm

# ls -l /var/log/ciscofirewall*.log.* | wc -l

# ls -l /var/log/ciscofirewall*.log.*.gz | wc -l

# ls -ltr /var/log/ciscofirewall.log*
-rw-r--r--   1 root     root       41048 Apr  6 14:38 /var/log/ciscofirewall.log.8.gz
-rw-r--r--   1 root     root       42076 Apr  6 14:39 /var/log/ciscofirewall.log.7.gz
-rw-r--r--   1 root     root       41621 Apr  6 14:40 /var/log/ciscofirewall.log.6.gz
-rw-r--r--   1 root     root       41524 Apr  6 14:41 /var/log/ciscofirewall.log.5.gz
-rw-r--r--   1 root     root       41410 Apr  6 14:42 /var/log/ciscofirewall.log.4.gz
-rw-r--r--   1 root     root     21510944 Apr  6 14:43 /var/log/ciscofirewall.log.3
-rw-r--r--   1 root     root     21139079 Apr  6 14:44 /var/log/ciscofirewall.log.2
-rw-r--r--   1 root     root     21536814 Apr  6 14:45 /var/log/ciscofirewall.log.1
-rw-r--r--   1 root     root     21399755 Apr  6 14:46 /var/log/ciscofirewall.log.0
-rw-r--r--   1 root     root     16434041 Apr  6 14:46 /var/log/ciscofirewall.log

All your logs have now been rotated in a disciplined manner, which makes troubleshooting easier in case of any errors.
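To confirm that the rotated set in a listing like the one above matches the `-C 9 -z 4` policy, a check such as the following can be run after logadm. This is an added example, not part of the original post; the function name `check_rotation` is hypothetical, and it assumes a POSIX shell (on Solaris 10, /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh).

```shell
# check_rotation DIR BASENAME COUNT KEEP_PLAIN   (hypothetical helper)
# Verifies that the rotated generations of DIR/BASENAME match a logadm
# policy of "-C COUNT -z KEEP_PLAIN": generations 0..KEEP_PLAIN-1 may be
# uncompressed, older ones must be .gz, and none beyond COUNT-1 may exist.
# Prints one line per violation and returns non-zero if any were found.
check_rotation() {
    dir=$1 base=$2 count=$3 keep_plain=$4
    status=0
    for f in "$dir/$base".*; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=${f##*/}                      # strip the directory part
        suffix=${name#"$base".}            # e.g. "3" or "5.gz"
        gen=${suffix%.gz}                  # generation number only
        case $gen in
            ''|*[!0-9]*) continue ;;       # not a numbered generation
        esac
        if [ "$gen" -ge "$count" ]; then
            echo "EXCESS: $name (generation $gen is beyond -C $count)"
            status=1
        elif [ "$gen" -ge "$keep_plain" ] && [ "$suffix" = "$gen" ]; then
            echo "UNCOMPRESSED: $name (expected .gz under -z $keep_plain)"
            status=1
        fi
    done
    return $status
}

# Usage for the entry shown in this post:
#   check_rotation /var/log ciscofirewall.log 9 4
```

A non-zero return right after a logadm run points to an entry that does not match the intended options, or to files left behind by an earlier configuration.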