Tuesday, September 11, 2007

Logrotate with Syslog-NG


I wanted to archive my logs that are created with Syslog-NG. But I also wanted to delete them after a while.

Syslog-NG does a great job of rotating the logs. There is even a script on the Syslog-NG FAQ that will compress the logs. My script has now been copied up there. (woohoo)

But we have a pretty small Syslog server, and generating 10 gigs of logs a day fills it up pretty quickly.

Here's the script I wrote...

It's pretty simple to follow:
Find all files in the log directory that are not dated today and that are not .gz, and archive them using gzip. We chose gzip because of the time it takes compared to bzip2. Yes, we can get more space from bzip2, but we usually have to uncompress the file, and bzip2 can take 20 minutes to do this.

Then, find all files that have not been modified in 14 days, and delete them.

Then, find all directories that are empty, and remove them.

There is a small logic problem with this script. If you change the modification time of the archive, say by unzipping it and then rezipping it, it will take an additional 14 days to delete.

[root@server cron.daily]# more syslog-ng-logrotate

#!/bin/sh
# Current policy is:
# Find all non-archived files that aren't from today, and archive them
# Archived logs are deleted after 14 days
#
# To change the retention period, change -mtime +14 to the number of days to keep

# Archive old logs
/usr/bin/find /var/log/HOSTS ! -name "*.gz" -type f ! -path "*`/bin/date +%Y/%m/%d`*" -exec /usr/bin/gzip {} \;

# Delete old archives
find /var/log/HOSTS/ -daystart -mtime +14 -type f -exec rm {} \;

# Delete empty directories
find /var/log/HOSTS/ -depth -type d -empty -exec rmdir {} \;
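
The mtime problem described above can be avoided by taking each archive's age from the date in its path, which unzipping and rezipping does not change. This is an added example, not part of the original script; it assumes a YYYY/MM/DD run of directories somewhere in every archive path (as the script's date filter implies), GNU date, and a constructed host name "web01".

```shell
#!/bin/sh
# Added example: retention keyed on the date in the path instead of mtime.
# Assumes a .../YYYY/MM/DD/... component somewhere in each archive's path.

# expired_archives ROOT CUTOFF
# Print every *.gz under ROOT whose path date is earlier than CUTOFF (YYYYMMDD).
expired_archives() {
    find "$1" -type f -name '*.gz' | while IFS= read -r f; do
        # Take the last YYYY/MM/DD run of path components as the log date.
        d=$(printf '%s\n' "$f" |
            sed -n 's|.*/\([0-9]\{4\}\)/\([0-9]\{2\}\)/\([0-9]\{2\}\)/.*|\1\2\3|p')
        # No recognisable date: keep the file rather than guess its age.
        [ -n "$d" ] || continue
        if [ "$d" -lt "$2" ]; then printf '%s\n' "$f"; fi
    done
}

# purge_expired ROOT [DAYS]
# Delete archives whose path date is more than DAYS (default 14) days old.
purge_expired() {
    cutoff=$(date -d "${2:-14} days ago" +%Y%m%d) || return 1  # GNU date syntax
    expired_archives "$1" "$cutoff" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# demo: constructed tree (hypothetical host name "web01"); both archives get
# a fresh mtime, as if they had just been unzipped and rezipped.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/web01/2007/08/20" "$t/web01/2007/09/10"
    : > "$t/web01/2007/08/20/messages.gz"
    : > "$t/web01/2007/09/10/messages.gz"
    # With a cutoff of 2007-08-28 only the 2007/08/20 archive is listed.
    expired_archives "$t" 20070828 | sed "s|^$t/||"
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the listing; calling purge_expired /var/log/HOSTS 14 would take the place of the mtime-based "Delete old archives" step.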