转储Linux日志文件（Rotating Linux Log Files - Part 1: Syslog）

最新推荐文章于 2024-03-01 14:48:16 发布

sunkai_1998

最新推荐文章于 2024-03-01 14:48:16 发布

阅读量751

点赞数

分类专栏： Server 文章标签： Linux Log Logrotate syslog

Server 专栏收录该内容

5 篇文章 0 订阅

订阅专栏

http://www.ducea.com/2006/06/06/rotating-linux-log-files-part-1-syslog/

Syslog is the default logging application installed in most Linux distributions. It can be replaced withsyslog-ng for better functionality, but about this in a future article. As I explained in theintroduction, the log files that are managed by syslog are not rotated with logrotate, but by syslog itself. In the second part I will cover the log files that are handled by logrotate.

syslog是大多数Linux发行版的默认安装的日志程序。它可以用syslog-ng取代以获得更多功能，但会在将来的博文中介绍。就像我在Introduction中所说，被syslog管理的日志文件不会被logrotate转储，而是syslog自己来转储。在博文第二部分，我会讲logrotate所处理的日志文件。

What files are handled by syslog? We can find out what are those files simply by inspecting the syslog configuration file (/etc/syslog.conf) that defines each log file, and also what kind of information is saved to each particular file. Let’s see how the configuration file looks on a fresh Debiansystem (I have removed most of the comments and kept only the relevant log definitions):

什么文件被syslog处理？我们可以通过检查syslog的配置文件（/etc/syslog.conf）轻松找到这些文件。该配置文件定义了这些日志文件，和哪些信息会被保存在特定的文件中。让我们看看在一个刚刚安装的debian系统中这个配置文件是什么样（我去掉了大多数的注释，仅保留了日志相关的定义）。

#  /etc/syslog.conf     Configuration file for syslogd.
#
#                       For more information see syslog.conf(5)
#                       manpage.

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
uucp.*                          /var/log/uucp.log
...
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice
*.=debug;
auth,authpriv.none;
news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;
auth,authpriv.none;
cron,daemon.none;
mail,news.none          -/var/log/messages

Normally, I would change this and configure based on my preferences, but his is not the point now. As you can see there are various log files that will contain the information specified by the configured facility (authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security, syslog, user, uucp and local0 through local7).

通常，我会修改它，按照我的喜好来配置，但是现在不是重点。正如你看到的，这里有各种各样的日志文件，包含由配置设施知道的信息（authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security, syslog, user, uucp 和 local0 到local7）。

How are these files rotated? As I previously said this is handled bysyslog itself, and it is done using 2 cron scripts: daily and weekly.

这些文件怎么转储？就像我之前说的，这是由syslog来处理的，使用2个cron脚本：每日和每周。

daily rotation: (handled by /etc/cron.daily/sysklogd)

每日转储：（由/etc/cron.daily/sysklogd处理)

any files that contains the . facility in the syslog configuration are rotateddaily. The reason for this, is that they will log all the information regardless of the facility, and can become quite quickly very big.
在syslog配置文件中包含.facility的任何日志文件都是每日转储。原因是它们会记录所有信息不考虑facility。
if we will look inside the daily syslog cron we will see that it finds the logs it need to rotate by launching the filesyslogd-listfiles:
如果我们深入了解daily syslog cron，我们会发现它通过启动syslogd-listfiles来找到那些日志。

/usr/sbin/syslogd-listfiles /var/log/syslog <– the result on my default system
the actual rotation is handled by the savelog program as it can be seen in this line:
实际的转储由savelog程序处理，可以从下面这行看到：

savelog -g adm -m 640 -u root -c 7 $LOG >/dev/null

So we can see here that by default my debian system will keep 7 archives of previous logs (7 days). If I would want to change this, then all I have to do is to replace the-c 7 parameter with what I need. When does this rotation occur? Since it is launched from /etc/cron.daily/ it is defined in the system wide crontab:

所以我们可以看到，默认情况下，我的debian系统会保留7个之前的日志文档（7天）。如果我想改变这点，所要做的就是用我想要的值替换-c 7参数。什么时候这个转储会发生？因为它从/etc/cron.daily/启动，它被定义在系统级的crontab中。

 
  # /etc/crontab: system-wide crontab
...
25 6    * * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
47 6    * * 7   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.weekly 
 

so based on the default cron job, this will be done daily at 6:25AM.

所以基于默认的cron任务，这个会在每天早上6点25分执行。

weekly rotation: (handled by /etc/cron.weekly/sysklogd)

每周转储（由/etc/cron.weekly/sysklogd处理）

the rest of the syslog generated log files (different from . facility) will be rotatedweekly.
剩下的由syslog生成的日志文件（不同于.facility）会被每周转储。
if we will look inside the weekly syslog cron we will see it finds the logs it needs to rotate by running:
如果我们查看weekly syslog cron内部，我们会看到它通过运行下面的行来找到日志文件：

/usr/sbin/syslogd-listfiles —weekly /var/log/mail.warn /var/log/uucp.log /var/log/user.log /var/log/daemon.log /var/log/messages /var/log/debug /var/log/auth.log /var/log/mail.err /var/log/mail.log /var/log/kern.log /var/log/lpr.log /var/log/mail.info
as we can see all the logs defined in the syslog configuration file will appear, except thenews.*, that can be included by adding syslogd-listfiles —news, if needed.
正如我们看到的，所有定义在syslog配置文件中的日志都会出现，除了news.*，如果需要，这个可以通过添加syslogd-listfiles --news包含进来。
the rotation is again handled by the savelog program:
转储任然是由savelog程序处理：

savelog -g adm -m 640 -u root -c 4 $LOG >/dev/null

So by default it will keep 4 archives of old logs (without counting the current log); the archives will have the extension:.0-.3 (with the first archive not compressed by default). If I would want to change this, I would need to modify accordingly the-c 4 parameter based on my needs. As seen above in the system crontab, this rotation will take place at6:47AM each Sunday (the weekly cronjob).

所以默认会保留4个旧的日志档案（当前的日志文件不计算在内）；这些档案有这样的扩展名：.0 - .3 （默认第一个档案不会被压缩）。如果我想修改它，我需要根据我的需要相应的修改参数 -c 4。就像上面系统的crontab中看到的，这个转储会发生在每个星期天早上6点47分（每周cron任务）。

For example, the rotated log files for the messages log file, will look like this:

举例，messages日志文件的转储文件看起来如下：

/var/log/messages
/var/log/messages.0
/var/log/messages.1.gz
/var/log/messages.2.gz
/var/log/messages.3.gz

Note: On RedHat based systems (RHEL, Centos, Fedora, etc.) the functionality covered abovedoesn’t exist by default (even though I don’t see why it could not be implemented if someone wants it). On these operating systems, this is handled also bylogrotate as shown in the next part. This covers the basics on howsystem logs are rotated. In part 2 we will be looking at how application logs are rotated.

注解：在基于RedHat的系统中（RHEL，Centos，Fedora等）上面的功能默认不存在（虽然我没有明白为啥它没有被实施，如果有人想要它）。在这些操作系统中，这部分也是由下一节所讲的logrotate处理的。这里覆盖了系统日志转储的基础。在part 2中，我们会关注应用程序日志的转储。