logrotate 不压缩 /var/log/messages

Question

随着时间的推移，我注意到一些日志，/var/log例如auth,kern并且messages变得越来越大。我logrotate为他们做了条目：

$ cat /etc/logrotate.d/auth.log 
/var/log/kern.log {
    rotate 5
    daily
}
$ cat /etc/logrotate.d/kern.log 
/var/log/kern.log {
    rotate 5
    daily
}
$ cat /etc/logrotate.d/messages 
/var/log/messages {
    rotate 5
    daily
    postrotate
        /bin/killall -HUP syslogd
    endscript
}

我也compress启用了该选项：

$ grep compress /etc/logrotate.conf 
# uncomment this if you want your log files compressed
compress

这个伟大工程auth.log，kern.log和其他人，这意味着每个这些日志被gzip压缩和旋转，用日志的最近5天保留。/var/log/messages但是没有被压缩，导致日志超过 5 天：

$ ls /var/log/messages*
/var/log/messages           /var/log/messages-20100213
/var/log/messages-20100201  /var/log/messages-20100214
/var/log/messages-20100202  /var/log/messages-20100215
/var/log/messages-20100203  /var/log/messages-20100216
/var/log/messages-20100204  /var/log/messages-20100217
/var/log/messages-20100205  /var/log/messages-20100218
/var/log/messages-20100206  /var/log/messages-20100219
/var/log/messages-20100207  /var/log/messages-20100220
/var/log/messages-20100208  /var/log/messages-20100221
/var/log/messages-20100209  /var/log/messages-20100222
/var/log/messages-20100210  /var/log/messages-20100223
/var/log/messages-20100211  /var/log/messages-20100224
/var/log/messages-20100212

正如ServerFault 上的另一个logrotate问题所解释的那样，旧日志（很可能）不会被删除，因为每个文件的文件结尾都不同。这似乎是因为文件没有被压缩。

我可以做些什么来/var/log/messages压缩和旋转最后 5 天的日志，就像我的所有其他日志文件一样？我错过了什么？

编辑 1：前几个答案中要求的附加信息。

我正在运行 Gentoo Linux。我的/etc/logrotate.conf文件：

$ cat /etc/logrotate.conf 
# $Header: /var/cvsroot/gentoo-x86/app-admin/logrotate/files/logrotate.conf,v 1.3 2008/12/24 20:49:10 dang Exp $
#
# Logrotate default configuration file for Gentoo Linux
#
# See "man logrotate" for details
# rotate log files weekly
weekly
#daily
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
compress
# packages can drop log rotation information into this directory
include /etc/logrotate.d
notifempty
nomail
noolddir
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

/etc/logrotate.d 包含我上面提到的自定义配置文件以及由这些包安装的 mysql、rsync 等配置。

我的根crontab是空的：

$ sudo crontab -l
no crontab for root

我检查了所有/etc/cron.{daily,hourly,monthly,weekly}与 syslog 相关的内容，并且有一个脚本可以旋转/var/log/syslog和/var/log/auth.log.

接下来，我做了一个/var/log/messages-onlylogrotate配置文件由CarpeNoctem的建议：

$ cat logrotate-messages 
weekly
rotate 4
create
dateext
compress
notifempty
nomail
noolddir
/var/log/messages {
    rotate 5
    daily
    postrotate
        /bin/killall -HUP syslogd
    endscript
}

然后我logrotate手动运行：

$ logrotate -d logrotate-messages -f
reading config file logrotate-messages
reading config info for /var/log/messages 

Handling 1 logs

rotating pattern: /var/log/messages  forced from command line (5 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/messages
  log needs rotating
rotating log /var/log/messages, log->rotateCount is 5
dateext suffix '-20100224'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
glob finding old rotated logs failed
renaming /var/log/messages to /var/log/messages-20100224
creating new /var/log/messages mode = 0644 uid = 0 gid = 0
running postrotate script
running script with arg /var/log/messages : "
        /bin/killall -HUP syslogd
"
compressing log with: /bin/gzip
$ which gzip
/bin/gzip
$ file /bin/gzip
/bin/gzip: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped

根据上面logrotate的日志，用/bin/gzip压缩了日志，但是在/var/log. 此外，对旧的旋转文件进行通配失败。

编辑 2：logrotate在.gz向旧/var/log/message-*文件附加后缀后添加运行的调试输出。

我们从以下开始：

$ ls /var/log/messages*
/var/log/messages              /var/log/messages-20100222.gz
/var/log/messages-20100219.gz  /var/log/messages-20100223.gz
/var/log/messages-20100220.gz  /var/log/messages-20100224.gz
/var/log/messages-20100221.gz

然后logrotate使用我们的自定义配置文件运行：

$ logrotate -d logrotate-messages -f
reading config file logrotate-messages
reading config info for /var/log/messages 

Handling 1 logs

rotating pattern: /var/log/messages  forced from command line (5 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/messages
  log needs rotating
rotating log /var/log/messages, log->rotateCount is 5
dateext suffix '-20100224'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
removing /var/log/messages-20100219.gz
removing old log /var/log/messages-20100219.gz
destination /var/log/messages-20100224.gz already exists, skipping rotation

这一次，logrotate的 glob 成功并找到了第六个压缩日志文件，打算将其删除。该文件实际上并未被删除；我想那是因为我们在调试模式下运行。

我很好奇启用该delaycompress选项是否/var/log/messages会有所帮助。我启用了它，并会在第二天早上检查结果。

Answer 1

添加delaycompress到配置部分以/var/log/messages解决问题。

来自man logrotate：

   delaycompress
          Postpone  compression of the previous log file to the next rota?
          tion cycle.  This only has effect when used in combination  with
          compress.   It  can  be used when some program cannot be told to
          close its logfile and thus might continue writing to the  previ?
          ous log file for some time.

我猜sysklogd，我的 syslog 守护进程不能被告知关闭它的日志文件，因此这是必要的。

有趣的是，原来的配置我有（没有delaycompress指令），来到直出的man logrotate（除非我改变weekly到daily）：

   # sample logrotate configuration file
   compress

   /var/log/messages {
       rotate 5
       weekly
       postrotate
           /usr/bin/killall -HUP syslogd
       endscript
   }

Answer 2

仅凭这些信息很难说，但我可以告诉你是什么拯救了我几次。

Logrotate 有一个调试选项，它会打印输出到标准输出的每一步的播放。所以在这种情况下你可以这样做：

logrotate -d /etc/logrotate.conf

输出会告诉你到底发生了什么。此外，如果您想缩小调试输出的范围，您可以这样做

logrotate -d /etc/logrotate.d/messages

尽管您可能希望暂时将主要的 logrotate.conf 选项放置在该文件块中，因为直接指定该文件意味着它将永远不会读取主要的配置选项。指定单个文件还意味着您可以将-f(force) 选项与调试选项结合使用来查看消息文件发生的实际轮换。