(Linux) /var/log organisation using logrotate and rsyslog without breaking important systems


This is likely to elicit calls to close as it's asking for opinions, but I don't know how or where to ask in a more appropriate manner. Apologies in advance if this offends - it's not intended that way, and there is an actual question, which is "what am I going to break if I do this, and is it worth it?"



I hate the way that the /var/log directory gets untidy; there are log files, old log files, and directories also containing both of these. I'm considering using logrotate and rsyslogd to ensure that the directory looks something like this:



chrony
mail
cron
messages


all of which are directories. Each directory would contain a file and a directory:



chrony.log
history


Where logrotate is used to move old logs into the history directory, and the current log is the only file in each directory. I think that this would make it easier to read the directory, to find the relevant log file, and is just, well, neater.



I suspect that certain logs are not easily moved - is "lastlog" expected to be in /var/log? Am I going to break anything horribly if I do this?



(I tend to the idea that in general a directory should either be a leaf node or a branch, so I don't like having /etc/httpd.conf and /etc/httpd.conf.d - why not just /etc/httpd.conf.d containing base_config and other files).



Is this all made moot by splunk, I wonder - or by other offline log storage/forwarding?











  • Feel free to do what suits you but be aware that pretty much everyone else works with what they have. What they have, is pretty much the same as everyone else. There is a whole internet full of people who write interesting and useful stuff based on what everyone has. Being different in this case probably isn't a good thing.

    – Iain
    Jun 5 at 13:08











  • Everyone isn't the same. Some logs are written to /var/log directly, some to /var/log/<daemon_name>. Some distros use the daemon name, some store them in the base directory. If all logs were written via syslog - as they ought to be - there would be no problem. Given that logs are written either by a logger like rsyslog, or directly, with a config file (ugh!), or (even ughgier!) to a hard-coded file, I realise that some config would be necessary, but don't see what would break, nor why being organised is a bad thing.

    – Graham Nicholls
    Jun 5 at 13:37












  • They are the same - /var/log/<daemon_name> is the same for everyone using <daemon_name>. yada yada yada ...

    – Iain
    Jun 5 at 13:46











  • No, it's not. It's distribution- and site-dependent. It's arbitrary, and there's no standard, which is, I suppose, what I'm suggesting.

    – Graham Nicholls
    Jun 6 at 7:21

















Tags: logging, log-files, rsyslog, var






asked Jun 4 at 17:06 by Graham Nicholls (edited Jun 4 at 17:13 by Graham Nicholls)












1 Answer

Yes, log files and config files are a mess. That's what happens when every software project invents their own. Then opinionated sysadmins package them up into Linux distros, and doing unprivileged logging sometimes requires a directory with special permissions.



I'm not going to enumerate everything that you would have to change to restructure /var/log arbitrarily, but here are some categories:



  • Configuration files logging there, including logrotate.

  • Compiled-in paths. I don't know where exactly in the auth stack /var/log/lastlog is configured.

  • Security build including file permissions and SELinux. Something is labeling logrotate as lastlog_t on CentOS.

  • Documentation of the differences from the distro and the Linux FHS. Just because FHS says /var/log/messages is the syslog file doesn't make it happen, but it is documented precedent.

Do what you want. Personally, I'm not going to mess with it when I can grep through files recursively. Or search a systemd journal. Or even better, forward logs to a central search engine.






  • This could be one of the advantages of systemd - I'm not a fan in general, but it could make this issue moot.

    – Graham Nicholls
    Jun 5 at 13:39











answered Jun 5 at 10:12 by John Mahowald
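
The first category in the answer above, configuration files that name paths under /var/log, can be inventoried before anything is moved. The following is an added example, not code from the question or the answer: the function names and the sample rsyslog and logrotate lines are constructed for illustration, and it checks references against the layout proposed in the question. Compiled-in paths such as /var/log/lastlog and SELinux labels are outside what a config scan can find.

```sh
#!/bin/sh
# Added example (not from the original post): list the /var/log paths that
# configuration files reference and flag those that do not fit the layout
# proposed in the question: /var/log/<name>/<name>.log for the current log,
# /var/log/<name>/history/ for rotated copies.

# conforms PATH: exit status 0 if PATH fits the proposed layout.
conforms() {
    c_rest=${1#/var/log/}
    [ "$c_rest" != "$1" ] || return 1        # not under /var/log
    c_dir=${c_rest%%/*}
    [ "$c_dir" != "$c_rest" ] || return 1    # file directly in /var/log
    c_file=${c_rest#*/}
    case $c_file in
        "$c_dir.log")       return 0 ;;      # the single current log
        history|history/?*) return 0 ;;      # history directory and its contents
        *)                  return 1 ;;
    esac
}

# audit_log_paths DIR: print "config-file<TAB>path" for every nonconforming
# /var/log path mentioned in a non-comment line of a file under DIR.
audit_log_paths() {
    find "$1" -type f | sort | while IFS= read -r a_file; do
        grep -v '^[[:space:]]*#' "$a_file" |
            grep -oE '/var/log/[A-Za-z0-9._/*-]+' |
            sort -u |
            while IFS= read -r a_path; do
                conforms "$a_path" || printf '%s\t%s\n' "$a_file" "$a_path"
            done
    done
}

# demo: build a small constructed config tree and audit it.
demo() {
    d_tmp=$(mktemp -d) || return 1
    mkdir "$d_tmp/logrotate.d"
    # Constructed rsyslog rules: one already moved, one still in /var/log.
    printf '%s\n' \
        '# old location: /var/log/secure' \
        'cron.*    /var/log/cron/cron.log' \
        'mail.*    -/var/log/maillog' > "$d_tmp/rsyslog.conf"
    # Constructed logrotate stanza using olddir for the history directory.
    printf '%s\n' \
        '/var/log/chrony/chrony.log {' \
        '    weekly' \
        '    olddir /var/log/chrony/history' \
        '}' > "$d_tmp/logrotate.d/chrony"
    (cd "$d_tmp" && audit_log_paths .)
    rm -rf "$d_tmp"
}

demo
```

On a real host the same function can be pointed at /etc; every line it prints is a reference that would have to change before the corresponding log is moved.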











