What's new

Scribe syslog-ng logrotate no longer rotating messages file

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

juched

Very Senior Member
Just noticed today while looking at logs that my messages file hasn't been rotated and gzipped since last august.

When I ran logrotate in debug (via the su menu), I see that file is being skipped.

Code:
log /opt/var/log/messages is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.

Is this a known issue? Is there a fix/change to get rotation working again?

Thank you!
 
Ok, running scribe and "s" command, it seems to have changed something. It doesn't show that message anymore.

It did say it updated the syslog-ng.conf file and updated "checking directory links", so maybe something got messed up.

rotating pattern: /opt/var/log/messages after 1 days (9 rotations)
empty log files are not rotated, only log files >= 1048576 bytes are rotated, log files >= 4194304 are rotated earlier, old logs are removed
considering log /opt/var/log/messages
Now: 2022-02-06 23:50
Last rotated at 2022-02-03 00:00
log does not need rotating ('minsize' directive is used and the log size is smaller than the minsize value)
not running postrotate script, since no logs were rotated
 
I've never gotten scribe to rotate my opt / var / log / messages properly.

Worst of all is with a router reboot (likely a byproduct of scribe stopping and restarting), 'messages' is just wiped and started fresh... losing the actual useful info on (maybe) why it rebooted.

It also suffers from lost logs when simply restarting scribe; 'messages' is just nuked and not saved.

All the other log filters that I'm using (examples from share / examples / syslog.d) ARE rotated properly and appended to as expected upon restart.

I just did a fresh install a couple days ago. Still no rotations of 'messages'

su / ld shows (below) no errors, seeing like it should work.
Code:
rotating pattern:  / opt / var / log / messages  after 1 days (9 rotations)
empty log files are not rotated, only log files >= 1048576 bytes are rotated, log files >= 4194304 are rotated
 earlier, old logs are removed
considering log / opt / var / log / messages
  Now: 2022-06-23 10:15
  Last rotated at 2022-06-23 09:00
  log does not need rotating (log has been rotated at 2022-06-23 09:00, which is less than a day ago)
  log does not need rotating ('minsize' directive is used and the log size is smaller than the minsize value)
not running postrotate script, since no logs were rotated

I'm out of ideas.
 
The behavior is driven by the rc.func.syslog-ng file in /opt/etc/init.d. On a reboot (but not a restart), the system is logging to /tmp/syslog.log, and scribe cats that to messages. Whether messages is nuked or not depends on the > or >> in that line. THen it deletes syslog.log, forms the symlink, and starts syslog-ng. On an uninstall it deletes the symlink, so if the logrotate problem above occurs, it may be in those steps.

I thought I was the only one that nuked my messages file on a reboot, and then the boot sequence I copy into a file, that I then have syslog-ng process first, so in the WebGUI I have the complete boot sequence correctly time sequenced and time stamped. Fussy, aren't I. But first I copy it over to a different log, so I can see if there was something funky when the reboot occurred. I never cat to messages.
 
Last edited:
The behavior is driven by the rc.func.syslog-ng file in /opt/etc/init.d. On a reboot (but not a restart), the system is logging to /tmp/syslog.log, and scribe cats that to messages. Whether messages is nuked or not depends on the > or >> in that line. THen it deletes syslog.log, forms the symlink, and starts syslog-ng. On an uninstall it deletes the symlink, so if the logrotate problem above occurs, it may be in those steps.

I thought I was the only one that nuked my messages file on a reboot, and then the boot sequence I copy into a file, that I then have syslog-ng process first, so in the WebGUI I have the complete boot sequence correctly time sequenced and time stamped. Fussy, aren't I. But first I copy it over to a different log, so I can see if there was something funky when the reboot occurred. I never cat to messages.
Would you share your method? I'm rather blasé about the whole wiping the messages on reboot, but I guess other people are more interested in it. You can PM it if it reveals data you'd rather not reveal publicly.
 
It's not very elaborate. I'll post exactly when I have access to the router.

1. create a filter named "00startup" using a file source named startup.log and messages as destination, using the time processed as the timestamp. (this will be the first filter run)
2. Revise rc.func.syslog-ng to
a. rename messages as beforeboot.log so it is still around
b. cat syslog.log > startup.log
c. write "Top of log" to messages
3. Use flow control.

Continue on. Basically, the startup messages go to the file, syslog-ng starts up, processes all the startup messages and then continues on with the rest of the boot messages. Everything in messages before the boot is preserved.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top