It’s been 2 hours now, and I’m still looking for this on Google.
I have the latest and mininmal install of AlmaLinux. I just added httpd.
Can someone tell me if logrotate is needed? I’m a bit lost between systemd/journald and logrotate…
Installing httpd made a “httpd” file in logrotate.d. But logrotate itself is not installed by default.
So, are my logs in /var/log/httpd/* (access.log and error.log) going to be rotated? Or maybe systemd/journald takes that logrotate.d/httpd conf file in charge somehow ?
Anyway, I’m looking forward for an answer. I’m going mad
hi,
in the old days there only was some kind of syslogd. it was listening on /dev/log and everyone who wanted to log something wrote to /dev/log.
in a default rhel8 system you have systemd-journald and syslogd (rsyslog to be specific). rsyslog is not longer listening to /dev/log, systemd-journald is, which means that every message logged is going to systemd-journald. per default the systemd journals are not persistent, i.e. after a reboot the journal is lost. Here comes rsyslog into play, it has an interface to systemd-journald and is distributing the log messages into logfiles.
logmessages of the current boot are in the journal (written by systemd-journald) and in the logfiles (written by rsyslog)
but: some applications (like apache) don’t log to /dev/log but are writing the files itself!
logrotate is acting on the logfiles written by rsyslog or on logfiles written by applications like apache. logrotate is not rotating the systemd journal.
Yes, you need logrotate (or something similar) if you want to rotate the logs.
You could script it yourself, and run the script from cron, but honestly, it’s easier to just use logrotate.
The defaults in the logrotate.d are probably fine, but you can always adjust them to suit your needs - time(s) at which files are rotated and how many old files to keep.
The “postrotate” part is important.
With Unix based systems when a process has a file open, you can “delete” or "rename"that file, but all that does is to remove the name, or change the name. The file (now anonymous, or re-named) continues to exist, and the file descriptor that the process has to access that file is still attached to the underlying file, so it will continue to write to it.
The HUP signal sent to (most) applications with log files is interpreted by that application as a signal to close the existing log files and open new ones.
There are three crtical filesystems on your operating system that you have to manage space constraints for: 1) / (root), 2) /tmp, and 3) /var where /var/log and /var/log/audit may exist as directories OR might be separated out as extra filesystems.
If they fill up you run the risk of potential system issues.
If you are running a Linux OS and it has been hardened; with AIDE enabled and AUDITD configured and enabled, then you really have to watch out for the /var/log and /var/log/audit filesystems getting saturated to 100%. If this happens then your OS will shutdown to run-level 1 (single-user mode) where/when no applications or services will be allowed to continue to execute.
So, using logrotate helps keep a lot of standard logfiles managed to a small volume and small quantity; reducing overall filesystem usage.
Thanks everyone for your answers.
I know I have to worry about the log files and disk space. But I also thought that systemd and journald took care about that. Since SystemD replaced SystemV, I was all wrong…
But that’s my fault… When systemD arrvied, I didn’t take time to at it and trying to understand how it works.
I should look for documentation
