karl@xxxxxxxxxxxxxx wrote:
Hi,
The requirement is simple enough:
"rotate the logs every day and name them by date, keep the plain filename
for the current running log (cache.log, access.log) keep them for 60 days,
no compression, NO restart of squid due to high traffic load".
e.g. an "ls -al" in my logs dir the "day after" I get this right would
look like:
access.log (active log -we use multitail, keep name!)
cache.log (active log)
20061003_access.log (archived)
20061003_cache.log (archived)
Do you want the logfiles named with the date of the data they contain,
or the date they were rotated? No matter. See below.
Having read man pages, searched your mail archives and found a great deal
of useful info, as well as the well-organized FAQ, it's still vague as to
the relationship logrotate script, and squid -k rotate share.
After querying the centos list OT on this, and getting completely opposite
answers from my fellow sysadmins there, it's clear that not too many
people actually understand how all of this works, probably the 'two
different projects' element.
My question is simple: Which files *only* do I need to edit to get my
stated requirement into action?
Modify the three following files...
/etc/squid.conf
/etc/logrotate.d/squid
/etc/cron.daily/tmpwatch
...as indicated below.
My homework thus far on this is as follows:
Known Files:
/etc/squid.conf
/etc/crontab
/etc/cron.daily/logrotate
/etc/logrotate.conf
/etc/logrotate.d/squid
1. Edit, or do not bother to edit cron via crontab -e and simply make an
entry for every night and execute /usr/sbin/squid -k rotate like this:
30 11 * * * /etc/rc.d/init.d/squid -k rotate
2. Don't bother editing crontab -e, just let /etc/cron.daily/logrotate
invoke /etc/logrotate.d/squid which looks like this (snipped for clarity):
/var/log/squid/access.log {
daily
rotate 60 # should this be "keep 60"?
"rotate" is the correct directive. The number after depends on if you
want to use logrotate to maintain your logs or not. Since it seems that
you want to rename the logs (which logrotate can be told to do, but
won't track the new log name), this directive doesn't really matter.
Leave it in, leave it out, leave it alone, just don't set it to "rotate 0".
copytruncate
For what it's worth, copytruncate copies the log to a new file and
clears out the old file. The inode never changes on the current log
file, so Squid shouldn't really need to be told to rotate. Doing so is
just cheap insurance. From the logrotate man page...
Note that there is a very small time slice between copying the file and
truncating it, so some logging data might be lost.
... If the chance of lost logging data is a concern, create a script
using the postrotate section below, call it from crontab, and set
logfile_rotate greater than 0 in squid.conf. It all depends on your
paranoia level.
notifempty
missingok
}
# This script asks squid to rotate its logs on its own.
postrotate
/usr/sbin/squid -k rotate
Add the following lines...
#Get current date
DATESTAMP=$(date -d yesterday +%Y%m%d)
# Archive yesterday's log
/bin/mv /var/log/squid/access.log.1 /var/log/squid/$DATESTAMP_access.log
/bin/mv /var/log/squid/cache.log.1 /var/log/squid/$DATESTAMP_cache.log
...adjusting the indent to taste. Remove the "-d yesterday" from the
date command to name the logs with the "today's" date (perhaps that's
obvious).
endscript
}
3. Turn off log rotation in squid.conf (done)
If by turning off log rotation in Squid, you mean setting the
logfile_rotate directive to 0 (logfile_rotate 0), good.
4. Turn on, don't turn on 'postrotate' by calling it in
/etc/logrotate.d/squid and invoking /usr/sbin/squid -k rotate.
Use the post rotate script shown above.
5. -k rotate when invoked doesn't stop squid, it just issues USR1 and you
don't have to worry about squid itself stopping (whew).
At this point, we have the logs rotating, but we are not removing old
logs (since they have been renamed, logrotate doesn't know about them).
Luckily, there is a nifty utility called tmpwatch that will do this for
us, and it's likely already running on your system.
Add the following lines to /etc/cron.daily/tmpwatch (or create said file
with the following lines)...
# Remove files from /var/log/squid that were changed (created, modified,
whatever) more than 60 days ago
/usr/sbin/tmpwatch -c 1440 /var/log/squid
----
p.s. If anyone knows of a logrotate list i'd like to ask them some
questions also:
A. Does logrotated run automatically in centos or do I need to invoke
with cron or chkconfig?
A default CentOS install will have a file "/etc/cron.daily/logrotate"
which calls the logrotate process on a daily basis at around 4:02 in the
morning (depending on how long other cron jobs take to complete).
B. For those interacting with squid only, do you need to delete the other
files present under /etc/logrotate.d/ to in effect "turn them off"?
That is one way. Another is to edit /etc/logrotate.conf and comment out
(or delete) the line "include /etc/logrotate.d". I would advise against
doing either, as your system logs would grow without bounds without this
process (or another). Most logrotate scripts are set up to not rotate
empty or missing logs. Mess with this at your own risk.
Thanks alot of any input, -we really enjoy using your caching server
technology, it's been a great benefit to our business. I've made sure to
donate to your project in the past and look forward to helping out in the
future.
-karl
Chris