Which script rotates /var/log/auth.log?

14,984

At least on my Ubuntu 13.04 installation (physical machine, desktop edition), auth.log is rotated by logrotate as defined in /etc/logrotate.d/rsyslog. This is correctly found by grep auth /etc/logrotate.d/*. The rotated files get named as usual auth.log, auth.log.1, auth.log.2.gz and so forth. This is, as far as I can tell, the default way of handling the auth log. Maybe you're using a customized version of Ubuntu.


Author: Del Lee

Updated on September 18, 2022

Comments

  • Del Lee
    Del Lee over 1 year

    I cannot figure out where /var/log/auth.log is rotated.

    I found the file /var/log/auth.log.2013-09-16 on my system, which contains log entries previously found in /var/log/auth.log. Where does that file come from?

    I added the -d -D '%Y-%m-%d' options to the savelog call in /etc/cron.daily/sysklog and the options dateext and dateformat .%Y-%m-%d to /etc/logrotate.conf, but I do not know why this should affect how auth.log is rotated.

    Places that I have investigated:

    • $ grep auth /etc/logrotate.d/* produces no match
    • $ grep auth /etc/logrotate.conf produces no match
    • /etc/cron.daily/sysklog has the following to say about rotation:

      for LOG in $(syslogd-listfiles)
      do
         if [ -s $LOG ]; then
            savelog -g adm -m 640 -u ${USER} -c 7 -d -D '%Y-%m-%d' $LOG \
              > /dev/null
         fi
      done
      

      but $ syslogd-listfiles only lists /var/log/syslog as candidate for rotation.

    • Other calls to savelog in /etc and its subdirectories rotate history files in registered CVS directories, /var/log/boot and aptitude.pkgstates.

    • $ crontab -l lists some entries for scripts in /opt/psa/libexec/modules/watchdog/cp/ (I assume they come from Plesk Panels). However, I don't think they are responsible, because the files in question used to be named with a numeric extension until I added the -d -D '%Y-%m-%d' options to the savelog call in /etc/cron.daily/sysklog and the options dateext and dateformat .%Y-%m-%d to /etc/logrotate.conf.

  • Del Lee
    Del Lee over 10 years
    I am using Ubuntu 12.04 with Plesk Panels (see edited question). I added -d -D '%Y-%m-%d' to the savelog call in /etc/cron.daily/sysklog and the options dateext and dateformat .%Y-%m-%d to /etc/logrotate.conf. This would explain the different file name, if auth.log were actually affected by those changes. I don't know why auth.log should be affected, though.
  • Henning Kockerbeck
    Henning Kockerbeck over 10 years
    Is it a physical machine or some kind of virtual machine, container or similar? I've quickly checked some of our servers: The "physical" servers take care of auth.log with logrotate, similar to what I described about my desktop machine above. On servers installed as containers on a ProxmoxVE cluster, I can't find any reference to rotating auth.log in all of /etc, and they're still rotated. I'd assume the virtual host is doing the deed, maybe in your case it's something similar.
  • Del Lee
    Del Lee over 10 years
    It's a VPS based on Virtuozzo. My hosting provider has assured me that the host system does not rotate my log files.
  • Henning Kockerbeck
    Henning Kockerbeck over 10 years
    I'm not familiar with Virtuozzo, but according to this knowledge base entry there's another set of logrotate config files under /usr/local/psa/etc/logrotate.d. Not sure whether the entry refers to the Parallels product your provider is using, or whether this is a Virtuozzo or a Plesk thing, but I'd deem it worth a look.
  • Del Lee
    Del Lee over 10 years
    No hints as to how auth.log is rotated in that directory, either. However, I found /etc/logrotate.d/rsyslog rotating auth.log in a fresh installation of Ubuntu 12.04 on my laptop. This leads me to believe that indeed Virtuozzo is responsible and I will investigate further along this path.
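
The grep auth checks in the thread only find stanzas that name auth.log literally, while a logrotate stanza written with a wildcard such as /var/log/*.log covers the file as well. The script below is an added example, not code from the thread or from logrotate: it lists every stanza whose path pattern matches a given log file. The function names and the sample configs are constructed for illustration, and the parser assumes paths without embedded spaces.

```shell
#!/bin/sh
# Added example (not from the thread): which logrotate stanzas cover a log file?

# logrotate expands paths with glob(3), where '*' never crosses a '/'; the
# shell's `case` lets '*' match '/', so path depth is compared separately.
same_depth() {
    p=$(printf '%s' "$1" | tr -cd '/'); t=$(printf '%s' "$2" | tr -cd '/')
    [ "${#p}" -eq "${#t}" ]
}

# Print "lineno pattern" for each path named outside a { } block in file $1.
list_patterns() {
    awk '{ sub(/#.*/, ""); c = substr($1, 1, 1) }
         depth == 0 && (c == "/" || c == "\"") {
             for (i = 1; i <= NF; i++) {
                 tok = $i; gsub(/"/, "", tok); sub(/[{]$/, "", tok)
                 if (tok ~ /^\//) print FNR, tok
             }
         }
         { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }' "$1"
}

# find_rotators TARGET PATH...: PATH is a config file or a directory of them.
find_rotators() {
    target=$1; shift
    for path in "$@"; do
        for conf in "$path" "$path"/*; do
            [ -f "$conf" ] || continue
            list_patterns "$conf" | while read -r line pattern; do
                same_depth "$pattern" "$target" || continue
                case $target in   # $pattern unquoted: matched as a glob
                    $pattern) printf '%s:%s: %s\n' "$conf" "$line" "$pattern" ;;
                esac
            done
        done
    done
}

# Constructed sample configs; no real system file is read here.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '/var/log/syslog' '{' '    rotate 7' '}' \
        '/var/log/mail.log' '/var/log/auth.log' '{' '    weekly' '}' > "$dir/explicit"
    printf '%s\n' 'include /etc/logrotate.d' \
        '/var/*.log /var/log/*.log {' '    dateext' '}' > "$dir/wildcard"
    find_rotators /var/log/auth.log "$dir"
    rm -rf "$dir"
}

if [ "$#" -gt 0 ]; then find_rotators "$@"; else demo; fi
```

Called with a log path followed by the config locations named in the thread (/etc/logrotate.conf, /etc/logrotate.d, /usr/local/psa/etc/logrotate.d), it checks all of them in one pass. It covers logrotate only; savelog calls in cron scripts still have to be read separately.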