Which script rotates /var/log/auth.log?
At least on my Ubuntu 13.04 installation (physical machine, desktop edition), auth.log is rotated by logrotate
as defined in /etc/logrotate.d/rsyslog
. This is correctly found by grep auth /etc/logrotate.d/*
. The rotated files get named as usual auth.log
, auth.log.1
, auth.log.2.gz
and so forth. This is, as far as I can tell, the default way of handling the auth log. Maybe you're using a customized version of Ubuntu.
Related videos on Youtube
Del Lee
Updated on September 18, 2022Comments
-
Del Lee over 1 year
I cannot figure out where
/var/log/auth.log
is rotated.I found the file
/var/log/auth.log.2013-09-16
on my system, which contains log entries previously found in/var/log/auth.log
. Where does that file come from?I added the
-d -D '%Y-%m-%d'
options to thesavelog
call in/etc/cron.daily/sysklog
and the optionsdateext
anddateformat .%Y-%m-%d
to/etc/logrotate.conf
, but I do not know why this should affect howauth.log
is rotated.Places that I have investigated:
$ grep auth /etc/logrotate.d/*
produces no match$ grep auth /etc/logrotate.conf
produces no match/etc/cron.daily/sysklog
has the following to say about rotation:for LOG in $(syslogd-listfiles) do if [ -s $LOG ]; then savelog -g adm -m 640 -u ${USER} -c 7 -d -D '%Y-%m-%d' $LOG \ > /dev/null fi done
but
$ syslogd-listfiles
only lists/var/log/syslog
as candidate for rotation.Other calls to
savelog
in/etc
and its subdirectories rotate history files in registered CVS directories,/var/log/boot
andaptitude.pkgstates
.$ crontab -l
lists some entries for scripts in/opt/psa/libexec/modules/watchdog/cp/
(I assume they come from Plesk Panels). However, I don't think they are responsible, because the files in question used to be named with a numeric extension until I added the-d -D '%Y-%m-%d'
options to thesavelog
call in/etc/cron.daily/sysklog
and the optionsdateext
anddateformat .%Y-%m-%d
to/etc/logrotate.conf
.
-
Del Lee over 10 yearsI am using Ubuntu 12.04 with Plesk Panels (see edited question). I added
-d -D '%Y-%m-%d'
to thesavelog
call in/etc/cron.daily/sysklog
and the optionsdateext
anddateformat .%Y-%m-%d
to/etc/logrotate.conf
. This would explain the different file name, ifauth.log
where actually affected by those changes. I don't know whyauth.log
should be affected, though. -
Henning Kockerbeck over 10 yearsIs it a physical machine or some kind of virtual machine, container or similar? I've quickly checked some of our servers: The "physical" servers take care of auth.log with logrotate, similar to what described about my desktop machine above. On servers installed as containers on a ProxmoxVE cluster, I can't find any reference to rotating auth.log in all of /etc, and they're still rotated. I'd assume the virtual host is doing the deed, maybe in your case it's something similar.
-
Del Lee over 10 yearsIt's a VPS based on Virtuozzo. My hosting provider has assured me that the host system does not rotate my log files.
-
Henning Kockerbeck over 10 yearsI'm not familiar with Virtuozzo, but according to this knowledge base entry there's another set of
logrotate
config files under/usr/local/psa/etc/logrotate.d
. Not sure whether the entry refers to the Parallels product your provider is using, or whether this a Virtuozzo or a Plesk thing, but I'd deem it worth a look. -
Del Lee over 10 yearsNo hints as to how
auth.log
is rotated in that directory, either. However, I found/etc/logrotate.d/rsyslog
rotatingauth.log
in a fresh installation of Ubuntu 12.04 on my laptop. This leads me to believe that indeed Virtuozzo is responsible and I will investigate further along this path.