9

I cannot figure out where /var/log/auth.log is rotated.

I found the file /var/log/auth.log.2013-09-16 on my system, which contains log entries previously found in /var/log/auth.log. Where does that file come from?

I added the -d -D '%Y-%m-%d' options to the savelog call in /etc/cron.daily/sysklog and the options dateext and dateformat .%Y-%m-%d to /etc/logrotate.conf, but I do not know why this should affect how auth.log is rotated.

Places that I have investigated:

  • $ grep auth /etc/logrotate.d/* produces no match
  • $ grep auth /etc/logrotate.conf produces no match
  • /etc/cron.daily/sysklog has the following to say about rotation:

    for LOG in $(syslogd-listfiles)
    do
       if [ -s $LOG ]; then
          savelog -g adm -m 640 -u ${USER} -c 7 -d -D '%Y-%m-%d' $LOG \
            > /dev/null
       fi
    done
    

    but $ syslogd-listfiles only lists /var/log/syslog as candidate for rotation.

  • Other calls to savelog in /etc and its subdirectories rotate history files in registered CVS directories, /var/log/boot and aptitude.pkgstates.

  • $ crontab -l lists some entries for scripts in /opt/psa/libexec/modules/watchdog/cp/ (I assume they come from Plesk Panels). However, I don't think they are responsible, because the files in question used to be named with a numeric extension until I added the -d -D '%Y-%m-%d' options to the savelog call in /etc/cron.daily/sysklog and the options dateext and dateformat .%Y-%m-%d to /etc/logrotate.conf.

Oswald
  • 191

2 Answers

11

At least on my Ubuntu 13.04 installation (physical machine, desktop edition), auth.log is rotated by logrotate as defined in /etc/logrotate.d/rsyslog. This is correctly found by grep auth /etc/logrotate.d/*. The rotated files get named as usual auth.log, auth.log.1, auth.log.2.gz and so forth. This is, as far as I can tell, the default way of handling the auth log. Maybe you're using a customized version of Ubuntu.

0

I'm also using 12.04 on Virtuozzo. I think the container setup uses the older mechanism from sysklogd for rotating (i.e. sysklogd in /etc/cron.daily), so:

    $ syslogd-listfiles
    /var/log/syslog

but,

    $ syslogd-listfiles --weekly
    /var/log/user.log
    /var/log/daemon.log
    /var/log/messages
    /var/log/debug
    /var/log/auth.log
    /var/log/mail.log
    /var/log/kern.log
    /var/log/lpr.log

So I think that's correct. (Note: I've dumped the split mail.* logging which double logs everything to mail.info and mail.log)

However, I noticed that my VM was missing the /etc/cron.weekly/sysklogd job so had to add it manually.

The other thing you might fall foul of is syslogd-listfiles has some extra checks to exclude very small log files from rotation. So if nothing's being logged, they won't be rotated.

Mike
  • 108
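
The checks from the question and both answers can be combined into one audit of which mechanism rotates a given log, which matters when auth.log retention is relied on for investigations. This is an added example, not part of either answer; the `ROOT` and `LISTFILES` variables are hypothetical knobs for inspecting a copied filesystem tree, and the cron job name `sysklogd` is taken from the second answer.

```shell
#!/bin/sh
# Added example: report which rotation mechanism covers a given log file.
# ROOT (filesystem prefix) and LISTFILES (command name) are hypothetical
# overrides; with both unset the live system is inspected.

find_rotators() {
    log=$1
    root=${ROOT:-}
    listfiles=${LISTFILES:-syslogd-listfiles}
    found=1   # return status: 0 once a working rotation job is found

    # 1. logrotate: main config plus drop-ins. Literal path match only,
    #    so a glob entry such as /var/log/*.log is not detected here.
    for f in "$root/etc/logrotate.conf" "$root"/etc/logrotate.d/*; do
        [ -f "$f" ] || continue
        if grep -qF -- "$log" "$f"; then
            echo "logrotate: $f"
            found=0
        fi
    done

    # 2. sysklogd: the daily and weekly cron jobs rotate different lists,
    #    and a listed file is only rotated if the matching job exists.
    if command -v "$listfiles" >/dev/null 2>&1; then
        for period in daily weekly; do
            if [ "$period" = weekly ]; then opt=--weekly; else opt=; fi
            if "$listfiles" $opt | grep -qxF -- "$log"; then
                job="$root/etc/cron.$period/sysklogd"
                if [ -f "$job" ]; then
                    echo "sysklogd-$period: $job"
                    found=0
                else
                    echo "sysklogd-$period: listed, but $job is missing"
                fi
            fi
        done
    fi
    return $found
}

# Stand-alone use: sh script.sh /var/log/auth.log
if [ $# -gt 0 ]; then find_rotators "$1"; fi
```

A non-zero return with a "listed, but ... is missing" line is the situation described in the second answer: the file is on the weekly list, yet nothing runs the rotation.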