Author Topic: [How-to] Limit the size of .log files & the journal:  (Read 7431 times)

0 Members and 1 Guest are viewing this topic.

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #15 on: 16. August 2013, 09:34:58 »
I've installed logwatch, which looks like it would be a great way to see all errors from yesterday's (or any that you tell it to) logs printed out on your terminal screen. But it won't work for me?

I've tried the following command (& others):

Code: [Select]
logwatch --range all --detail High --print | less
But all I get is the page of --help output. I don't think it is because there are no errors, as I think that there is at least one that it should spit out, particularly with the --detail High options set.

I've gone through the /etc/logwatch/conf/logwatch.conf file (more than once) & it really should be good to go.

I'd really like to have logwatch working, as it is far more suitable to the task than any of the other log file analyzers that I've investigated, it is also in the official repo's & it is much lighter to install than the others & cough cough, easier to set up.
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #16 on: 16. August 2013, 10:00:37 »
The logcheck application works when I test it with the following command:

Code: [Select]
sudo -u logcheck logcheck -o -t
But it gives me much more than I want to see, which means learning how to configure its filters, which is so much easier with logwatch.

The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #17 on: 16. August 2013, 10:33:12 »
I went through the /etc/logcheck/logcheck.conf & ran the following command:

Code: [Select]
sudo -u logcheck logcheck -o -t
Which gave a far more reasonable output:

Code: [Select]
[handy@jarmano ~]$ sudo -u logcheck logcheck -o -t
This email is sent by logcheck. If you no longer wish to receive
such mail, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).

System Events
=-=-=-=-=-=-=
Aug 16 18:01:14 localhost su: pam_unix(su:session): session closed for user logcheck
Aug 16 18:01:16 localhost crond[448]: 2013-08-16 18:01:15 1VAEyB-0000kF-1G User 0 set for local_delivery transport is on the never_users list
Aug 16 18:02:06 localhost su: pam_unix(su:session): session opened for user root by handy(uid=1000)
Aug 16 18:20:01 localhost udisks-daemon[630]: **** Refreshing ATA SMART data for /sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda
Aug 16 18:20:01 localhost udisks-daemon[630]: helper(pid  5300): launched job udisks-helper-ata-smart-collect on /dev/sda
Aug 16 18:20:01 localhost udisks-daemon[630]: **** Refreshing ATA SMART data for /sys/devices/pci0000:00/0000:00:1f.2/ata2/host1/target1:0:0/1:0:0:0/block/sdb
Aug 16 18:20:01 localhost udisks-daemon[630]: helper(pid  5301): launched job udisks-helper-ata-smart-collect on /dev/sdb
Aug 16 18:20:02 localhost udisks-daemon[630]: helper(pid  5300): completed with exit code 0
Aug 16 18:20:02 localhost udisks-daemon[630]: **** EMITTING CHANGED for /sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda
Aug 16 18:20:02 localhost udisks-daemon[630]: helper(pid  5301): completed with exit code 0
Aug 16 18:20:02 localhost udisks-daemon[630]: **** EMITTING CHANGED for /sys/devices/pci0000:00/0000:00:1f.2/ata2/host1/target1:0:0/1:0:0:0/block/sdb

A number of the lines in the above are quite repetitive in my log(s), so logchecker looks like it may be what I'll use each day to look at the previous days errors. This will work in quite well with the way that I'm doing daily log rotation.

I'll look at making a script or something to automatically give me a display when I login.

The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #19 on: 17. August 2013, 02:50:38 »
I'm running the following logcheck command:

Code: [Select]
sudo -u logcheck logcheck -o -t
in my ~/.bashrc which causes Terminator to present me with a password request when it is first opened. If I want to see the output of logcheck I enter the password, if I don't I just hit Ctrl & C to terminate the process.

I have Terminator set to autostart on Desktop 5 when Openbox starts, so I will normally only be bothered by this request from logcheck once a day, which should work out fine.
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #20 on: 19. August 2013, 05:23:41 »
logcheck starting each boot quickly becomes a pain in the neck. So just creating an alias for it in your ~/.bashrc is a much more convenient solution:

Code: [Select]
alias logcheck="sudo -u logcheck logcheck -o -t"
Back to the logrotate topic:

As I suspected the numbering of the /var/log/old/.gz files doesn't work properly. I don't know how to fix that, so I've changed the /etc/logrotate.d/rotate.logs script so that it leaves the .gz files in .../log/

I've modified the wiki to suit.

Also, I've dumped the hourly check idea posted a few posts or so back. The size of the log files will be controlled by deleting them after a week or so, & things are simpler this way.
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #21 on: 19. August 2013, 07:22:33 »
I watched a video by Lennart on systemd's journal:

https://www.youtube.com/watch?v=i4CACB7paLc

Am I allowed to link this? I don't know...

Anyway, in his presentation (he talks very fast & you can't read anything much on the projected to screens), he uses a post on his blog for reference in the latter part of the tutorial, which I noticed & searched out:

http://0pointer.de/blog/projects/journalctl.html

Using the info in that blog page I've been playing with the journal & have to say that I'm pretty impressed. The journal &/or associated programs have been unreliable during the ongoing development process. It seems that things are functioning well at the moment.

I expect that before too long (I'll finish testing on logrotate for the wiki first) I'll probably remove syslog-ng from my system & have no logs beyond the journal.

Surprises me too!   

[edit:] I can see that you could setup some aliases in .bashrc to make using journalctl very quick & simple (& to save my memory atleast). The journalctl -b -p -err command gives you all errors since the last system boot (see attached screenshot) so you don't need to run log monitoring tools like logwatch & the like, as journalctl will look at whatever services you point it at (if that's what you want it to look at), over whatever time frame you specify. It always shows errors in red, which really makes looking for errors in your logs so much easier.

It does a pile of other things too, most of which most of us will never need to know about. I do like the idea of getting rid of most of the /var/log/*log files though & the journal has won me.
« Last Edit: 19. August 2013, 14:16:56 by handy »
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #22 on: 19. August 2013, 08:45:09 »
Further on the previous post:

I updated the wiki with a quick reference to the journalctl options that we would find more generally useful, & such. It gives people all the tools they need to investigate the journal & decide whether they want to use syslog-ng to create (most of) the logs that are in their /var/log/ directory or not.

[edit:] Which means, if you are happy with what you can do with the journalctl [options] command, you can delete syslog-ng & not have to worry about all but a few log files in the /var/log/ directory.

I'll write on removing syslog-ng & whatever is related to that after I finish testing the logrotate stuff.
« Last Edit: 19. August 2013, 14:19:16 by handy »
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline Menelaos

  • Vollwertiges Mitglied
  • ***
  • Posts: 186
  • Branch: stable
  • Desktop: OpenBox
  • GPU Card: NVIDIA GF108 [GeForce GT 630]
  • GPU driver: non-free
  • Kernel: Linux 3.10.11-1 Manjaro
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #23 on: 23. August 2013, 20:25:23 »
ok my favourite way was to go and do it manually cos script and commands didn't do the trick for me. but i want to ask something, journal keeps making those folders, dose that mean that at some point we will have to go there and delete some to free space? i mean it is set to 20M but there is no limit on the number of files it creates...

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #24 on: 24. August 2013, 01:48:08 »
@Menelaos: I don't know whether you have had a look at the wiki (since it was updated & there have been a few updates) or not. There are now quite a few commands there in the journal section that show how to get the journal to show you a variety of things. The journal works really well at doing this, to the point that I just removed syslog-ng (which also removes eventlog from my system & deleted all but the Xorg.0.log files from my /var/log directory. Some of the the logs that I deleted will be recreated again.

Everything I need to know about my system is easier to access with the journal by using the commands that I posted in the wiki. Seeing errors is just so easy (it prints them out in red!).

So give some of those journelctl commands a try & see you think?

http://wiki.manjaro.org/index.php?title=Limit_the_size_of_.log_files_%26_the_journal#The_Journalctl_command_-_a_quick_reference_.5B1.5D

Also, the journal controls how much disk space it takes up & will delete its oldest additions to make sure that it doesn't take up too much free space. So if setting its max size doesn't work for you, the journal will never cause your system problems due to it gobbling up all of your drive space.

This is from its man page:

Quote
SystemMaxUse= and RuntimeMaxUse= control how much disk space the journal may use up at maximum. Defaults to 10% of the size of the respective file system. SystemKeepFree= and RuntimeKeepFree= control how much disk space systemd-journald shall always leave free for other uses. Defaults to 15% of the size of the respective file system. systemd-journald will respect both limits, i.e. use the smaller of the two values.

I've found that with the setting of SystemMaxUse=50M in /etc/journal.conf that when the size goes over 50MB it can take a few days before it trims it down to ~30MB again.
« Last Edit: 24. August 2013, 02:01:40 by handy »
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #25 on: 24. August 2013, 03:02:25 »
After removing syslog-ng & the deleting all but Xorg.0.log from /var/log I rebooted & many of the log files have been recreated. I can't find any useful info on this, so I'm going to have to ask Phil what's going on in the background that creates these logs to see if I can turn off the creation of most of these log files.
« Last Edit: 24. August 2013, 03:10:29 by handy »
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #26 on: 25. August 2013, 01:37:00 »
OK, now I understand why the log files after I had deleted them all were being recreated on reboot.

Following is a my question & Phil's answer:

Quote
Quote from: handy on Yesterday at 11:09:25Hi Phil,

Sorry to bother you, I know you don't have enough time to do all the things that you want to. (life goes fast like that!)

I have a problem that I can't find any useful information about when searching the web. I think you know the answer, the question is here:

http://forum.manjaro.org/index.php?topic=6050.msg55914#msg55914

I'm trying to turn off the creation of as many log files as I can & just use the journal. I can't turn off most of the logs, even though I've deleted syslog-ng (& its friend)?

Having learned about the journal I wonder why Manjaro uses syslog-ng & has all but Xorg.0.log & a few others I guess, at all? The journal really is so much easier to use.

Phil's reply:
Quote
Arch is still based on the old systemlog-ng. Fedora will use journal in 20. Arch will adopt it. We can try to adopt it earlier. I've to read the thread and try it myself. It won't happen for 0.8.7 since I will build the final images later today. I might add it as a feature for 0.8.8. So consider it on my todo-list.

So, at this stage we can't stop the log files from being created by deleting syslog-ng, as you can't do that on Arch yet either. Though we may get there before Arch does if Phil has the time to sort it.

I guess in the meantime I could work something out that uses logrotate to check hourly & delete any logs that have been created. That could be fun. :)
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #27 on: 25. August 2013, 03:09:04 »
This post shows where I'm up to in my effort to remove all of the /var/log/*log files.

First be sure to have removed syslog-ng from your system, use pacman or whatever GUI you use for the job.

I've modified the /etc/logrotate.conf like so:

Code: [Select]
#!/bin/sh

# see "man logrotate" for details
# rotate log files daily
daily

# keep 0 weeks worth of backlogs
rotate 0

# restrict maximum size of log files
size 01M

# create new (empty) log files after rotating old ones
#create

# copy the original file to new file then empty the original
#copytruncate

# uncomment this if you want your log files compressed
#compress

# Logs are moved into directory for rotation
#olddir /var/log/old

# Ignore pacman saved files
tabooext + .pacorig .pacnew .pacsave

# Arch packages drop log rotation information into this directory
include /etc/logrotate.d

/var/log/wtmp {
    weekly
    create 0664 root utmp
    minsize 512K
    rotate 0
}

/var/log/btmp {
    missingok
    weekly
    create 0600 root utmp
    rotate 0
}

The above doesn't interfere with the /etc/logrotate.d/rotate.logs script as files in /etc/logrotated.d take precedence.

I'm calling the above file every hour via the logrotate /etc/logrotate.conf command in /etc/cron.hourly like so:

Code: [Select]
#!/bin/sh

# nicenesses range from -20 (most favorable scheduling) to 19 (least favorable)
NICE=19

# 0 for none, 1 for real time, 2 for best-effort, 3 for idle
IONICE_CLASS=2

# 0-7 (for IONICE_CLASS 1 and 2 only), 0=highest, 7=lowest
IONICE_PRIORITY=7

CMD_LOGROTATE="/usr/bin/logrotate /etc/logrotate.conf"

if [ -x /usr/bin/nice ]; then
  CMD_LOGROTATE="/usr/bin/nice -n ${NICE:-19} ${CMD_LOGROTATE}"
fi

if [ -x /usr/bin/ionice ]; then
  CMD_LOGROTATE="/usr/bin/ionice -c ${IONICE_CLASS:-2} -n ${IONICE_PRIORITY:-7} ${CMD_LOGROTATE}"
fi

${CMD_LOGROTATE}

exit 0

The hourly run of /etc/logrotate.conf calls /etc/logrotate.d/rotate.logs I called it rotate.logs you can call it whatever you want.

Code: [Select]
/var/log/*log {
 hourly
 rotate 0         # keep no backup
 missingok
 postrotate
    files=$(ls /var/log | grep -v Xorg) && for line in $files; do rm /var/log/$line; done
 endscript
  }


Every hour the above set up should delete all files with names ending in log . This saves space & clutter, the journal is so much easier & more effective to use. (See the wiki.)
« Last Edit: 25. August 2013, 06:57:21 by handy »
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #28 on: 25. August 2013, 06:52:47 »
I found that after deleting the /var/log files a 2nd time, I now only have five that recreate themselves & that is fine by me. The five are Xorg.0.log Xorg.0.old btmp lastlog wtmp .

So all the mucking about I went to, to run a script via logrotate every hour looks to be a waste of time. Time will tell though.

dcell helped me out by providing a command that will preserve Xorg.0.log but delete the other log files in the /var/log directory. So this is how the /etc/logrotate.d/rotate.logs file would look if the deleted log files don't stay away after being deleted:

Code: [Select]
/var/log/*log {
 hourly
 rotate 0
 missingok
 postrotate
    files=$(ls /var/log | grep -v Xorg) && for line in $files; do rm /var/log/$line; done
 endscript
  }

I've added the above script block to the previous post that has all of the other things that are needed to be done so as to run this script every hour.
« Last Edit: 25. August 2013, 06:59:14 by handy »
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: [How-to] Limit the size of .log files & the journal:
« Reply #29 on: 15. January 2014, 06:12:52 »
I just added the following to the wiki page associated with this thread, it will be helpful if people use this info' when pasting errors to the forum:
______________

Following is the above command with its output sent to a file called -ERRORS in your /home/<user> directory. Having the - at the beginning of the name should cause the file to be shown at the top of the list of files when viewing the contents of your ~/ (/home/<user>) directory. This command makes it easy to copy the contents of the -ERRORS file, & then paste it to the forum. Doing so allows us to display ALL of the command's output instead of only being able to cut & paste the truncated lines from our terminal:

Code: [Select]
$ Journalctl -b -p err > -ERRORS

Note:
Whether the lines from the output of the following comand:

Code: [Select]
journalctl -b -p err
are truncated in your terminal display, will depend on what your monitor's size & display settings are - resolution & font sizes in particular.
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak