running newsyslog fiveminly

Eugene Grosbein egrosbein at rdtc.ru
Wed Sep 7 11:27:28 UTC 2011 

07.09.2011 17:08, Jeremy Chadwick writes:

>> After reading newsyslog code, now it's obvious it just ignores minutes and seconds
>> while making decision if a file should be rotated. It looks at hours only.
>> That's sad.
> 
> I imagine this "design limitation" is due to the fact that newsyslog is
> called from cron, which only supports minute-level granularity.
> 
> The newsyslog.conf man page even hints at this while describing the
> "when" column:
> 
>     There is no provision for the specification of a timezone.  There
>     is little point in specifying an explicit minutes or seconds com-
>     ponent in the current implementation, since the only comparison
>     is ``within the hour''.
> 
> Given this, I would say the "special" 3600-second value within the
> source code makes sense.
> 
> I'm not sure what you could use for an alternate method of log rotation
> for syslog-logged data.

I have just followed some of past advices and split my newsyslog.conf in two,
moving mpd-like logs with size-based rotation only to /etc/newsyslog-quick.conf.
And made another cron job for fiveminly running newsyslog -f /etc/newsyslog-quick.conf

> I think what the rest of the world might tell you is something to the
> effect of "you can't have your cake and eat it too".  You've got
> diskless systems that aren't syslogging via network (e.g. to a pool of
> syslog servers, or a single syslog server) but instead to a
> memory-backed filesystem, in addition to enabling debug-level logging in
> mpd by default.
> 
> A memory-backed filesystem means you don't have much disk space, and you
> know this based on the need to rotate logs every 5 minutes, right?  So
> I'm confused why one would need debug logging.  I imagine that the
> newsyslog.conf on these machines has a very small number for the "count"
> column for /var/log/mpd.log.  So chances are, by the time you noticed a
> problem, the logs would have been rotated and removed, no?  So why the
> debug logging?
> 
> If debug logging really is something you absolutely need, no argument
> about it, then honestly it sounds like you need some sort of
> "centralised" logging infrastructure for all of these diskless machines.
> Most diskless machines I've used utilise some form of centralised
> "something" -- whether it be a centralised DHCP/PXE server (which you
> obviously have in some form), or an NFS-mounted root or /home, etc...
> You get the idea.  Could you deploy similar infrastructure for syslog
> and simply use a remote syslog server in syslog.conf?

In fact, I do have centralized syslogd server that collects logs
from diskless servers. But, I need also local copies of individual
server's logs in the MFS. I was in hope to make it with one cron job
and one newsyslog.conf but as it seems impossible, I will use two cron jobs :-)

Local (compressed) logs residing on the MFS give me convinience to manage and debug
a server within one ssh session without need to consult with remote syslog archives.
In general, I do have enough MFS space to keep needed backlog
but in case of network PPPoE PADI broadcast storms I need quick rotation to prevent
MFS overflows. I think I'll get all of this now.

Eugene Grosbein

More information about the freebsd-stable mailing list