@azet
Last active June 19, 2017 07:24
PaX/grsec log rotation on production systems [file: `/etc/logrotate.d/grsec`] (Debian)
# this: `/etc/logrotate.d/grsec`.
# Debian's rsyslog package already ships a stanza for these paths in
# /etc/logrotate.d/rsyslog; logrotate skips a path it sees twice, so remove
# the overlap from one of the two files before relying on this one.
# daily, keep 14 rotations, tolerate missing/empty files, gzip the old ones.
/var/log/messages /var/log/syslog /var/log/kern.log {
    daily
    rotate 14
    missingok
    notifempty
    compress
    # make rsyslogd reopen the fresh files instead of the renamed ones
    postrotate
        systemctl kill -s HUP rsyslog.service 2>/dev/null || true
    endscript
}
azet commented May 30, 2017

PaX/grsecurity adds a whole lot of -- very useful -- output to the kernel ring buffer. this behavior can fill up your / or /var partition quickly, if not specifically rotated, especially on server machines and instances. you may consider using logstash, splunk (if you can afford it) or Graylog2 for archiving and analysis of said log-files. forwarding may be done via systemd or any syslog daemon.

enabling compress by default in /etc/logrotate.conf is a pretty good idea on production systems, too.

  • use journalctl(1) to inspect the current buffer (systemd journal)
  • use zless(1) to view compressed log-files in /var/log
  • `sudo journalctl -xa -o verbose` will query all available details in the systemd journal

an alternative with clear advantages in multi-machine/instance and cluster environments is using rsyslog for all log-files or systemd's journaling capability (which supports import and export as well as networked journaling). similarly, tools like fluentd can be useful depending on the environment and further post-processing and archiving.
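As an added check (example code written for this page, not part of the gist), the script below parses logrotate stanzas and flags the two things that bite a file like this one on Debian: a path already claimed by another stanza (logrotate reports a duplicate entry and skips it) and a stanza that never tells rsyslogd to reopen its files. The `/etc/logrotate.d/rsyslog` content is a constructed approximation of the Debian-shipped stanza, not copied from a real system.

```python
import re

# Constructed sample: a stanza like the gist's, alongside a hypothetical
# Debian-style /etc/logrotate.d/rsyslog that already covers two of its paths.
SAMPLE_CONFIGS = {
    "/etc/logrotate.d/grsec": """\
/var/log/messages /var/log/syslog /var/log/kern.log {
    daily
    compress
}
""",
    "/etc/logrotate.d/rsyslog": """\
/var/log/syslog /var/log/kern.log
{
    daily
    compress
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}
""",
}

# one stanza = whitespace-separated paths, then a brace-delimited body
STANZA_RE = re.compile(r"([^{}]+?)\s*\{(.*?)\}", re.S)
SCRIPT_DIRECTIVES = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}

def parse_stanzas(text):
    """Yield (paths, set of directive names) per stanza; script bodies are skipped."""
    for paths, body in STANZA_RE.findall(text):
        directives, in_script = set(), False
        for line in body.splitlines():
            words = line.split()
            if not words or words[0].startswith("#") or (in_script and words[0] != "endscript"):
                continue
            in_script = words[0] in SCRIPT_DIRECTIVES
            directives.add(words[0])
        yield paths.split(), directives

def audit(configs):
    """Return ({path: files claiming it} for paths listed twice, [files lacking reopen logic])."""
    owners, no_reopen = {}, []
    for name, text in configs.items():
        for paths, directives in parse_stanzas(text):
            for path in paths:
                owners.setdefault(path, []).append(name)
            # without postrotate/copytruncate the daemon keeps writing to the renamed file
            if not directives & {"postrotate", "copytruncate"}:
                no_reopen.append(name)
    return {p: f for p, f in owners.items() if len(f) > 1}, no_reopen
```

Point `audit` at the real contents of `/etc/logrotate.d/*` to see which paths this gist's stanza would fight over with the distribution's own one.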
