8

I cannot figure out where /var/log/auth.log is rotated.

I found the file /var/log/auth.log.2013-09-16 on my system, which contains log entries previously found in /var/log/auth.log. Where does that file come from?

I added the -d -D '%Y-%m-%d' options to the savelog call in /etc/cron.daily/sysklog and the options dateext and dateformat .%Y-%m-%d to /etc/logrotate.conf, but I do not know why this should affect how auth.log is rotated.

Places that I have investigated:

  • $ grep auth /etc/logrotate.d/* produces no match
  • $ grep auth /etc/logrotate.conf produces no match

  • /etc/cron.daily/sysklog has the following to say about rotation:

    for LOG in $(syslogd-listfiles)
do
   if [ -s $LOG ]; then
      savelog -g adm -m 640 -u ${USER} -c 7 -d -D '%Y-%m-%d' $LOG \
        > /dev/null
   fi
done

    but $ syslogd-listfiles only lists /var/log/syslog as candidate for rotation.

  • Other calls to savelog in /etc and its subdirectories rotate history files in registered CVS directories, /var/log/boot and aptitude.pkgstates.

  • $ crontab -l lists some entries for scripts in /opt/psa/libexec/modules/watchdog/cp/ (I assume they come from Plesk Panels). However, I don't think they are responsible, because the files in question used to be named with a numeric extension until I added the -d -D '%Y-%m-%d' options to the savelog call in /etc/cron.daily/sysklog and the options dateext and dateformat .%Y-%m-%d to /etc/logrotate.conf.

Oswald
  • 181
  • 1
  • 1
  • 4

2 Answers2

10

At least on my Ubuntu 13.04 installation (physical machine, desktop edition), auth.log is rotated by logrotate as defined in /etc/logrotate.d/rsyslog. This is correctly found by grep auth /etc/logrotate.d/*. The rotated files get named as usual auth.log, auth.log.1, auth.log.2.gz and so forth. This is, as far as I can tell, the default way of handling the auth log. Maybe you're using a customized version of Ubuntu.

Henning Kockerbeck
  • 7,829
  • 1
  • 29
  • 35
  • I am using Ubuntu 12.04 with Plesk Panels (see edited question). I added `-d -D '%Y-%m-%d'` to the `savelog` call in `/etc/cron.daily/sysklog` and the options `dateext` and `dateformat .%Y-%m-%d` to `/etc/logrotate.conf`. This would explain the different file name, if `auth.log` where actually affected by those changes. I don't know why `auth.log` should be affected, though. – Oswald Sep 16 '13 at 10:45
  • Is it a physical machine or some kind of virtual machine, container or similar? I've quickly checked some of our servers: The "physical" servers take care of auth.log with logrotate, similar to what described about my desktop machine above. On servers installed as containers on a ProxmoxVE cluster, I can't find any reference to rotating auth.log in all of /etc, and they're still rotated. I'd *assume* the virtual host is doing the deed, maybe in your case it's something similar. – Henning Kockerbeck Sep 16 '13 at 11:04
  • It's a VPS based on Virtuozzo. My hosting provider has assured me that the host system does not rotate my log files. – Oswald Sep 19 '13 at 10:12
  • I'm not familiar with Virtuozzo, but according to [this knowledge base entry](http://kb.parallels.com/en/116474) there's another set of `logrotate` config files under `/usr/local/psa/etc/logrotate.d`. Not sure whether the entry refers to the Parallels product your provider is using, or whether this a Virtuozzo or a Plesk thing, but I'd deem it worth a look. – Henning Kockerbeck Sep 19 '13 at 10:17
  • No hints as to how `auth.log` is rotated in that directory, either. However, I found `/etc/logrotate.d/rsyslog` rotating `auth.log` in a fresh installation of Ubuntu 12.04 on my laptop. This leads me to believe that indeed Virtuozzo is responsible and I will investigate further along this path. – Oswald Sep 19 '13 at 10:28
0

I'm also using 12.04 on Virtuozzo. I think the container setup uses the older mechanism from sysklogd for rotating (i.e. sysklogd in /etc/cron.daily), so:

$ syslogd-listfiles
/var/log/syslog

but,

$ syslogd-listfiles --weekly
/var/log/user.log
/var/log/daemon.log
/var/log/messages
/var/log/debug
/var/log/auth.log
/var/log/mail.log
/var/log/kern.log
/var/log/lpr.log

So I think that's correct. (Note: I've dumped the split mail.* logging which double logs everything to mail.info and mail.log)

However, I noticed that my VM was missing the /etc/cron.weekly/sysklogd job so had to add it manually.

The other thing you might fall foul of is syslogd-listfiles has some extra checks to exclude very small log files from rotation. So if nothing's being logged, they won't be rotated.

Mike
  • 108
  • 1
  • 1
  • 10