Taming Log Noise with syslog and logrotate on a Small Linux Server

Introduction to Log Management

I’ve seen log management become a major headache on Linux systems, especially once log files grow without bound: the disk fills up, and by the time you need to debug something the message you want is buried in megabytes of noise. To tame that noise on a small Linux server I start with two standard tools: syslog (in practice rsyslog on Debian and Ubuntu) to decide what gets logged where, and logrotate to cap how much of it is kept.

Understanding syslog

Syslog is the standard message-logging facility on Linux; rsyslog is the usual implementation on Debian-family systems, and on systemd hosts journald sits alongside it and hands it messages. Every message carries a facility saying which subsystem produced it (kern for the kernel, user for user-level processes, mail for the mail system, daemon, auth and authpriv for authentication, cron, and local0 through local7 for your own services) and a priority, or severity, ranging from emerg (most severe, numeric value 0) down to debug (least severe, 7). A configuration rule pairs a selector with a target. The selector is written facility.priority, and a bare priority means that priority or anything more severe, so kern.info catches info, notice, warning, err, crit, alert and emerg from the kernel but not debug.

On current Debian and Ubuntu the configuration lives in /etc/rsyslog.conf with drop-in files under /etc/rsyslog.d/ (older systems used /etc/syslog.conf); put your own rules in a drop-in so a package upgrade does not overwrite them. For example, to send all kernel messages of priority info or higher to their own file, add a rule like the following, with the selector and the target separated by whitespace:

kern.info /var/log/kernel.log

rsyslog reads its configuration only at startup, so validate the syntax with rsyslogd -N1 and then restart the service after every change (on Debian and Ubuntu, syslog.service is an alias for rsyslog.service, so either name works):

sudo systemctl restart syslog

This is where people usually get burned: they edit the file, forget the restart, and then wonder why the new log file never appears. The other trap is a typo in a selector, which only shows up as an error message from the daemon after the restart while the rule you added silently does nothing; rsyslogd -N1 catches it before you restart.
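Here is a worked example of the selector rules, as an added illustration rather than anything from the original page or from rsyslog itself: a small Python model of how syslogd and rsyslog evaluate a selector field, applied to the kern.info rule above alongside constructed rules written in the style of a Debian default configuration. The facility and priority tables are the standard ones; the rule set and the messages routed through it are made up for the demonstration.

```python
"""Added example: a model of how syslogd/rsyslog evaluate a selector field."""
from typing import Dict, List, Set, Tuple

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
# Index is the numeric severity: 0 is the most severe, 7 the least.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI = {name: i for i, name in enumerate(PRIORITIES)}
PRI.update(panic=0, error=3, warn=4)  # legacy spellings syslogd still accepts


def compile_selector(selector: str) -> Dict[str, Set[str]]:
    """Return {facility: set of priority names} matched by a selector field.

    Grammar: 'facility[,facility]*.priority[;more]*'. A bare priority means
    "that level or more severe"; '=level' means exactly that level; '!level'
    removes that level and the more severe ones; 'none' drops the facility.
    Selectors apply left to right, so a later one can override an earlier one.
    """
    matched: Dict[str, Set[str]] = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        fac_field, sep, pri_field = part.rpartition(".")
        if not sep:
            raise ValueError(f"selector {part!r} has no '.'")
        facs = list(FACILITIES) if fac_field == "*" else [f.strip() for f in fac_field.split(",")]
        for fac in facs:
            if fac not in FACILITIES:
                raise ValueError(f"unknown facility {fac!r}")
        if pri_field == "none":
            for fac in facs:
                matched[fac] = set()
            continue
        negate = pri_field.startswith("!")
        pri_field = pri_field.lstrip("!")
        exact = pri_field.startswith("=")
        pri_field = pri_field.lstrip("=")
        if pri_field == "*":
            levels = set(PRIORITIES)
        elif pri_field in PRI:
            level = PRI[pri_field]
            levels = {PRIORITIES[level]} if exact else set(PRIORITIES[: level + 1])
        else:
            raise ValueError(f"unknown priority {pri_field!r}")
        for fac in facs:
            if negate:
                matched[fac] -= levels
            else:
                matched[fac] |= levels
    return matched


def matches(selector: str, facility: str, priority: str) -> bool:
    """True if a message tagged facility.priority is caught by the selector."""
    return PRIORITIES[PRI[priority]] in compile_selector(selector)[facility]


def route(rules: List[Tuple[str, str]], facility: str, priority: str) -> List[str]:
    """Targets a message reaches, in config order; several rules may fire.

    A leading '-' on a file target is legacy syntax for "don't fsync after
    every write" and is stripped here for readability.
    """
    return [target.lstrip("-") for sel, target in rules if matches(sel, facility, priority)]


# Constructed rule set (this example's own, not copied from any host): the
# kern.info rule from the text plus rules in the style of a Debian default config.
RULES = [
    ("auth,authpriv.*",        "/var/log/auth.log"),
    ("*.*;auth,authpriv.none", "-/var/log/syslog"),
    ("kern.info",              "/var/log/kernel.log"),
    ("mail.*",                 "-/var/log/mail.log"),
    ("*.emerg",                ":omusrmsg:*"),
]

if __name__ == "__main__":
    for fac, pri in [("kern", "warning"), ("kern", "debug"), ("authpriv", "notice"), ("mail", "emerg")]:
        print(f"{fac}.{pri:<8} -> {route(RULES, fac, pri)}")
```

Two things the model makes visible that the one-line rule hides: a kernel debug message never reaches /var/log/kernel.log because debug is less severe than info, and a message can land in several files at once, which is why /var/log/syslog still gets a copy of the kernel messages unless you add kern.none to its selector.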

Log Rotation with logrotate

Logrotate is the utility that rotates log files on a schedule (a daily cron job or systemd timer runs it) so they cannot grow indefinitely. You can rotate daily, weekly or monthly, rotate early when a file passes a size threshold, and keep a fixed number of old copies, compressed or not. The real trick is finding the right balance between how far back you can look during an investigation and how much disk the old logs may consume.

Per-log settings go in stanzas. The distro's /etc/logrotate.conf holds the global defaults (on Debian: weekly, rotate 4, create) and includes every file under /etc/logrotate.d/, which is where package-specific stanzas live. Note that on Debian and Ubuntu the rsyslog package already ships /etc/logrotate.d/rsyslog with a stanza for /var/log/syslog, so edit that stanza rather than adding a second one in logrotate.conf: logrotate refuses a log path that is defined twice and skips the file containing the duplicate. To rotate the system log daily and keep 7 days of old logs, the stanza looks like this:

# /etc/logrotate.d/rsyslog (edit the stock stanza; do not add a second one)
/var/log/syslog {
    daily
    # rotate early if the file passes 100 MB before the daily run
    maxsize 100M
    # keep 7 rotated files; without this the global default applies, and
    # logrotate's own built-in default of 0 deletes the old log outright
    rotate 7
    # also delete rotated files older than 7 days
    maxage 7
    missingok
    notifempty
    compress
    # compress one cycle late so rsyslog can finish writing to the renamed file
    delaycompress
    postrotate
        # make rsyslog reopen its files (sends SIGHUP); Debian/Ubuntu helper,
        # equivalent to: systemctl kill -s HUP rsyslog.service
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

This rotates /var/log/syslog once a day, or sooner if it passes 100 MB, gzips every rotated file except the newest, keeps seven of them and deletes anything older than seven days. The rotate count is easy to leave out; a stanza without one inherits the global default, and logrotate's own built-in default of 0 removes the old log instead of keeping it. Before relying on a stanza, dry-run it with logrotate -d on the file; it prints what would happen without touching anything. Then force one rotation with logrotate -f and check that new messages land in the fresh /var/log/syslog rather than in the renamed file, which is the classic symptom of a missing or failing postrotate. In practice you will tune the retention to your disk and to how far back incident investigations need to reach.
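The stanza above is easy to get subtly wrong, and logrotate's own dry run does not flag retention mistakes. The following Python linter is an added example, not part of the page or of logrotate, that parses the subset of logrotate syntax used above and reports the traps just discussed: a log path declared in two stanzas, an effective rotate count of 0, compress without delaycompress on a file nothing tells the daemon to reopen, no postrotate (or copytruncate) at all, and a create mode that leaves the new file world-readable. The configuration it checks is constructed for the demonstration and assumes Debian-style globals (weekly, rotate 4, create); the parser requires the path list to be on the same line as the opening brace.

```python
"""Added example: lint logrotate stanzas for retention and permission traps."""
from typing import Dict, List, Tuple

SCRIPT_KEYWORDS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}


def parse_logrotate(text: str) -> List[Dict]:
    """Parse the subset of logrotate syntax used on this page.

    Returns a list of stanzas; the first has paths == [] and holds the
    global directives, the rest are '<paths> { ... }' blocks. Script bodies
    (postrotate ... endscript) are recorded by keyword only.
    Assumption of this example: paths must be on the '{' line.
    """
    globals_: Dict = {"paths": [], "directives": {}, "scripts": set()}
    stanzas = [globals_]
    current = globals_
    in_script = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_script:
            in_script = line != "endscript"
            continue
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            current = {"paths": line[:-1].split(), "directives": {}, "scripts": set()}
            stanzas.append(current)
        elif line == "}":
            current = globals_
        elif line in SCRIPT_KEYWORDS:
            current["scripts"].add(line)
            in_script = True
        else:
            parts = line.split(None, 1)
            current["directives"][parts[0]] = parts[1] if len(parts) > 1 else ""
    return stanzas


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (finding, stanza) pairs; each stanza's directives are merged over the globals."""
    globals_, *blocks = parse_logrotate(text)
    findings: List[Tuple[str, str]] = []
    seen: Dict[str, str] = {}
    for s in blocks:
        name = " ".join(s["paths"])
        d = {**globals_["directives"], **s["directives"]}
        for path in s["paths"]:
            if path in seen:
                # logrotate reports "duplicate log entry" and skips the offending file
                findings.append(("duplicate", path))
            seen[path] = name
        # built-in default is rotate 0: the old log is removed, not kept
        if int(d.get("rotate", "0") or 0) == 0:
            findings.append(("rotate0", name))
        reopened = "postrotate" in s["scripts"] or "copytruncate" in d
        # lines written between the rename and the gzip are lost if nothing
        # makes the daemon reopen and the compression is not delayed
        if "compress" in d and "delaycompress" not in d and not reopened:
            findings.append(("compress-no-delaycompress", name))
        # after the rename the daemon keeps writing to the rotated file
        if not reopened:
            findings.append(("no-postrotate", name))
        mode = d.get("create", "").split()[:1]
        if mode and int(mode[0], 8) & 0o004:
            findings.append(("world-readable", name))
    return findings


# Constructed sample: Debian-style globals, the corrected stanza from the text,
# then a second stanza that re-declares /var/log/syslog with several mistakes.
SAMPLE = """\
weekly
rotate 4
create

/var/log/syslog {
    daily
    maxsize 100M
    rotate 7
    maxage 7
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

/var/log/syslog /var/log/kern.log {
    rotate 0
    compress
    create 0644 root adm
}
"""

if __name__ == "__main__":
    for finding, stanza in lint(SAMPLE):
        print(f"{finding:26} {stanza}")
```

Running it over the sample lists nothing for the first stanza and five findings for the second, one per mistake. The duplicate check is the one most worth keeping around: the error logrotate prints for it is easy to miss in a cron mail, and the effect is that the whole file containing the duplicate stops being applied.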

Security Considerations

When managing logs, security is a top concern. Logs routinely hold things they should not: passwords typed into the username field of an SSH prompt, session tokens inside request URLs, API keys echoed by a crashing application. Treat every log file as sensitive. I’ve seen this go wrong when logs were world-readable and an unprivileged account, or an attacker who had obtained one, simply read its way to working credentials. Two controls cover most of the risk. Keep authentication messages in their own file restricted to root and the adm group, which is what the stock auth,authpriv.* rule for /var/log/auth.log does. And have rsyslog create files with tight permissions from the start ($FileCreateMode 0640, $FileOwner root and $FileGroup adm in rsyslog.conf), with the same mode, owner and group in logrotate's create directive so rotated files match. Shipping a copy over TLS to a separate log host protects the other way round too: an intruder who gets root on the server cannot quietly erase the record of how they got in.

Logs are also your first detection source. Tools like Fail2Ban tail them for repeated authentication failures and add a firewall rule against a source address once it exceeds maxretry failures within findtime seconds; for a small server the stock sshd jail is enough. Don’t bother with complex security setups if you’re just starting out: get the basics right first, meaning file permissions, sane retention and one jail watching sshd.
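To show what "monitoring logs for suspicious activity" amounts to, here is an added Python example, not Fail2Ban's code, that applies the same maxretry/findtime logic to constructed sshd lines in the traditional syslog format (a made-up host web1 and RFC 5737 documentation addresses): an IP becomes a ban candidate when it accumulates maxretry failed-password lines within a sliding window of findtime seconds. The regex is this example's own, written against OpenSSH's standard "Failed password" message.

```python
"""Added example: Fail2Ban-style ban logic over sshd log lines (not Fail2Ban's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# OpenSSH's "Failed password" line in traditional syslog format. Matching only
# this line avoids double-counting attempts that also log "Invalid user".
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_timestamp(ts: str, year: int = 2024) -> datetime:
    """Traditional syslog timestamps carry no year; assume one (constructed sample)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def ban_candidates(lines: List[str], maxretry: int = 5, findtime: int = 600) -> List[Tuple[str, str]]:
    """Return (ip, iso_time) for each IP reaching maxretry failures within findtime seconds.

    Each IP gets a sliding window of failure times and is reported once, at the
    failure that crosses the threshold. Failures older than findtime fall out of
    the window, so slow, spread-out guessing stays under the radar unless
    findtime is raised (one reason Fail2Ban exposes it as a jail option).
    """
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    reported: List[Tuple[str, str]] = []
    banned = set()
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ip, when = m["ip"], parse_timestamp(m["ts"])
        q = window[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            reported.append((ip, when.isoformat()))
            banned.add(ip)
    return reported


# Constructed /var/log/auth.log excerpt (documentation addresses, RFC 5737).
SAMPLE_AUTH_LOG = """\
Mar 12 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 12 10:00:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 12 10:00:05 web1 sshd[2203]: Invalid user oracle from 203.0.113.7 port 51140
Mar 12 10:00:06 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51140 ssh2
Mar 12 10:00:09 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51160 ssh2
Mar 12 10:00:12 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51160 ssh2
Mar 12 10:01:00 web1 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar 12 10:05:00 web1 sshd[2220]: Failed password for alice from 198.51.100.4 port 40100 ssh2
Mar 12 10:20:00 web1 sshd[2230]: Failed password for alice from 198.51.100.4 port 40130 ssh2
Mar 12 10:35:00 web1 sshd[2240]: Failed password for alice from 198.51.100.4 port 40150 ssh2
Mar 12 10:50:00 web1 sshd[2250]: Failed password for alice from 198.51.100.4 port 40170 ssh2
Mar 12 11:05:00 web1 sshd[2260]: Failed password for alice from 198.51.100.4 port 40190 ssh2
""".splitlines()

if __name__ == "__main__":
    print("findtime=600 :", ban_candidates(SAMPLE_AUTH_LOG))
    print("findtime=3600:", ban_candidates(SAMPLE_AUTH_LOG, findtime=3600))
```

With the defaults, 203.0.113.7 is reported at its fifth failure and the slow guesser from 198.51.100.4 is not, because its attempts are fifteen minutes apart; raising findtime to an hour catches it too. That trade-off, and the fact that a real tool must handle log rotation (the file it is tailing gets renamed under it, which is exactly what the postrotate above is for), is most of what separates a jail definition from this sketch.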

Troubleshooting Tips

When troubleshooting log-related issues, start with the two configuration files. rsyslogd -N1 parses the rsyslog configuration without starting the daemon and reports syntax errors; logrotate -d runs logrotate in debug mode against a configuration file and prints what it would do without rotating anything. The journalctl command is also handy: on a systemd host journald captures every message and hands it to rsyslog, so journalctl -k shows the kernel messages even while your kern.info rule is still broken, and journalctl -u rsyslog shows the daemon's own complaints. For more information, refer to the Debian documentation and the logrotate(8) and rsyslog.conf(5) man pages.
