修改LOG配置文件

Limit the size of the current syslog

To limit the size of /var/log/syslog , you have to edit the /etc/rsyslog.d/50-default.conf , and set a fixed log size.

Add or modify this setting, by changing the following line in /etc/rsyslog.d/50-default.conf :

.*;auth,authpriv.none       -/var/log/syslog

Here an excerpt of rsyslog manual :

Output channels are defined via an $outchannel directive. It’s syntax is as follows:

$outchannel name,file-name,max-size,action-on-max-size

name is the name of the output channel (not the file), file-name is the file name to be written to, max-size the maximum allowed size and action-on-max-size a command to be issued when the max size is reached. This command always has exactly one parameter. The binary is that part of action-on-max-size before the first space, its parameter is everything behind that space. Please note that max-size is queried BEFORE writing the log message to the file. So be sure to set this limit reasonably low so that any message might fit. For the current release, setting it 1k lower than you expected is helpful. The max-size must always be specified in bytes - there are no special symbols (like 1k, 1m,…) at this point of development. Keep in mind that $outchannel just defines a channel with “name”. It does not activate it. To do so, you must use a selector line (see below). That selector line includes the channel name plus an $ sign in front of it. A sample might be: . :omfile:$mychannel In its current form, output channels primarily provide the ability to size-limit an output file. To do so, specify a maximum size. When this size is reached, rsyslogd will execute the action-on-max-size command and then reopen the file and retry. The command should be something like a log rotation script or a similar thing.

If there is no action-on-max-size command or the command did not resolve the situation, the file is closed and never reopened by rsyslogd (except, of course, by huping it). This logic was integrated when we first experienced severe issues with files larger 2gb, which could lead to rsyslogd dumping core. In such cases, it is more appropriate to stop writing to a single file. Meanwhile, rsyslogd has been fixed to support files larger 2gb, but obviously only on file systems and operating system versions that do so. So it can still make sense to enforce a 2gb file size limit.

Here the max-size is 1MB, place this line before the *.*; ... line

$outchannel mysyslog,/var/log/syslog,1048576

and change the *.*; ... line into

*.*;auth,authpriv.none  :omfile:$mysyslog

Restart rsyslogd ether with

sudo systemctl restart  rsyslog.service
sudo service rsyslog restart

To look at the rsyslog status type

systemctl status rsyslog.service  
原文链接:https://askubuntu.com/questions/184949/how-do-i-limit-the-size-of-my-syslog 最近在使用rsyslog进行日志的集中管理,需要限制服务器的日志文件大小,让它在达到一定大小后自动rotate。发现outchannel能实现这种需求,遂查阅rsyslog rotation官方文档(也可执行$man rsyslog.conf查看本地手册中的OUTPUT CHANNELS部分,通常这种方法更有参考价值),依葫芦画瓢做了以下配置: ----------------------- systemd journal之于`systemd`犹如`syslog`之于`init`,其日志文件保存在` /var/log/journal `目录下。随着时间的流逝,该目录下会积累大量日志文件,占用不少的磁盘空间。如果硬盘容量较小或可用空间紧张,可以考虑清理过期日志释放占用的空间。... 众所周知,ubuntu日志文件会越来越大,需要定期管理logrotate是个十分有用的工具,它可以自动对日志进行截断(或轮循)、压缩以及删除旧的日志文件。例如,你可以设置logrotate,让/var/log/foo日志文件每30天轮循,并删除超过6个月的日志。配置完后,logrotate的运作完全自动化,不必进行任何进一步的人为干预。另外,旧日志也可以通过电子邮件发送,不过该选项超出了本教程的讨 这个命令会停止rsyslog服务和syslog.socket。在某些情况下,仅仅停止rsyslog服务是不够的,因为syslog.socket可能会重新启动它。所以,你需要同时停止这两个服务。这个命令会阻止rsyslog服务和syslog.socket在系统启动时自动启动。请注意,这将只会临时停止rsyslog服务。请注意,这些操作可能需要root权限。如果你没有root权限,你可能需要在命令前加上。 一、/var目录 /var 所有服务的登录的文件或错误信息文件(LOG FILES)都在/var/log下,此外,一些数据库如MySQL则在/var/lib下,还有,用户未读的邮件的默认存放地点为/var/spool/mail 二、:/var/log/ 系统的引导日志:/var/log/boot.log例如:Feb 26 10:40:48 sendmial : sendmail startu... Rsyslog的全称是 rocket-fast system for log ,可用于接受来自各种来源的输入,转换 它们,并将结果输出到不同的目的地。 它提供了高性能、强大的安全功能和模块化设计。虽然rsyslog最初是一个常规的系 统日志,但它已经发展成为一种瑞士军刀式的日志记录,当应用有限处理时, RSYSLOG每秒可以向本地目的地发送超过一百万条消息。即使使用远程目的地和更 精细的处理,性能通常被认为是“惊人的”。