Logrotate interval for security log at /var/log/secure

pstromberg
Posts: 1
Joined: 2022/01/29 01:22:33

Post by pstromberg » 2022/01/29 02:11:19

On CentOS 8, the default logrotate interval is 1 week, and this also applies to the security log at /var/log/secure. The logrotate configuration for the security log can be found in /etc/logrotate.d/syslog and looks as follows:

/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
      missingok
      sharedscripts
      postrotate
          /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
      endscript
}

How can I change the logrotate interval for the security log from 1 week to 1 month? I assume I have to remove the line /var/log/secure from the syslog file and create a new configuration file named e.g. seclog in /etc/logrotate.d with the following content:

/var/log/secure
{
      monthly
      missingok
      sharedscripts
      postrotate
          /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
      endscript
}

Is there a way to test whether this configuration works correctly? Another question: How can I restart logrotate so that the new configuration becomes active?

Thanks in advance!

Pernilla

Errosion
Posts: 43
Joined: 2014/12/03 19:58:02

Re: Logrotate interval for security log at /var/log/secure

Post by Errosion » 2022/04/05 18:53:48

The first part of that is correct. You would remove /var/log/secure from the first file and create a second file that handles the rotation the way you want it.

As for testing it, you can use the "--debug" or "-d" option with logrotate, which will run through all of the details but not actually rotate the files.
Also use the -v option and you'll get even more details on what logrotate would do and whether it's reading the new config file properly.

You should see in that output that logrotate is reading that file, whether there are any errors with it, and what logrotate would do with the files, if it were to do anything with them.

Logrotate usually runs something like this command: /usr/sbin/logrotate /etc/logrotate.conf

So then you'd run "/usr/sbin/logrotate -d -v /etc/logrotate.conf"

You don't need to do anything to read in the new file. logrotate will read the new files at run time.
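
Added example, not part of the thread: the split only works if /var/log/secure is also removed from /etc/logrotate.d/syslog, because logrotate reports a log listed in two stanzas as a "duplicate log entry" error. The script below checks a drop-in directory for that, using constructed copies of the two files from the question; the function names `find_duplicate_logs` and `write_sample` are hypothetical, and only plain unquoted paths are handled (overlapping globs are not detected).

```bash
#!/bin/bash
# Added example (not from the thread): list every log path that is declared
# more than once across the files of a logrotate drop-in directory.
find_duplicate_logs() {
    awk '
        in_script { if ($1 == "endscript") in_script = 0; next }  # skip script bodies
        NF == 0 || $1 ~ /^#/ { next }                             # blank lines, comments
        depth == 0 {
            if ($1 !~ /^\// && $1 != "{") next                    # global directive
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { depth = 1; break }               # stanza body starts
                if ($i ~ /^\//) { n[$i]++; files[$i] = files[$i] " " FILENAME }
            }
            next
        }
        $1 ~ /^(prerotate|postrotate|firstaction|lastaction|preremove)$/ { in_script = 1; next }
        $1 == "}" { depth = 0 }
        END { for (p in n) if (n[p] > 1) print p ":" files[p] }
    ' "$1"/*
}

# Constructed copies of the two files from the question, written into DIR.
# Mode "before": syslog still lists /var/log/secure (the removal was forgotten).
# Mode "after":  the line has been removed from syslog.
write_sample() {
    dir=$1; secure_line=""
    [ "$2" = before ] && secure_line="/var/log/secure"
    hup='/usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true'
    # $secure_line is left unquoted on purpose so that it vanishes when empty
    printf '%s\n' /var/log/cron /var/log/maillog /var/log/messages $secure_line \
        /var/log/spooler '{' missingok sharedscripts postrotate "    $hup" \
        endscript '}' > "$dir/syslog"
    printf '%s\n' /var/log/secure '{' monthly missingok sharedscripts postrotate \
        "    $hup" endscript '}' > "$dir/seclog"
}

# Demo on a temporary directory; nothing under /etc is touched.
tmp=$(mktemp -d)
write_sample "$tmp" before
echo "before: $(find_duplicate_logs "$tmp")"
write_sample "$tmp" after
echo "after:  $(find_duplicate_logs "$tmp")"
rm -rf "$tmp"
```

On the real system, run `find_duplicate_logs /etc/logrotate.d` first and then the `logrotate -d -v /etc/logrotate.conf` dry run described in the reply above.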
