🔧 Linux LogRotate: Automatic Log Rotation and Cleanup Tutorial (with systemd / cron Implementation)
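In an operations environment, unplanned logs easily fill the disk and make analysis harder. LogRotate can automatically split, compress and clean up logs by size or by time, and reload the service after rotation. This article provides step-by-step, hands-on examples, explains the two ways of scheduling it (systemd timer and cron.daily), and closes with a troubleshooting checklist for common errors and security best practices.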
Contents
- 1. Core concepts and file layout
- 2. Global configuration: /etc/logrotate.conf
- 3. Per-service configuration: /etc/logrotate.d/ examples
- 4. Scheduled triggering: systemd timer vs cron.daily
- 5. Verification and manual rotation
- 6. Common errors and troubleshooting
- 7. Security and best practices (Hardening)
- 8. Practical recipes (ready to use)
- Further reading
1. Core concepts and file layout
- Main configuration file: /etc/logrotate.conf (holds the global rules and the include directive).
- Per-service files: /etc/logrotate.d/* (one file per service).
- Operating mode: rotate by time (daily/weekly/monthly) or by size (size); optional directives include compress/delaycompress, rotate N, missingok, notifempty and so on.
- Post-rotation action: inside postrotate/endscript, call systemctl reload or kill -HUP so the service reloads.
2. Global configuration: /etc/logrotate.conf
# /etc/logrotate.conf
# Global defaults (can be overridden by /etc/logrotate.d/*)
# Rotate weekly
weekly
# Keep 4 historical files
rotate 4
# Create a new file with the default permissions (can be tightened per file)
create
# Use the date as the file name suffix
dateext
# Compress old files (safer when paired with delaycompress)
compress
include /etc/logrotate.d
# Example for wtmp/btmp (system login records)
/var/log/wtmp {
monthly
rotate 12
create 0664 root utmp
missingok
}
/var/log/btmp {
monthly
rotate 12
create 0600 root utmp
missingok
}
3. Per-service configuration: /etc/logrotate.d/ examples
Example A: Nginx access/error logs
# /etc/logrotate.d/nginx
/var/log/nginx/*.log {
weekly
rotate 8
size 50M
missingok
notifempty
compress
delaycompress
dateext
create 0640 www-data adm
sharedscripts
postrotate
# Reload Nginx so that it reopens its log file handles
[ -s /run/nginx.pid ] && systemctl reload nginx.service
endscript
}
Example B: Single application log file (with copytruncate)
# /var/log/myapp/app.log: if the program cannot reload on HUP, copytruncate can be used
/var/log/myapp/app.log {
daily
rotate 14
size 10M
missingok
notifempty
compress
delaycompress
dateext
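# Copy the old file first, then truncate the original, so the service need not be restarted.
# Lines written between the copy and the truncate can be lost.
copytruncate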
}
Example C: Multi-file rule + permission hardening
# /etc/logrotate.d/myapps
/var/log/myapps/*.log {
weekly
rotate 6
missingok
notifempty
compress
dateext
# Use logrotate's su mechanism to maintain permissions
su root adm
create 0640 root adm
}
4. Scheduled triggering: systemd timer vs cron.daily
Most recent distributions already use logrotate.timer; older ones trigger it from /etc/cron.daily/logrotate.
# ✅ Recommended: enable the systemd timer (observable and easy to manage)
sudo systemctl enable --now logrotate.timer
systemctl status logrotate.timer
systemctl list-timers | grep logrotate
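# If using traditional cron (depending on the distribution default)
ls -l /etc/cron.daily/logrotate
sudo run-parts /etc/cron.daily # Trigger the daily jobs immediately (for testing)
Which takes precedence? If both exist, choose one, so that "timer + cron" does not trigger twice and cause concurrent rotations.
5. Verification and manual rotation
# Dry run (no changes made) to check that the configuration is correct
sudo logrotate -d /etc/logrotate.conf
# Force a rotation (to test the real run)
sudo logrotate -f /etc/logrotate.conf
# Inspect the results and the compressed files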
ls -lh /var/log/nginx/
ls -lh /var/log/myapp/
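6. Common errors and troubleshooting
- Permission denied / cannot create the new file: add create 0640 user group to the rule, or use the su clause.
- The service still writes to the old file after rotation: usually the service was not reloaded; call systemctl reload in postrotate, or use copytruncate.
- Concurrent rotation conflicts: avoid enabling logrotate.timer and cron.daily at the same time; disable one of them.
- Compressed files do not appear: check whether delaycompress is set (compression is deferred until the next rotation).
- Disk usage does not drop: a service that was not reloaded after rotation still holds the file descriptor; lsof | grep deleted lists files that are deleted but still held open.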
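The two file-handle problems in this list, reproduced in a temporary directory (an added example, not part of the original article; the function names and file names are hypothetical):

```python
import os
import tempfile

def rotate_under_writer(reopen: bool) -> dict:
    """Rename-and-create rotation while a writer keeps app.log open.

    reopen=True models a service that reopens its log on reload/HUP.
    """
    with tempfile.TemporaryDirectory() as d:
        live, rotated = os.path.join(d, "app.log"), os.path.join(d, "app.log.1")
        writer = open(live, "a", buffering=1)        # the running "service"
        writer.write("before rotation\n")
        os.rename(live, rotated)                     # logrotate moves the old file
        os.close(os.open(live, os.O_CREAT | os.O_WRONLY, 0o640))  # `create 0640`
        if reopen:                                   # effect of the postrotate reload
            writer.close()
            writer = open(live, "a", buffering=1)
        writer.write("after rotation\n")
        # Same inode as app.log.1 means the handle still points at the old file.
        on_old = os.fstat(writer.fileno()).st_ino == os.stat(rotated).st_ino
        writer.close()
        with open(live) as f:
            live_lines = f.read().splitlines()
        with open(rotated) as f:
            rotated_lines = f.read().splitlines()
    return {"writer_on_rotated": on_old, "live": live_lines, "rotated": rotated_lines}

def deleted_but_held(payload: bytes = b"x" * 4096) -> tuple:
    """Delete a log that is still open: the name is gone, the data stays allocated."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "old.log")
        with open(path, "wb", buffering=0) as held:
            held.write(payload)
            os.unlink(path)                          # the case `lsof | grep deleted` finds
            st = os.fstat(held.fileno())
            return os.path.exists(path), st.st_nlink, st.st_size

if __name__ == "__main__":
    print(rotate_under_writer(reopen=False))   # new app.log stays empty
    print(rotate_under_writer(reopen=True))    # writes land in the new app.log
    print(deleted_but_held())
```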
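7. Security and best practices (Hardening)
- Minimize permissions: for important logs use create 0600 root adm so that ordinary users cannot read them.
- Avoid overwriting: prefer create or copytruncate; do not empty a log manually with > file.
- Retention period follows compliance: set rotate N according to internal-control / regulatory requirements (for example, a security audit requiring 6–12 months of retention).
- Combine with centralization: critical logs should be shipped to a centralized system (rsyslog/Logstash), leaving rotation to control local volume only.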
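One way to check rule files against this list, as an added example that is not part of the original article. Assumptions: the sample stanzas and their paths are constructed, min_days=180 is a hypothetical policy taken from the low end of the 6–12 month example, stanzas are audited in isolation (global defaults are not inherited), and any stanza using size is treated as having no time-bound retention.

```python
import re

INTERVAL_DAYS = {"daily": 1, "weekly": 7, "monthly": 30}
SCRIPT = r"(?ms)^\s*(?:prerotate|postrotate|firstaction|lastaction|preremove)\b.*?^\s*endscript\b"

# Constructed sample rules (hypothetical paths), not taken from a real host.
SAMPLE = """
/var/log/audit-demo/*.log {
    monthly
    rotate 12
    create 0600 root adm
}
/var/log/web-demo/*.log {
    daily
    size 100M
    rotate 14
    create 0644 www-data adm
    postrotate
        systemctl reload nginx.service
    endscript
}
/var/log/app-demo/app.log {
    weekly
    rotate 4   # four weeks only
}
"""

def parse_stanzas(text):
    """Yield (path_pattern, {directive: [args]}) for each `path { ... }` block."""
    text = re.sub(SCRIPT, "", re.sub(r"#.*", "", text))  # drop comments, script bodies
    for head, body in re.findall(r"([^{}]+)\{([^{}]*)\}", text):
        rules = {ln.split()[0]: ln.split()[1:] for ln in body.splitlines() if ln.strip()}
        yield head.strip().splitlines()[-1].strip(), rules

def audit(text, min_days=180):
    """Check each stanza against the hardening list; min_days is an assumed policy."""
    findings = []
    for path, r in parse_stanzas(text):
        mode = (r.get("create") or [""])[0]
        if re.fullmatch(r"[0-7]{3,4}", mode):
            if int(mode, 8) & 0o007:
                findings.append((path, "create mode grants access to other users"))
        elif "copytruncate" not in r:
            findings.append((path, "no explicit create mode and no copytruncate"))
        days = next((INTERVAL_DAYS[k] for k in INTERVAL_DAYS if k in r), None)
        if "size" in r:
            findings.append((path, "size-based: rotate N counts files, not days"))
        elif days and int(r.get("rotate", ["0"])[0]) * days < min_days:
            findings.append((path, "retention below policy"))
    return findings
```

Calling audit(SAMPLE) returns a list of (path, finding) pairs; the same function can be given the text of each file under /etc/logrotate.d/.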
8. Practical recipes (ready to use)
R1: "Time + size" dual condition for high-traffic sites
/var/log/nginx/*.log {
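daily
# size given after the interval takes precedence over it, so rotation depends on file size alone.
# To rotate daily or at 100M, whichever comes first, logrotate provides maxsize.
size 100M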
rotate 14
missingok
compress
delaycompress
dateext
create 0640 www-data adm
sharedscripts
postrotate
systemctl reload nginx.service
endscript
}
R2: journald cleanup (capacity management alongside LogRotate)
# Set journald storage limits (/etc/systemd/journald.conf)
[Journal]
SystemMaxUse=2G
SystemMaxFileSize=200M
RuntimeMaxUse=512M
# Immediately clean up old journal entries (keep the last 14 days)
sudo journalctl --vacuum-time=14d
# Or clean up by size, keeping the most recent 1G
sudo journalctl --vacuum-size=1G
R3: Custom task that uses a timer to periodically remove large temporary files
# /etc/systemd/system/tmp-clean.service
[Unit]
Description=Scheduled temp cleanup
[Service]
Type=oneshot
ExecStart=/usr/bin/find /var/tmp -type f -mtime +7 -delete
# /etc/systemd/system/tmp-clean.timer
[Unit]
Description=Run temp cleanup daily
[Timer]
OnCalendar=daily
RandomizedDelaySec=120
Persistent=true
[Install]
WantedBy=timers.target
# Enable
sudo systemctl enable --now tmp-clean.timer
systemctl list-timers | grep tmp-clean
Further reading
- Linux centralized logging with rsyslog: centralized collection and analysis
- Proxy/GoAccess: visual analysis of traffic logs
- Firewall × Fail2Ban × systemd: malicious IP protection
- Automated logs: GoAccess + Fail2Ban advanced
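🧭 Action checklist
✅ Enable logrotate.timer (or confirm cron.daily) and choose one
✅ Add individual rules under /etc/logrotate.d/ for Nginx / application services
✅ Validate the workflow with logrotate -d and -f; observe with journalctl
✅ Apply create 0600 and su permission control to security-sensitive logs
✅ Combine with rsyslog / GoAccess for centralization and visualization
— WWFandy・Topic notes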