Why does Debian use antiquated syslog rotation?

Overnight I got loads of “452 Insufficient system storage” errors from one of the mailservers I manage, which led me on a little hunt for the problem and a delve into the mystical world of Debian log rotation.

To make a long story shorter, it turns out that BIND was filling my /var/log/syslog and /var/log/daemon logs with “sysquery: no addrs found for root NS” entries to the tune of 100s a minute, bloating my logs to the point that they completely filled my /var partition. That ground Postfix to a halt, because the chroot jail it runs in is on the /var partition.
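One way to spot which message is flooding a log before /var fills, as an added example that is not part of the original post: the function below groups traditional-format syslog lines by minute, program and message, and reports any group at or above a threshold. The function names, the default of 100 lines per minute, and the sample lines (host mx1, PIDs, timestamps, addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report (minute, program, message) groups that repeat at
# least THRESHOLD times in a traditional-format syslog file.
# Usage: flood_report /var/log/syslog 100
flood_report() {
    file=$1
    threshold=${2:-100}   # assumed default: 100 identical lines per minute
    awk -v t="$threshold" '
    {
        # Line layout: "Mon DD HH:MM:SS host prog[pid]: message"
        minute = $1 " " $2 " " substr($3, 1, 5)
        tag = $5
        sub(/\[[0-9]+\]:$/, ":", tag)   # drop the PID so restarts still group
        msg = $6
        for (i = 7; i <= NF; i++) msg = msg " " $i
        count[minute "\t" tag " " msg]++
    }
    END {
        # Output columns: count, minute, "program: message"
        for (k in count)
            if (count[k] >= t) printf "%d\t%s\n", count[k], k
    }' "$file" | sort -t "$(printf '\t')" -k1,1nr
}

# Constructed sample: 150 copies of the BIND message within one minute,
# plus two unrelated lines that must not be reported.
make_sample_log() {
    i=0
    while [ "$i" -lt 150 ]; do
        printf 'Mar  3 02:14:%02d mx1 named[412]: sysquery: no addrs found for root NS\n' $((i % 60))
        i=$((i + 1))
    done
    printf 'Mar  3 02:14:07 mx1 postfix/smtpd[2290]: connect from unknown[192.0.2.10]\n'
    printf 'Mar  3 02:15:01 mx1 postfix/smtpd[2290]: disconnect from unknown[192.0.2.10]\n'
}
```

Run from cron against /var/log/syslog, a non-empty result is a cue to fix the noisy daemon before the partition fills.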

Obviously the first step was to fix the BIND error that was filling the logs. This is actually a pretty easy fix and simply involved re-creating the db.cache file which was out of date (probably thanks to the use of generally reliable upstream DNS servers). All it took to fix this was updating the file:

cd /etc/bind
dig @m.root-servers.net. ns . > db.cache.tmp
mv db.cache.tmp db.cache
/etc/init.d/bind reload

The next step was to free up some space on the /var partition. I could probably have just deleted the offending files, but because they wouldn’t take up much space when compressed and I hate to screw up the log rotation process, I decided to rotate them a few times myself. I could probably have done this manually, but I didn’t know how the log rotation process worked in Debian and was afraid of throwing it for a loop if I did this, so I wanted to do it using the rotation tool itself.

As it turns out, Debian ships with a highly configurable log rotation tool (it’s really great; you can selectively rotate based on all sorts of conditions) called logrotate, which I believe can originally be attributed to coders at Red Hat. Unfortunately, the standard Debian setup does not actually use it for rotating the syslog file, which is exactly what I needed to rotate.

After some digging, it turns out Debian uses a kludged-together script located at /etc/cron.daily/sysklogd for rotating the syslog. This isn’t the first time that someone has pointed out the silliness of having such a script; as this posting from 1999 I found clearly indicates, it’s been a longstanding issue. Why the developers didn’t switch to using the logrotate program for the syslog when they started including it is beyond me. It seems that it would be easy enough to make the changeover, unless I’m missing something, in which case I would appreciate hearing the concern with doing this.

Of course, others have pointed out that the standard syslog daemon leaves a lot to be desired, so you could even read about how to change that out to something more configurable at the Debian-Administration site.
