I have a script that periodically checks /var/log/system.log and I've noticed across our network that some machines keep logfiles for a month through reboots and other activities, while some purge the file each night or each reboot.
Does anyone know the exact rules here, or if I can specify intervals? Thanks in advance.
On OS X, /var/log/system.log is rotated by the
newsyslog
command, which is run at half-past each hour (see /System/Library/LaunchDaemons/com.apple.newsyslog.plist) whenever the Mac is running and awake. The rotation rules are in /etc/newsyslog.conf, from which the relevant lines are:If I understand this right (see the newsyslog.conf man page), the "@T00" in the "when" field means that the log will be rotated if newsyslog runs between midnight and 1am -- i.e. at the 12:30am run. But if the Mac is off or asleep at 12:30, this run won't happen and the log won't get rotated that day, which is probably why you see such variable results.
If you want to change the rotation criteria, feel free to edit /etc/newsyslog.conf; most of the other logs get rotated based on size, and I'm not sure why system.log is different.
UPDATE: Starting in 10.9, the rotation control for system.log moved from /etc/newsyslog.conf to /etc/asl.conf (the config for the Apple System Log facility, which does the writing to system.log). It'll have a section like this:
The "rotate=seq compress file_max=5M all_max=50M" section controls archiving and retention. See man asl.conf for more info and options.
The logging system got a pretty thorough rewrite in 10.12, but this doesn't appear to have changed.