Home / server / Questions / 959320
Accepted
x-yuri
Asked: 2019-03-22 06:14:57 +0800 CST

Missing log rotations

  • 772

One of my servers ran out of space recently. So I started looking into it. The nginx logs took half of the partition. Also, I noticed a strange thing. For a lot of sites (60%) extra rotations where present (example.com-access.log.53.gz when rotate 52). And most of the biggest ones—but not all—had only two rotations:

example.com-access.log
example.com-access.log.53.gz

50% of the logs had only those two rotations. Sometimes there were just holes in the rotations (30%): one file or more. *.log.1 was often missing (25%). Sometimes there were both *.log.1 and *.log.1.gz (2 out of 172).

Can you explain this missing/duplicate rotations? *.log + *.log.53.gz case makes me think that at some point it was unable to rotate *.log.1 to *.log.2.gz. But wouldn't it stop after unsuccessful gzip? Then there must be no holes. Or at least there must be *.log.1 present if it wouldn't, mustn't there?

I'm running Debian server if anything.

/etc/logrotate.conf:

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}

# system-specific logs may be configured here

/etc/logrotate.d/nginx:

/var/log/nginx/*.log {
    weekly
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
    size 50M
    sharedscripts
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi \
    endscript
    postrotate
        [ -s /run/nginx.pid ] && kill -USR1 `cat /run/nginx.pid`
    endscript
}

/etc/logrotate.d/httpd-prerotate doesn't exist.

linux

1 Answers

  1. Best Answer

    tl;dr Duplicates might be produced if compression (gzip) was interrupted. One such duplicate (if sharedscripts) makes it eventually leave only one gzipped rotation (#rotate + 1).

    Here's a simplified version of what's going on under the hood (logset is an entry /path/to/dir/*.log {...} in the config):

    for (let logSet of logSets) {
    rotateLogSet(logSet);
}

function rotateLogSet(logSet) {
    const logHasErrors = [];
    let hasErrors = false;
    for (let i = 0; i < logSet.files().length; i++) {
        findNeedRotating(log, i);
    }
    const jn = logSet['sharedscripts']
        ? 1
        : logSet.files().length;
    for (let j = 0; j < jn; j++) {
        const in = logSet['sharedscripts'] ? logSet.files().length : j + 1;
        for (let i = j; i < in; i++) {
            logHasErrors[i] ||= ! prerotateSingleLog(logSet, i);
            hasErrors ||= logHasErrors[i];
        }
        if (logSet['prerotate']
            && ( ! (
                logSet['sharedscripts'] ? hasErrors : logHasErrors[j]
            ))
        ) {
            if ( ! runScriptMultiple(logSet['prerotate']))
                logHasErrors[j] = hasErrors = true;
        }
        for (let i = j; i < in; i++) {
            if ( ! (
                logSet['sharedscripts'] ? hasErrors : logHasErrors[i]
            ))
                logHasErrors[i] ||= ! rotateSingleLog(logSet, i);
                hasErrors ||= logHasErrors[i];
        }
        if (logSet['postrotate']
            && ( ! (
                logSet['sharedscripts'] ? hasErrors : logHasErrors[j]
            ))
        ) {
            if ( ! runScriptMultiple(logSet['postrotate']))
                logHasErrors[j] = hasErrors = true;
        }
        for (let i = j; i < in; i++) {
            if ( ! (
                logSet['sharedscripts'] ? hasErrors : logHasErrors[i]
            ))
                logHasErrors[i] ||= ! postrotateSingleLog(logSet, i);
                hasErrors ||= logHasErrors[i];
        }
    }
}

function findNeedRotating(logSet, i) {
    const log = logSet.files()[i];
    if ( ! stat(log))
        return logSet['missingok'] && errno == ENOENT;
    log.doRotate = ...;
    return ...;
}

function prerotateSingleLog(logSet, i) {
    let hasErrors = false;
    const log = logSet.files()[i];
    if ( ! log.doRotate)
        return;
    if (stat(log))
        hasErrors = compressLogFile(log);
    for (let i = logSet['rotate']; i >= 0 && ! hasErrors; i--) {
        if ( ! rename(`${log}.${i}.gz`, `${log}.${i + 1}.gz`))
            if (errno != ENOENT)
                hasErrors = true;
    }
    return ! hasErrors;
}

function rotateSingleLog(logSet, i) {
    let hasErrors = false;
    const log = logSet.files()[i];
    if ( ! log.doRotate)
        return;
    if ( ! rename(log, `${log}.1`))
        hasErrors = true;
    if ( ! hasErrors && logSet['create'])
        if ( ! createOutputFile(log))
            hasErrors = true;
    return ! hasErrors;
}

function postrotateSingleLog(logSet, i) {
    const log = logSet.files()[i];
    if ( ! log.doRotate)
        return;
    rm(`${log}.${logSet['rotate'] + 1}.gz`);
}

    So, with sharedscripts normally an error, that occurs while handling a log file belonging to a logset, stops processing of the whole logset. Without it processing of just one log file is stopped.

    But nonexistent gzipped rotation or 1st rotation of a log file doesn't count as an error. As doesn't the case when log file itself doesn't exist if missingok (doesn't matter in case of a pattern). Also an error during prerotateSingleLog() phase with sharedscripts doesn't break the loop.

    Do note, I made a lot of simplifications while compiling the code above. Consult the original when in doubt.

    With this, the only cases I can see where there might be missing or extra files is when logrotate is interrupted. That might explain rotate + 1 rotations (gzipped rotations were renamed but the last one hasn't been removed). Also, when gzip is interrupted, it leaves the target file behind. That explains having both *.log.1 and *.log.1.gz rotations. Still no explanation for the holes in the rotations.

    UPD It appears duplicates (*.log.1 + *.log.1.gz) produce an error:

    error: error creating output file /var/log/nginx/example.com-access.log.1.gz: File exists

    That stops processing after prerotateSingleLog() phase. At that point all gzipped rotations were renamed. But renaming *.log -> *.log.1 and removing *.log.${rotate + 1}.gz are skipped. *.log grow bigger and bigger, and eventually you run out of space.

    That explains everything but missing *.log.1 rotations. But probably is as good as it gets.

    So, beware of errors in log rotation. You can identify the issue by spotting "error:" line in logrotate (even non-verbose) output.

    As a bonus, a script that displays contents of a log dir in a nice way (natural sort, with sizes):

    #!/usr/bin/env bash
set -eu
for l in /var/log/nginx/*.log; do
    du -bs "$l"* \
        | sed -E 's/(.*\.([0-9]+)(\.gz)?)$/\2 \1/; t a; s/^/0 /; :a' \
        | sort -nk1 \
        | awk '{sub(/.*\//, "", $3); printf("%12s %s\n", $2, $3)}'
done

    And another that let's you check if you've got the issues I ran into:

    #!/usr/bin/env bash
set -eu

dir=/var/log/nginx

i=0
n_0_53=0
n_53=0
n_holes=0
n_missing_1=0
for f in `ls "$dir"/*.log`; do
    f=`basename -- "$f"`
    echo -- $f
    rotations=$(ls "$dir/$f"* \
        | sed -E 's/(.*\.([0-9]+)(\.gz)?)$/\2 \1/; t a; s/^/0 /; :a' \
        | sort -nk1 \
        | awk '{print $1}')

    duplicates=$(echo "$rotations" | uniq -c | awk '$1 != 1 {print $2}')
    if [ "$duplicates" ]; then
        echo duplicates: $duplicates
    fi

    if [ "$rotations" = $'0\n53' ]; then
        echo 0, 53
        (( n_0_53 += 1))
    else
        missing=
        last=$(echo "$rotations" | tail -n 1)
        for (( j = 0; j <= $last; j++ )); do
            if ! [[ "$rotations" =~ (^|$'\n')"$j"($'\n'|$) ]]; then
                missing="$missing $j"
            fi
        done
        if [ "$missing" ]; then
            echo missing: $missing
            (( n_holes += 1 ))
        fi
        if [ "$missing" = ' 1' ]; then
            (( n_missing_1 += 1 ))
        fi
    fi
    if [[ "$rotations" =~ (^|$'\n')53($'\n'|$) ]]; then
        (( n_53 += 1 ))
    fi
    (( i += 1 ))
done
printf 'n_0_53: %s %s\n' "$n_0_53" "$(echo "$n_0_53 * 100 / $i" | bc)"
printf 'n_53: %s %s\n' "$n_53" "$(echo "$n_53* 100  / $i" | bc)"
printf 'n_holes: %s %s\n' "$n_holes" "$(echo "$n_holes * 100 / $i" | bc)"
printf 'n_missing_1: %s %s\n' "$n_missing_1" "$(echo "$n_missing_1 * 100 / $i" | bc)"
printf 'total: %s\n' "$i"
    • 1