Hi there,
could anyone help me configure log rotation?
I don’t have the graylog-ctl scripts for some reason so if it’s a part of that package then maybe I’m SOL.
Anyways,
I checked the server.conf and made some changes to the indexing but as far as I understand that’s for the purpose of being able to quickly search through the logs later. I also tried to configure logrotate, but when I couldn’t find where the old logs were being moved to I asked online & was told it’s because Graylog has its own rotation that it uses. I’ve seen the /etc/graylog/server/log4j2.xml file, but it isn’t immediately obvious to me how to configure it for log rotation.
Which doesn’t seem to break anything, but I don’t know where the rotated logs end up. I can see that my journal file gets rotated (I usually check the file size every day and sometimes it’s shrunk drastically). Any thoughts?
Edit:
My graylog messages are stored in /var/lib/graylog-server/journal/messagejournal-0/000*.log
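For anyone arriving at this thread with the same question about log4j2.xml: Graylog's own server log is written by Log4j 2, and rotation of that file is configured through a RollingFile appender rather than through logrotate. The block below is an added illustrative example, not the file shipped by Graylog or posted by anyone in this thread; the path /var/log/graylog-server/server.log, the 50 MB threshold, the retention count of 10 and the layout pattern are all assumptions to adapt to your installation. Rolled files are gzip-compressed because the filePattern ends in .gz, which is standard Log4j 2 behaviour.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example Log4j 2 configuration for rotating Graylog's server log (added example, not Graylog's default file). -->
<Configuration>
  <Appenders>
    <!-- fileName is the active log; filePattern names the rolled copies.
         The .gz suffix tells Log4j 2 to compress each rolled file. Paths are assumptions. -->
    <RollingFile name="rolling-file"
                 fileName="/var/log/graylog-server/server.log"
                 filePattern="/var/log/graylog-server/server.log.%i.gz">
      <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
      <Policies>
        <!-- Roll over once the active file reaches 50 MB (example value). -->
        <SizeBasedTriggeringPolicy size="50MB"/>
      </Policies>
      <!-- Keep at most 10 rolled files; the oldest is deleted at the next rollover,
           so the appender cannot fill the disk on its own. -->
      <DefaultRolloverStrategy max="10" fileIndex="min"/>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="rolling-file"/>
    </Root>
  </Loggers>
</Configuration>
```

Note that this only governs the process log of the Graylog server itself (startup messages, errors, warnings). It has no effect on the message journal under /var/lib/graylog-server/journal, which Graylog manages internally, and no effect on retention of ingested messages, which live in Elasticsearch and are controlled by the index rotation and retention settings in server.conf. Bounding the size and count of rolled server logs matters mainly for availability: an unbounded server log can exhaust the disk and stall ingestion.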
The journal is not the logfile - never touch anything that is inside the journal folder. The journal is the internal buffer of Graylog that is used when Graylog is not able to ingest messages into Elasticsearch.
The logfiles are by default in /var/log/graylog-server/server.log (might be different depending on how you install; see the link to the docs and default files above!)
Ah, so since it’s the buffer that would explain the… shrinkage.
In that case, does the log4j config look correct to you?
Edit:
I’m pretty confused now. I have the server.log file, but it seems to just be internal messages from the server and not the messages received - it also hasn’t been appended in over a week despite me receiving a few hundred thousand syslog messages since then. I know the Journal file changes in real time, but if it’s just a buffer does that mean messages are not being saved anywhere? For reference…
Message journal files
/var/lib/graylog-server/journal
Log Files
/var/log/graylog-server/
Are both correct, but the former is a buffer and the latter seems to be internal messages only…does graylog require additional configuration to keep messages?
Sorry Jan. I found what I was looking for. It was in /var/log/upstart/graylog-server and I can see that in this directory there are compressed log versions indicating that they are being rotated. Thanks for your patience.
The “server.log” seems like a plaintext record of ingested messages.
ubuntu@osshonisyslog1s:/var/log/upstart$ ls -anh | grep graylog
-rw-r----- 1 0 0 21M Aug 16 13:19 graylog-server.log
-rw-r----- 1 0 0 4.2M Aug 16 06:25 graylog-server.log.1.gz
-rw-r----- 1 0 0 4.7M Aug 15 06:25 graylog-server.log.2.gz
-rw-r----- 1 0 0 4.9M Aug 14 06:25 graylog-server.log.3.gz
-rw-r----- 1 0 0 3.8M Aug 13 06:25 graylog-server.log.4.gz
-rw-r----- 1 0 0 3.0M Aug 12 06:24 graylog-server.log.5.gz
-rw-r----- 1 0 0 2.4M Aug 11 06:25 graylog-server.log.6.gz
-rw-r----- 1 0 0 2.8M Aug 10 06:25 graylog-server.log.7.gz
Judging by the modify time, the “graylog-server.log” (uncompressed) file is being updated in real time. In all of the documentation I’ve looked at and the questions I’ve asked, this directory has never come up. Is it meant to be here? I quite like it, as I can uncompress the logs from another day to read them if I need to.
Thanks for the reply, Jan.
I checked again this morning and these same plaintext logs have been rotated again.
I installed on Trusty Tahr. The contents of the log file look like: