I have just set up a fairly extensive logging and logrotation operation on a system, to hopefully eliminate or at least minimize the risks of out-of-space errors (possible vulnerabilities?).
However, I have not been able to find a definite answer to this question in the manpages for the logrotate service.
How does the logrotate service determine the timestamp of the last logrotation for its daily, weekly or monthly options?
The excerpt from man logrotate goes as follows:
weekly [weekday]
Log files are rotated once each weekday, or if the date is advanced by at least 7 days since the last rotation (while ignoring the exact time). The weekday interpretation is following: 0 means Sunday, 1 means Monday, ..., 6 means Saturday; the special value 7 means each 7 days, irrespectively of weekday. Defaults to 0 if the weekday argument is omitted.
Is the time of the last rotation simply checked constantly (using a cronjob) by looking at the last modification timestamp of the previously rotated log file?
If so, if a user manages to somehow 'fool' the system and force it to de-synchronize its system time (often it is fairly easy to do because, it being a very rare attack vector, it is rarely properly guarded), consequently having logrotate create rotated logs with a future timestamp, will that essentially disable logrotate's frequency-based rotation?
For reference: the system in question, because of tumblerd (whether it was because of the system's configuration or an actual vulnerability I cannot say), which is a type of thumbnail manager from what I understand, was constantly adding entries to the syslog, user.log and messages logs, each reaching up to 100GB before the system failure (first space-wise, followed by memory leaks and CPU load spikes). Not only was this a problem in itself, but it also made reading these 3 log files impossible, and the only solution I could think of on the spot was echo "" > [filename] to clear them.
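As an added example (not part of the original post and not logrotate's own code): a Python model of the `weekly [weekday]` wording quoted above, run over a constructed state file, that flags any log whose recorded last rotation lies ahead of the current clock. It assumes the last-rotation dates come from logrotate's state file (the `-s`/`--state` option) in the version 2 line layout; the paths and dates are made up, and `parse_state`, `weekly_decision` and `audit` are hypothetical helper names.

```python
from datetime import date

# Constructed sample in the layout of a logrotate version 2 state file
# (assumption: one '"path" YYYY-M-D-H:M:S' entry per line; values are made up).
SAMPLE_STATE = '''logrotate state -- version 2
"/var/log/syslog" 2024-3-10-6:25:1
"/var/log/user.log" 2024-3-3-6:25:1
"/var/log/messages" 2031-1-1-0:0:0
'''

def parse_state(text):
    """Return {log path: date of last rotation} from state-file text."""
    entries = {}
    for line in text.splitlines()[1:]:           # first line is the header
        line = line.strip()
        if not line.startswith('"'):
            continue
        path, _, stamp = line[1:].rpartition('" ')
        year, month, day, _time = stamp.split("-", 3)
        # The man page says the exact time is ignored, so keep the date only.
        entries[path] = date(int(year), int(month), int(day))
    return entries

def weekly_decision(last, today, weekday=0):
    """Model of the man page text for `weekly [weekday]`.

    weekday follows the man page: 0 = Sunday ... 6 = Saturday, 7 = every 7 days.
    This models the documented wording, not logrotate's source code.
    """
    elapsed = (today - last).days
    if elapsed < 0:
        return "clock-anomaly"                   # last rotation is in the future
    if elapsed >= 7:
        return "rotate"                          # date advanced by at least 7 days
    # Python numbers Monday as 0; the man page numbers Sunday as 0.
    today_wd = (today.weekday() + 1) % 7
    if weekday != 7 and today_wd == weekday and elapsed > 0:
        return "rotate"                          # once on the configured weekday
    return "wait"

def audit(state_text, today, weekday=0):
    """Map each log in the state file to rotate / wait / clock-anomaly."""
    return {path: weekly_decision(last, today, weekday)
            for path, last in parse_state(state_text).items()}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_STATE, date(2024, 3, 13)).items():
        print(f"{verdict:14} {path}")
```

A "clock-anomaly" verdict means the recorded date is ahead of the clock the check ran under, which is the condition the question describes; alerting on it from a host with trusted time catches the skew regardless of how logrotate itself reacts.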