What determines when logs get rotated?

I need to write a script to parse /private/var/log/secure.log and create a report consisting of the time and userid of each login. But secure.log gets archived periodically, and then the archives get deleted, so I need to time the execution of this script to whatever it is that triggers this archiving so I can record the logins before the log gets rotated.
Looking at the logs and archives, it's a little hard to tell what's going on.
% ls -l /private/var/log/secure.*
-rw-r----- 1 root admin 8153 Jul 24 21:37 /private/var/log/secure.log
-rw-r----- 1 root admin 2232 Jul 21 23:16 /private/var/log/secure.log.0.gz
-rw-r----- 1 root admin 2196 Jul 7 08:21 /private/var/log/secure.log.1.gz
-rw------- 1 root admin 6275 Jun 29 22:29 /private/var/log/secure.log.2.gz
The time intervals are not the same, and neither are the file sizes, so the logs don't appear to get rotated on a regular schedule or when they reach a certain size. It does seem to happen between logins, I think.
/private/etc/periodic/daily/100.clean-logs looks like it deletes old logs, but it isn't involved in archiving or deleting archived logs. /private/etc/periodic/daily/500.daily has a routine for archiving logs, but I don't understand it well enough to see what triggers it.

I've written the script for doing user accounting on the Panther machines, but I'm still having trouble understanding what's going on on my own machine. I'm not positive, but I think there might be some serious problems with launchd and how it manages logs. Something is definitely not right.
According to the documentation Mark referred me to,
Beginning in Mac OS X v10.4, the preferred way to add a timed job is to use a launchd(8) timed job. A launchd timed job is similar to a cron(8) job, with two key differences:
* Each launchd job is described by a separate file. This means that you can add launchd timed jobs by simply adding or removing a file.
* If the computer is asleep at the designated time, a launchd job executes as soon as the computer wakes. (This is similar to the behavior of anacron and other cron replacements).
From what I'm seeing, this simply isn't happening. Look at the listing I posted above:
% ls -l /private/var/log/secure.*
-rw-r----- 1 root admin 8153 Jul 24 21:37 /private/var/log/secure.log
-rw-r----- 1 root admin 2232 Jul 21 23:16 /private/var/log/secure.log.0.gz
-rw-r----- 1 root admin 2196 Jul 7 08:21 /private/var/log/secure.log.1.gz
-rw------- 1 root admin 6275 Jun 29 22:29 /private/var/log/secure.log.2.gz
This log is rotated by the script /private/etc/periodic/weekly/500.weekly, but it clearly isn't being rotated weekly. The dates the three archives were created fall on a Friday and two Saturdays, and there is a two week gap between 0 and 1. I am positive that my laptop was not asleep for a week or more. I use it every day. I noticed that the permissions on secure.log.2.gz are wrong, but I don't think that's the cause of the problem. It's just another sign of the hinkiness that abounds here.
The situation looks even stranger when you look at the dates of the first and last entries in each file:
secure.log.2: Jun 19 22:34:51 - Jun 29 22:29:19
secure.log.1: Jun 30 20:15:36 - Jul 7 08:20:33
secure.log.0: Jul 7 11:33:01 - Jul 21 23:16:07
secure.log: Jul 22 15:35:03 - Jul 27 22:43:46 (and counting)
So it looks like secure.log.0 and secure.log.2 were truncated and archived around midnight--different days of the week, but at least they avoided getting entries from the same date in two different files. But look at secure.log.1. 8:21 in the morning??? Why???? It's not like it was asleep or anything. I had been using it until around 12:30, and started in again at around 6:30 Saturday morning. Why does it decide it's time to rotate the log at 8:21? And this is after it has already waited two weeks!
So if you're doing user accounting on a weekly basis, this just isn't helpful, and it sure isn't helpful if you're trying to do it monthly. You basically need to re-concatenate the files and split them out by grepping the dates. In other words, before you can do what you need to do, you have to undo what the periodic maintenance routines have done.
And you have to hope they haven't destroyed the records you need.
Among all the other mysteries I'm trying to sort out, I'm trying to understand why the /private/etc/periodic/monthly/500.monthly script didn't run at the end of June. One thing I can't do is go back and look at the system.log, because they rotate them daily (or they intend to, but this doesn't work correctly either) and only keep the last seven. Here's what the log rotation script looks like:
    for i in system.log; do
        if [ -f "${i}" ]; then
            printf %s " ${i}"
            if [ -x /usr/bin/gzip ]; then gzext=".gz"; else gzext=""; fi
            if [ -f "${i}.6${gzext}" ]; then mv -f "${i}.6${gzext}" "${i}.7${gzext}"; fi
            if [ -f "${i}.5${gzext}" ]; then mv -f "${i}.5${gzext}" "${i}.6${gzext}"; fi
            if [ -f "${i}.4${gzext}" ]; then mv -f "${i}.4${gzext}" "${i}.5${gzext}"; fi
            if [ -f "${i}.3${gzext}" ]; then mv -f "${i}.3${gzext}" "${i}.4${gzext}"; fi
            if [ -f "${i}.2${gzext}" ]; then mv -f "${i}.2${gzext}" "${i}.3${gzext}"; fi
            if [ -f "${i}.1${gzext}" ]; then mv -f "${i}.1${gzext}" "${i}.2${gzext}"; fi
            if [ -f "${i}.0${gzext}" ]; then mv -f "${i}.0${gzext}" "${i}.1${gzext}"; fi
            if [ -f "${i}" ]; then
                touch "${i}.$$" && chmod 640 "${i}.$$" && chown root:admin "${i}.$$"
                mv -f "${i}" "${i}.0" && mv "${i}.$$" "${i}" && if [ -x /usr/bin/gzip ]; then
                    gzip -9 "${i}.0"; fi
            fi
        fi
    done
That last part is just plain weird. They get done rotating all the gzipped archives, and then they need to test to see if there is a new log file, and if not, create one, then archive it. Archive an empty log??? What for? Don't you want to see if there's a current log, and that it has at least one line of data in it, before you start the whole process? Why bother rotating logs if there's no new information? And then, after they archive it, they don't create a new log? All of the other log rotation scripts archive the current log then create a new one. Why should this one be different? This just looks like a mistake.
Also, I'm not the most experienced shell scripter, but isn't this just plain crude and ugly? Instead of using a loop to do a repetitive task, with a variable you can change to set a limit on the number of iterations, they've hard-coded each step. And this is in the script that we're not supposed to change, and it can't be overridden. Nice.
So if we want to change how frequently our log files get trashed, we need to write a daily.local script that takes the truncated, archived files and decompresses them, concatenates them, and puts them somewhere out of harm's way? Is that how we're supposed to proceed? Follow them around and undo what they do then try to do it right? Heaping more ugliness upon ugliness?
And keep in mind that the timing mechanism that controls it all is broken, and if you want to do your monthly reports at the end of the month, or your weekly reports at the end of the week, you either have to wait around until this byzantine Rube Goldberg machine spits out the logs you need or go to the terminal and call periodic to run whatever process you want it to run manually after all.
I am starting to wish I'd never looked at this.
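
The approach the post arrives at (re-concatenate the rotated files and split them by date) does not depend on when rotation fires. The following is an added example, not part of the original post: it reads secure.log and its numbered archives oldest first and reports the logins inside a date window. The login-line pattern, the host and user names and the year 2007 are assumptions, and the sample log lines are constructed.

```python
import gzip
import os
import re
import tempfile
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Assumed shape of a login record; change it to match your own secure.log.
LOGIN_RE = re.compile(
    r"^(?P<stamp>(?P<mon>" + "|".join(MONTHS) + r") +\d+ \d\d:\d\d:\d\d) "
    r"\S+ .*authenticated user (?P<user>\S+)")

def log_files(base):
    """Return the base.N[.gz] archives oldest first, then the live log."""
    folder, name = os.path.split(base)
    archive = re.compile(re.escape(name) + r"\.(\d+)(\.gz)?$")
    found = []
    for entry in os.listdir(folder or "."):
        match = archive.match(entry)
        if match:
            found.append((int(match.group(1)), os.path.join(folder, entry)))
    # .0 is the newest archive, so the highest number holds the oldest lines.
    paths = [path for _, path in sorted(found, reverse=True)]
    return paths + [base] if os.path.exists(base) else paths

def read_lines(path):
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as handle:
        yield from handle

def logins(base, first_year):
    """Yield (datetime, user) per login line. syslog stamps carry no year:
    the caller gives the oldest entry's year; it is bumped on Dec to Jan."""
    year, last_month = first_year, None
    for path in log_files(base):
        for line in read_lines(path):
            match = LOGIN_RE.match(line)
            if not match:
                continue
            month = MONTHS.index(match["mon"]) + 1
            if last_month is not None and month < last_month:
                year += 1
            last_month = month
            stamp = f"{year} {match['stamp']}"
            yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), match["user"]

def login_report(base, first_year, start, end):
    """Logins with start <= time < end, whichever file they ended up in."""
    return [(when.isoformat(sep=" "), user)
            for when, user in logins(base, first_year) if start <= when < end]

def write_sample(folder):
    """Write constructed sample files (made-up host, users, message text)."""
    def rec(stamp, user):
        what = f"authenticated user {user} (uid 501)." if user else "idle."
        return f"{stamp} host1 com.apple.SecurityServer: {what}\n"
    sample = {
        "secure.log.1.gz": [rec("Jun 30 20:15:36", "alice"),
                            rec("Jul  7 08:20:33", "bob")],
        "secure.log.0.gz": [rec("Jul  7 11:33:01", "alice"),
                            rec("Jul 21 23:16:07", None)],
        "secure.log": [rec("Jul 22 15:35:03", "bob")],
    }
    for name, lines in sample.items():
        opener = gzip.open if name.endswith(".gz") else open
        with opener(os.path.join(folder, name), "wt", encoding="utf-8") as out:
            out.writelines(lines)
    return os.path.join(folder, "secure.log")

def demo():
    """Logins for the week of 1-7 July; the year 2007 is an assumption."""
    with tempfile.TemporaryDirectory() as folder:
        base = write_sample(folder)
        return login_report(base, 2007, datetime(2007, 7, 1), datetime(2007, 7, 8))

if __name__ == "__main__":
    for when, user in demo():
        print(when, user)
```

In the sample, the week's two logins sit in different archives (secure.log.1.gz and secure.log.0.gz), which is the case the date window handles. Run it more often than the oldest archive is deleted so no record is lost.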

Similar Messages

  • What happens when you get Error 1905??

    ERROR 1905 MODULE C:/PROGRAM FILES/ITUNES/ITUNESMINIPLAYER.DLL
    FAILURE TO UNREGISTER
    HRESULT-2147200472
    CONTACT YOUR SUPPORT PERSONNEL
    Okay...so what do I do? After this it goes to "stopping services", but says it is unable to do that. Then when I open iTunes it says that the part of the program where the computer connects to the iPod was not installed correctly. This is soooo frustrating. My brother's had an iPod shuffle for about 2 years so iTunes was already installed. I was just trying to update it so my iPod video could be read.
    iPod with Video   Windows XP  


  • What happens when you  get a "PermGen space null" error?

    We have recently installed CF 10 64 bit on three new Windows 2008 R2 servers.
    One of them keeps generating an error "PermGen Space null" when processing CF script files.
    There is nothing special about the scripts resulting in the error.
    We have tried to increase MaxPermSize from 192m to 768m but that had no effect.
    The other two servers seem to be doing fine.
    Any ideas what to do?

    Sorry no but here is some info anyway,
    We increased MaxPermSize from 192 to 512
    We also increased min and max JVM Heap size to 768 and 2048 respectively.
    Since then I think we have not experienced this problem more than once.
    We also have one server with the default parameters and it seems to work fine.
    I believe that size, and number of simultaneous request/responses have an impact  on this.
    We will now install the latest updates and after that decide whether to start logging jvm activities or not.
    Best regards
    Lennart
    From: Neo Rye [email protected]
    Sent: 28 November 2012 06:44
    To: Lennart Risfelt
    Subject: what happens when you  get a "PermGen space null" error?

  • I am due to upgrade my iPhone 3 to iPhone 5. I have iCloud which co-ordinates my phone and Mac. What happens when I get a new phone - I don't want to lose all my contacts, notes, addresses etc. Do I have to disconnect iCloud and how? What happens?

    I am due to upgrade my iPhone 3 to iPhone 5.  I have iCloud which is co-ordinating my iPhone 3 and Mac Pro updating each other.  What happens when I get a new phone - I don't want to lose all my addresses, notes etc.  What is the procedure and step by step action?  The new phone arrives - then what?

    When I upgraded from the iPhone 3GS to iPhone 5, I simply did a Backup of my phone using iTunes, plugged in the new iPhone 5 into my Mac, and did a Restore of that backup to put everything back. This procedure is documented around the web. Also, the new phone will ask you for your Apple ID and when you enter it, all your iCloud info will be downloaded to the phone. It worked pretty well for me.

  • TS3694 What happens when I get the error code 3194? Is my ipod "dead"?

    What happens when I get the error code 3194? Is my ipod "dead"?

    Make sure you are using current iTunes on your computer. Click the iTunes Tab at the top of this page. Or try to Restore your iPhone with a different computer.

  • What determines when the My Timesheet item will display in the Resource Availability Page?

    Can someone point me to where I can get more information on the My Timesheet item that displays in the Details section of the Resource Availability page?  I cannot figure out where this information is coming from or what determines how many My Timesheet
    lines you see.
    In one Project Server environment, I noticed that each user had 3-4 My Timesheet line items in the Resource Availability page.  The period I was looking at spanned 8 weeks and all of those weeks were in the future.  I checked the Manage Timesheets
    page for one of the users that had 4 My Timesheet items in the Resource Availability page.  The user did not have any timesheets created for the 8-week period I was reporting on in the Resource Availability page.  To make matters more confusing,
    some resources only had 3 My Timesheet line items in the Resource Availability page for the same period.  So it seems like something other than active timesheets for the period is dictating how many My Timesheet lines display.  Also curious was the
    fact that ALL of the My Timesheet items for all users in the Resource Availability page (7 or 8 people) showed "0h" for all of the periods displayed.
    I decided to look into this further in a separate Project Server environment, because I didn't have access to the first one at the time.  Both environments were configured to not use single entry mode and used resource plans to calculate allocation.
     In this second environment, I entered hours against an administrative task classified as non-working time for one week and submitted / approved this sheet.  I entered hours against a project task for a second week and submitted / approved this sheet.
     I then used the Resource Availability page and "reported" on a period including those periods (20-week period total).  I didn't see a single My Timesheet item.  Not even any showing the "0h" designation I had seen in the first environment.
    So long story short, I cannot figure out the criteria that dictates when a My Timesheet item displays.  And I also can't figure out the purpose.  If the Resource Availability page is designed to show planned work (either through the planned allocations
    stored in resource plans or planned assignments through project schedules), what is the point of the My Timesheet values?  Wouldn't planned work be captured in the project line items?  If it's for administrative, non-working time only, why would
    the My Timesheet items not show up in the second environment scenario?  Any help / insight would be appreciated.

    Hi,
    After investing a lot of time I found one link which is talking about My Timesheet in the Resource Availability page.
    I believe the link provides a proper explanation, though I would like to test it on my system.
    http://social.technet.microsoft.com/Forums/en-US/projectserver2010general/thread/83e46a4d-3c05-4dda-8566-669b12b673f4
    kirtesh

  • What happens when i get new ram

    What does RAM actually do?
    I know all about the sizes and stuff like that but what does it do?
    When I get new RAM will I lose anything on my notebook?

    Steven,
    System RAM will allow you to run more programs at once without slowing down. It will allow some more complex programs to run more smoothly. The more RAM you have, the less the computer will hit the hard drive.
    You will not lose anything on your computer by changing RAM. RAM automatically loses all its contents every time you start up anyways. Your MacBook stores data on the hard drive; it only stores data in RAM temporarily while you are using your computer.

  • What determines when a battery is bad?

    I also am having a similar situation where the battery shuts down early, or drops from 50% to 0% in minutes. I believe the problem is with the battery. Other symptoms include extremely slow opening of programs or the forever spinning "multicolored wheel". I performed a PMU reset and it didn't help. Previous posts always have you checking them but don't explain what they mean or how low they can go before you should replace the battery. My iBook G4 is almost 2 years old and the system profiler gives me these numbers. Also - I see problems can arise from not getting a good replacement battery. Does anyone have any recommendations on where to purchase a good one?
    Full charge Cap mAh 751
    Remaining Cap mAh 751
    cycle count 343
    voltage (mV) 16664

    There may be more than one thing behind this issue;
    but the battery numbers you've posted would indicate
    the battery is not up to par in capacity or remaining
    life. The power number should be in thousands mAh;
    and the cycle count is getting high.
    Does your Battery specs from System Profiler area
    say anything about battery status other than those?
    I have a free widget in Dashboard called iStat Pro
    and that says a few more things about battery and
    other system specs.
    The System Preference's Energy panel should have
    some information and settings to help ration power;
    but your posted battery numbers indicate a problem.
    Does the power adapter show as charging the cell?
    This would appear in the system panel, not just in
    the lights on the battery or in the gauge. And, have
    you performed the maintenance including calibration?
    A machine seeing a good amount of battery use
    could reasonably need a replacement battery after
    two years; but the cycle count could be higher
    before an actual failure; I've seen over 450 cycles.
    Places such as OWC and NewerTech batteries
    may be worth a look; some of the better options
    offer an external battery charger with conditioner
    cycle for their cells, and a longer life cycle. I like
    the Apple original replacement, it does OK.
    Another issue in the computer may be due to lack
    of free space in the hard disk drive; that would be
    something to do with the spinning wheel and slow
    activity when running applications & in the System.
    The hard disk drive needs unused free space for
    Virtual Memory; this supplements chip RAM in
    most everything in Mac OS X, the system & apps.
    And if the hard disk drive is getting worn out, that
    too would show in performance and failure issues.
    One of the posts about percentages of battery loss
    in short duration intervals, where I replied, has links
    to the various procedures and prescribed methods
    of battery maintenance. There are other sections in
    Support where system maintenance & repair appear.
    If these areas are also acting poorly, you may need
    to see if all the basics are covered, including the oft
    repeated concept of 'repair disk permissions' et al.
    Good luck & happy computing!

  • Duration of PageFlow - What determines when a user is done?

    Hi All,
    I am having a problem where data that I store in the pageFlow scope is being destroyed before the user is done using the flow.
    There is a reference to the lifetime of the flow here:
    http://e-docs.bea.com/workshop/docs81/doc/en/workshop/guide/netui/guide/conDatabindingXScript.html?skipReload=true
    It says:
    “data is maintained separately for each user for the duration of the page flow.”
    My question: What defines the duration of the page flow?
    Thanks in advance for any help or pointers to documentation,
    Chris

    Answering my own question:
    From http://dev2dev.bea.com/products/wlworkshop81/articles/wlw_internals.jsp
    The lifetime of a JPF depends on the actions taken
    in the page flow. In general, a page flow is
    instantiated when it is first requested (either the JPF
    or one of its JSPs/actions) and is released when the user exits the page flow. The user exits the page flow
    if there is a request for another page flow (or a
    JSP/action in another page flow). The current page flow is also released when the HTTP session expires.
    Message was edited by cope360 at Jan 13, 2005 4:07 PM

  • What happens when iPhone gets restored?

    My iPhone will only go on the Apple logo when plugged into the charger. I googled what I need to do and it's saying I need to restore my phone, but I don't want to lose all my pictures. Is there any way I can save my pictures?

    Hey paola7,
    There are a few things you can do to try and resolve the issue from the first article. If the iPhone is listed in iTunes you can backup by following the 3rd article.
    iPhone: Hardware troubleshooting
    http://support.apple.com/kb/ts2802
    Will not turn on, will not turn on unless connected to power, or unexpected power off
    Verify that the Sleep/Wake button functions. If it does not function, inspect it for signs of damage. If the button is damaged or is not functioning when pressed, seek service.
    Check if a Liquid Contact Indicator (LCI) is activated or there are signs of corrosion. Learn about LCIs and corrosion.
    Connect the iPhone to the iPhone's USB power adapter and let it charge for at least ten minutes.
    After at least 30 minutes, if:
    The home screen appears: The iPhone should be working. Update to the latest version of iOS if necessary. Continue charging it until it is completely charged and you see this battery icon in the upper-right corner of the screen . Then unplug the phone from power. If it immediately turns off, seek service.
    The low-battery image appears, even after the phone has charged for at least 20 minutes: See "iPhone displays the low-battery image and is unresponsive" symptom in this article.
    Something other than the Home screen or Low Battery image appears, continue with this article for further troubleshooting steps.
    If the iPhone did not turn on, reset it while connected to the iPhone USB power adapter.
    If the display turns on, go to step 4.
    If the display remains black, go to next step.
    Connect the iPhone to a computer and open iTunes. If iTunes recognizes the iPhone and indicates that it is in recovery mode, attempt to restore the iPhone. If the iPhone doesn't appear in iTunes or if you have difficulties in restoring the iPhone, see this article for further assistance.
    If restoring the iPhone resolved the issue, go to step 4. If restoring the iPhone did not solve the issue, seek service.
    Use iTunes to restore your iOS device to factory settings
    http://support.apple.com/kb/HT1414
    iOS: Back up and restore your iOS device with iCloud or iTunes
    http://support.apple.com/kb/HT1766
    Back up
    To back up the content on your iOS device, follow these steps:
    Make sure your computer has the latest version of iTunes.
    Connect your iOS device to your computer.
    Choose File > Devices > Back up.
    Thanks for using Apple Support Communities.
    Have a nice day,
    Mario

  • What happens when i get a suspected malware site warning

    Got a message when looking through images of things on Google: when I looked up a picture, a suspected malware site warning popped up.  Should I be concerned or do anything about it?  I don't know if there's a disk clean up or not for Macs.

    https://discussions.apple.com/message/12630513#12630513

  • What happens when I get a new computer?

    Got a new computer.  Apple software shows up as still being loaded on computer but I cannot sync the iPod to the computer.  Tried deleting the software and starting over but I can't remember how I originally set it up since it's been over two years now.  Was hoping I would just plug the iPod into the computer and it would show up with step by step to do...but nothing.  Help?  Anyone know how to start over?  Everything is still on my iPod.  Just need to get it synced to computer.

    Syncing to a "New" Computer or replacing a "crashed" Hard Drive: Apple Support Communities

  • Non-proctored test - what happens if internet gets disconnected?

    Hi,
    I am thinking of giving Oracle SQL Certification (1Z0-051) online as the test center is too far from my residence. Moreover, the internet on a given day gets disconnected for 2-5 seconds and then comes back again (sometimes requires a modem restart).
    Just wondering, what happens when the internet gets disconnected while giving the test? Can I resume my test or has $125 gone down the drain?
    Thanks for your help.
    VJ.

    From the Certification Help Center (Global FAQs)
    If I am taking a non-proctored exam what happens if I lose connection?
    If you lose connectivity during your non-proctored exam, go back to www.pearsonvue.com/oracle and click on "Schedule a Test." You will be asked to sign in again, and then be redirected back to your exam where you left off.
    Regards,
    Brandye Barrington
    Certification Forum Moderator

  • What happens when a new cc version is available

    I am currently building a case as to why my employer should move to Adobe CC, however they have a few questions:
    1. When a new version of CC is available is it automatically downloaded and installed, or is there a choice to not upgrade?
    2. What happens when features get dropped in the new CC upgrades? For example TLF text in Flash is not supported in CC, so those working files would no longer be compatible.
    Thanks in advance for your reply

    1. There is a notification for update, and you have a choice to update or not to update.
    2. Usually new major versions are installed as separate apps, so you can get the new version and keep the old one for working with files that may not be compatible with the new version. Or if you need only the new version, you can uninstall the old one. For example when 2014 version Photoshop CC was released and if you chose to update, the update process left the old version installed.

  • Get message "You have requested an encrypted page that contains some unencrypted info that can be read by 3rd party, etc." when logging into AOL. What is this?

    Message occurs when logging into AOL. Lock at bottom of page has a red line through it. I'll close out and attempt to sign-in again. Sometimes it is cleared and sometimes I get the message again.

    I would not trust that on a banking site. If it were just a forum, no problem, but anything unencrypted during banking is suspicious.
