OpenBSD manual page server

Manual Page Search Parameters
NEWSYSLOG(8) System Manager's Manual NEWSYSLOG(8)

newsyslog, newsyslog.confrotate log files

newsyslog [-Fmnrv] [-a directory] [-f config_file] [log ...]

The newsyslog utility rotates log files when they exceed a configurable size or age. The log file is renamed to log.0 and an empty file is created in its place. An archive of older logs may be kept: in order of increasing age, these files are named log.1, log.2, and so on. When their number exceeds a given limit, the oldest is removed. The archived logs may also be compressed.

The options are as follows:

directory
Specify a directory into which archived log files will be written. If directory is a relative path, it is appended to the parent directory of each log and the archived log is stored in the result. If an absolute path is given, all archived logs are stored in the given directory. If directory does not exist for a specified log, it is ignored for that entry and the log is rotated as if the -a option was not specified.
Force newsyslog to trim logs regardless of the size and/or age requirements specified in /etc/newsyslog.conf. This option may be combined with the -n or -v flags to aid in debugging problems with /etc/newsyslog.conf.
config_file
Use config_file instead of /etc/newsyslog.conf for the configuration file.
Monitoring mode; only entries marked with an ‘M’ in flags are processed. For each log file being monitored, any log output since the last time newsyslog was run with the -m flag is mailed to the user listed in the monitor notification section.
Do not trim the logs, but instead print out what would be done if this option were not specified.
Removes the restriction that newsyslog must be running as root. Note that in this mode newsyslog will not be able to send a SIGHUP signal to syslogd(8).
Place newsyslog in verbose mode. In this mode it will print out each log and its reasons for either trimming that log or skipping it.

In the default system configuration, newsyslog is run by cron(8), but it may also be run manually. If one or more log files are specified on the command line, only the specified files are rotated. Note that each log specified must have an entry in /etc/newsyslog.conf.

A log can be archived because of two reasons: The log file can have grown bigger than a preset size in kilobytes, or a preset number of hours may have elapsed since the last log archive. The granularity of newsyslog is dependent on how often it is scheduled to run in cron(8). Since the program is quite fast, it may be scheduled to run every hour without any ill effects.

When starting up, newsyslog reads in a configuration file to determine which logs should be looked at. By default, this configuration file is /etc/newsyslog.conf. Each line of the file contains information about a particular log file that should be handled by newsyslog. Each line has five mandatory fields and up to three optional fields, with whitespace separating each field. Blank lines or lines beginning with a hash mark (‘#’) are ignored. The fields of the configuration file are as follows:

logfile_name
The full pathname of the system log file to be archived.
owner:group
This optional field specifies the owner and group for the archive file. The ‘:’ is essential, even if the owner or group field is left blank. The fields may be numeric, or a name which is looked up in the system password and group databases. For backwards compatibility, a ‘.’ may be used instead of a ‘:’. If either owner or group is not specified, the owner and/or group of the existing log file is used.
mode
File mode (in octal) to use for created log files and archives.
count
The number of archives to be kept besides the log file itself.
size
When the size of the log file (in kilobytes) reaches this point, the log file is trimmed as described above. If this field is replaced by an ‘*’, or set to ‘0’, then the size of the log file is not taken into account when determining when to trim the log file. By default, files smaller than 256 bytes are not rotated unless the ‘B’ (binary) flag is set or the -F option is specified. This prevents newsyslog from rotating files consisting solely of a message indicating that the log file has been turned over.
when
The when field can consist of an interval, a specific time, or both. If the when field consists of an asterisk (‘*’), log rotation will depend only on the contents of the size field. Otherwise, the when field consists of an optional interval in hours, possibly followed by an ‘@’-sign and a time in a restricted ISO 8601 format or by a ‘$’-sign and a time specification for logfile rotation at a fixed time once per day, per week or per month.

If a time is specified, the log file will only be trimmed if newsyslog is run within one hour of the specified time. If an interval is specified, the log file will be trimmed if that many hours have passed since the last rotation. When both a time and an interval are specified, both conditions must be satisfied for the rotation to take place.

There is no provision for the specification of a time zone. There is little point in specifying an explicit minutes or seconds component in the current implementation, since the only comparison is ‘within the hour’.

The lead-in character for a restricted ISO 8601 time is an ‘@’-sign. The particular format of the time in restricted ISO 8601 is: [[[[[cc]yy]mm]dd][T[HH[MM[SS]]]]]. Optional date fields default to the appropriate component of the current date; optional time fields default to midnight. For example, if today is January 22, 1999, the following date specifications are all equivalent:

  • 19990122T000000
  • 990122T000000
  • 0122T000000
  • 22T000000
  • T000000
  • T0000
  • T00
  • 22T
  • T

The lead-in character for day, week and month specification is a dollar sign ($). The particular format of day, week and month specification is: [DHH], [Ww[DHH]], and [Mdd[DHH]], respectively. Optional time fields default to midnight. The ranges for day and hour specifications are:

HH
hours, range 0 ... 23
w
day of week, range 0 ... 6, 0 = Sunday
dd
day of month, range 1 ... 31, or the letter or to specify the last day of the month.

rotate every night at midnight (same as @T00)
rotate every day at 23:00 hr (same as @T23)
rotate every week on Sunday at 23:00 hr
rotate every week on Friday at 16:00 hr
rotate on the first day of every month at midnight (i.e., the start of the day; same as @01T00)
rotate on every 5th day of the month at 6:00 hr (same as @05T06)
flags
The optional flags field specifies if the archives should have any special processing done to the archived log files. The ‘Z’ flag will make the archive files compressed to save space using gzip(1) or compress(1), depending on compilation options. The ‘B’ flag means that the file is a binary file, and so the ASCII message which newsyslog inserts to indicate the fact that the logs have been turned over should not be included. The ‘M’ flag marks this entry as a monitored log file. The ‘F’ flag specifies that symbolic links should be followed.
monitor
Specify the username (or email address) that should receive notification messages if this is a monitored log file. Notification messages are sent as email; the operator deserves what they get if they mark the mail log file as monitored. This field is only valid when the ‘M’ flag is set.
pid_file
This optional field specifies a file containing the PID of a process to send a signal (usually SIGHUP) to instead of /var/run/syslog.pid.
signal
Specify the signal to send to the process instead of SIGHUP. Signal names must start with “SIG” and be the signal name, not the number, e.g., SIGUSR1.
command
This optional field specifies a command to run instead of sending a signal to the process. The command must be enclosed in double quotes (‘"’). The empty string, ‘""’, can be used to prevent newsyslog from sending a signal or running a command. You cannot specify both a command and a PID file. If you specify a command to be run, newsyslog will not send a SIGHUP to syslogd(8).

/etc/newsyslog.conf
default configuration file

The newsyslog utility exits 0 on success, and >0 if an error occurs.

compress(1), gzip(1), syslog(3), syslogd(8)

Theodore Ts'o, MIT Project Athena
Copyright 1987, Massachusetts Institute of Technology

July 20, 2017 OpenBSD-6.8