zeldor.biz

Linux, programming and more


Remove logs older than X days

July 12, 2011 by Igor Drobot

The simplest way to remove files older than $NUMBER days:

Dry run (files will NOT be deleted; you will see a list of files older than 100 days):

find -mtime +100 | less

Another dry run, to see what would be deleted:

find -mtime +600 | xargs echo rm
rm /var/log/squid3/access.log.0
rm /var/log/squid3/access.log.2

Finally, if you have decided to remove the files, the command that deletes them:

find -mtime +600 | xargs rm


Configure logcheck

August 2, 2010 by Igor Drobot

Logcheck automatically spots problems and security violations in your log files and sends the results to you by e-mail.

Installation

apt-get install logcheck

E-mail recipients are configured in “/etc/aliases”.

The logcheck config is in “/etc/logcheck/logcheck.conf”; the relevant settings are:

INTRO=1
REPORTLEVEL="server"
SENDMAILTO="logcheck"
ADDTAG="yes"

Rules are taken from the following directories:

/etc/logcheck/*
cracking.d
cracking.ignore.d
ignore.d
ignore.d.paranoid
ignore.d.server
ignore.d.workstation
violations.d
violations.ignore.d

Define your ignore rules
When you use the server reporting level, put your local-rules file in “/etc/logcheck/ignore.d.server/local-rules”.

Sample content of “/etc/logcheck/ignore.d.server/local-rules”:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: success resolving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: connection refused resolving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: DISCONNECTED
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGOUT

To test your rules you can use:

egrep -f /etc/logcheck/ignore.d.server/local-rules /var/log/syslog

That shows only the messages that will be suppressed and NOT mailed to you.
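As an added example (not code from the original post), the script below runs the same grep check against a constructed syslog sample and also shows the complement: the lines that survive the ignore rules and would still be mailed, which is where you catch a rule that is too broad. It assumes GNU grep (for \w in -E mode); the rules, log lines and paths are all constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: test logcheck ignore rules
# against a constructed syslog sample and show both sides of the split,
# suppressed lines (never mailed) and lines logcheck would still report.
# Assumes GNU grep (\w in -E mode). Rules, log lines and paths are constructed.

# Two rules in the same format as the post's local-rules file (constructed).
write_rules() {
  cat > "$1" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGOUT
EOF
}

# Constructed syslog lines: two should be ignored, two should still be reported.
write_sample_log() {
  cat > "$1" <<'EOF'
Aug  2 10:15:01 mail ntpd[1234]: kernel time sync status change 2001
Aug  2 10:15:03 mail imapd: LOGOUT, user=bob, ip=[192.0.2.10]
Aug  2 10:15:05 mail sshd[2222]: Failed password for invalid user admin from 192.0.2.20 port 4711 ssh2
Aug  2 10:15:07 mail imapd: LOGIN, user=alice, ip=[192.0.2.11]
EOF
}

# Same check as the post: lines matched by the ignore rules (suppressed).
suppressed() { grep -E -f "$1" "$2"; }

# The complement the post does not show: lines that survive the rules.
# This is what logcheck would mail; review it for rules that are too broad.
reported() { grep -E -v -f "$1" "$2"; }

# Stand-alone demo on the constructed files.
demo() {
  dir=$(mktemp -d)
  write_rules "$dir/local-rules"
  write_sample_log "$dir/syslog"
  echo "== suppressed (not mailed) =="
  suppressed "$dir/local-rules" "$dir/syslog"
  echo "== still reported =="
  reported "$dir/local-rules" "$dir/syslog"
  rm -rf "$dir"
}
demo
```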

A manual logcheck run can also be started, so you do not have to wait for the next cron run:

su -s /bin/bash -c "/usr/sbin/logcheck" logcheck

