Make logrotate check a file several times per day and warn in case of too many rotations

Logrotate is a splendid tool in *nix to handle logfiles etc. At times there is a need to have it check a file more than on a daily basis; eg if you are troubleshooting an application that seems to create massive log files etc. This instruction is based on the Microsoft SCCM client for linux, but it can of course be modified to suit other files.
This script relies on the availability of sendmail to email a warning when the set threshold has been reached. It can of course be modified to suit other ways to send warnings.

First create a separate configuration file for the /var/opt/microsoft/scxcm.log file under /etc/logrotate.d/sccm, or edit the /etc/logrotate.conf directly. I will base this guide on option nr1.

Paste the following into /etc/logrotate.d/sccm:

 compress

/var/opt/microsoft/scxcm.log {  
 rotate 7  
 size=100k  
 daily  
 start 0  
 postrotate  
 echo `/bin/date +%F` >> /var/log/logrot_sccm.txt  
 endscript  
 }  

Explanation of the config file:
/var/opt/microsoft/scxcm.log – Specifies which file logrotate should be checking. Several files can be applied in a row.
rotate 7 – How many times the file(s) can be rotated before it overwrite the previous version.
size=100k – If the file exceeds this size, it will be rotated.
daily – how often the file should be checked (this is logrotate’s option, we are later specifying that it should run more often than that).
start 0 – Gives the rotated files an index to easier spot the version of the file. Eg logfile.0.gz, log file.1.gz (note that it is a zero).
postrotate – This line tells logrotate that the coming line(s) are scripts that are to be executed if a rotation is made.
echo /bin/date +%F >> /var/log/logrot_sccm.txt – Echos todays date to the file /var/log/logrot_sccm.txt
endscript – Tells logrotate that the script is done.

Paste the following into /root/scripts/check_rotations.sh (or any other name/place of your liking):

 #!/bin/bash

#Script that checks how many times logrotate have rotated a file.  
 #Note: Is dependant of a log file created by logrotate!

#Variables  
 LOGROTATEFILE=/var/log/logrot_sccm.txt  
 MSLOGFILE=/var/opt/microsoft/scxcm.log  
 ROTATIONS=0  
 MAILTO=ENTER EMAIL ADDRESS HERE  
 SENDMAILFILE=/var/log/info.mail

#The script n stuff  
 #Check if the $SENDMAIL file exists, if not create it  
 if [ ! -f $SENDMAILFILE ]  
 then  
 /bin/echo "Subject: WARNING: logrotate have done more than 5 rotations of file $MSLOGFILE on `hostname`!" >> $SENDMAILFILE  
 /bin/echo "Please check the number of rotated files and their size on host `hostname`" >> $SENDMAILFILE  
 /bin/echo -e "n The file(s) are located at $MSLOGFILE" >> $SENDMAILFILE  
 /bin/echo " " >> $SENDMAILFILE  
 fi

/bin/cat $LOGROTATEFILE | while read line;  
 do  
 if [ $line = `/bin/date +%F` ]  
 then  
 ROTATIONS=$((ROTATIONS+1))  
 if [ $ROTATIONS -gt 4 ]  
 then  
 /usr/sbin/sendmail -v $MAILTO < $SENDMAILFILE >> /dev/null  
 exit 0  
 fi;  
 fi  
 done

And add the following to your crontab:

 0,30 * * * * /usr/sbin/logrotate /etc/logrotate.d/sccm  
 0,35 * * * * /root/scripts/check_rotations.sh  

Explanation of the entries:
0,30 * * * * /usr/sbin/logrotate /etc/logrotate.d/sccm – Tells logrotate to run every 30 minutes and use the specified configuration file.
0,35 * * * * /root/scripts/check_rotations.sh – Runs the check_rotations.sh script every 35 minutes to check the log file created by logrotate.

The script checks to see the file /var/log/info.mail exists, if not it creates it and fills it with the message to be sent in case a file has been rotated too many times.
The script do a line by line check of the log file that logrotate crates (see above), and compares the date with today’s date. If the dates are the same, a variable (ROTATIONS) is increased. And when it reaches 5 it sends a warning by email.

//Drakfot

Mastodon