Rotation of mail.log

tkforbes · October 30, 2018, 5:30pm

Hi,

It seems that mail.log in /var/log/ is not managed by logrotate. I don’t know how it is managed. More confusing is this:

# list in reverse time order...
root@mail:/var/log# ls -rtlh mail.log*
-rw-r----- 1 syslog adm 1.5M Oct 13 11:04 mail.log.4.gz
-rw-r----- 1 syslog adm 519K Oct 21 06:52 mail.log.2.gz
-rw-r----- 1 syslog adm 1.2M Oct 21 06:54 mail.log.3.gz
-rw-r----- 1 syslog adm  16M Oct 30 13:22 mail.log.1
-rw-r----- 1 syslog adm 587K Oct 30 13:22 mail.log

# examine the timestamps at the head and tail of log files...
root@mail:/var/log# tail -1 mail.log.1
Oct 30 13:22:03 imap(tow@rvss.ca): Info: Disconnected: Logged out in=71 out=827
root@mail:/var/log# head -1 mail.log
Oct 29 06:31:54 mail postfix/anvil[20182]: statistics: max connection rate 1/60s for (smtp:185.36.81.21) at Oct 29 06:28:34
root@mail:/var/log# tail -1 mail.log
Oct 30 13:22:50 mail postfix/smtpd[13671]: disconnect from unknown[185.36.81.21]

I have no issue with the content, only the timestamps. The above shows that mail.log is currently being written to (as I expect), but why is the first line of mail.log older than the last line of mail.log.1 ?

paradoxbound · October 31, 2018, 8:26am

The logging for Postfix is managed by Rsyslogd. Logrotate manages the Rsyslog created files using this file “/etc/logrotate.d/rsyslog”. If you take peek you can see the entries for mail.log and others.

I am not sure of the exact reason for the out of order items but I would suggest the following could be a cause. Firstly if you are not aware Postfix is not a monolithic process and daemon but a cluster of processes and daemons that perform the tasks required of an SMTP service asynchronously.

These out of order items could be messages buffered by rsyslogd during the logrotate process. The logrotate process triggers a rsyslogd “reload” event which is much safer than using “copytruncate” and is recommended by the Rsyslogd team.

tkforbes · October 31, 2018, 8:48pm

Thanks for the explanation. I now know that this is a general issue and not specific to miab. And I have to remember to consider adjacent log archives when diagnosing problems.