In the last post we talked about logging using journal in Arch Linux.

What I didn’t mention was that the Raspberry Pi also has another logging system called syslog.

If you use journal then you can disable syslog, but for this post I want to go through the files that are generated by syslog.

All the logs are stored in the directory /var/log/. If you list all the files in that directory, you’ll see lots. The filename prefix relates to a different part of the system i.e. kernel gives you the logs from the kernel, user gives you the logs for the users, etc.

The filename postfix is either

  • .log – the location of the current logs
  • .log.1 – a store of the previous log
  • .log.2 – a store of the previous, previous log

And so on.

So to find a recent message, look in the .log file. If the messages that you’re trying to find are much older and not in the .log file, then look in the .log.1, .log.2, etc files.

The process that decides when to move the logs to aprevious log file (.log.1, etc) is logrotate. This process is run daily (see /etc/cron.daily/logrotate if you’re interested).

The configuration file for log rotate is stored at /etc/logrotate.conf

Here is part of my /etc/logrotate.conf

# see "man logrotate" for details

# rotate log files weekly

# keep 4 weeks worth of backlogs
rotate 4

# restrict maximum size of log files
#size 20M

# create new (empty) log files after rotating old ones

# uncomment this if you want your log files compressed

As you can see from this file, the log file will be rotated weekly i.e. .log.1 will be copied to .log.2, .log will be copied to .log.1, etc. And it will rotate a log 4 times, therefore, keeping 4 weeks’ worth of logs.

I found that the log files were getting too big, since I was putting a lot of debug messages in the log. So I changed weekly to daily and rotate 4 to rotate 7. This meant that I would use a new log file every day and 7 days’ worth of logging would be kept. I’ll probably move back to the original settings when I’ve stopped debugging.

Also, since I rarely go back to previous log files, I want to compress them. This is achieved by uncommenting the #compress line (removing the #) in the config above. The previous logs will now be compressed and I’ll have to uncompress them if I want to read them.