Rotating Logs
Rotating logs regularly can make them easier to find. The script below takes advantage of a Unix system utility called Logrotate. Logrotate automatically compresses and rotates log files.
Linux
The following instructions are for Linux.
Create the Log Rotation Script
- Make a new file, touch /etc/logrotate.d/metasploit.
- Open the file and add the following code.
    #
    # This list should be kept current with /opt/metasploit/apps/pro/ui/script/diagnostic_logs.rb
    #
    # Don't use regex, I know it's tempting. Support is very limited in
    # logrotate and inconsistent across platforms.
    #
    /opt/metasploit/apps/pro/ui/log/reports.log /opt/metasploit/apps/pro/ui/log/exports.log
    /opt/metasploit/apps/pro/ui/log/delayed_job.log /opt/metasploit/apps/pro/ui/log/production.log /opt/metasploit/apps/pro/ui/log/thin.log /opt/metasploit/apps/pro/engine/log/production.log /opt/metasploit/apps/pro/engine/prosvc_stderr.log
    /opt/metasploit/apps/pro/engine/prosvc_stdout.log /opt/metasploit/apps/pro/engine/config/logs/framework.log /opt/metasploit/apps/pro/engine/config/logs/db.log {
        # No complaints if the log file is missing
        missingok
        # Don't rotate empty files
        notifempty
        # Rotate when >= this size
        size 1M
        # Or at this frequency:
        # daily
        # Perms of rotated (old) file
        create 0600 root root
        # Only keep this many most recent rotated files
        rotate 4
        # Delete rotated files older than this many days
        maxage 1000
        # Copy the original log file and set size to 0 during rotation
        # to avoid changing the file the service is writing to:
        copytruncate
        # gzip rotated file
        compress
        # Include date in rotated file name.
        # If enabled this can only run once a day before overwrite!
        # dateext
        # Adjust format with dateformat. The default is -%Y%m%d
    }
- Save the file.
As long as Logrotate is running (the default is daily on most Unix systems), this should:
- Rotate all specified logs that are present, not empty, and >= 1 MB in size.
- Set rotated files to be owned by root and protected from other users.
- Compress rotated files.
- Keep four rotated files and delete files once they are 1000 days old.
- Set the original file's size to zero after rotation so that services can continue writing to the same file without interruption.
Test the Log Rotation
Use the following command to do a dry run of the log rotation. The -d flag is for debugging. The actions are printed to the terminal.

    logrotate -df /etc/logrotate.d/metasploit
The terminal output has been truncated using ...
    reading config file /etc/logrotate.d/metasploit
    Reading state from file: /var/lib/logrotate/status
    Allocating hash table for state file, size 64 entries
    Creating new state
    Creating new state
    Creating new state
    ...

    Handling 1 logs

    rotating pattern: /opt/metasploit/apps/pro/ui/log/reports.log /opt/metasploit/apps/pro/ui/log/exports.log
    /opt/metasploit/apps/pro/ui/log/delayed_job.log /opt/metasploit/apps/pro/ui/log/production.log /opt/metasploit/apps/pro/ui/log/thin.log /opt/metasploit/apps/pro/engine/log/production.log /opt/metasploit/apps/pro/engine/prosvc_stderr.log
    /opt/metasploit/apps/pro/engine/prosvc_stdout.log /opt/metasploit/apps/pro/engine/config/logs/framework.log /opt/metasploit/apps/pro/engine/config/logs/db.log forced from command line (4 rotations)
    empty log files are not rotated, old logs are removed
    considering log /opt/metasploit/apps/pro/ui/log/reports.log
    Creating new state
    Now: 2019-11-22 07:09
    Last rotated at 2019-11-22 07:00
    log does not need rotating (log is empty)
    considering log /opt/metasploit/apps/pro/ui/log/exports.log
    Creating new state
    Now: 2019-11-22 07:09
    Last rotated at 2019-11-22 07:00
    log does not need rotating (log is empty)
    considering log /opt/metasploit/apps/pro/ui/log/delayed_job.log
    ...
    rotating log /opt/metasploit/apps/pro/ui/log/delayed_job.log, log->rotateCount is 4
    dateext suffix '-20191122'
    glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.4.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.5.gz (rotatecount 4, logstart 1, i 4),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.3.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.4.gz (rotatecount 4, logstart 1, i 3),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.2.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.3.gz (rotatecount 4, logstart 1, i 2),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.1.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.2.gz (rotatecount 4, logstart 1, i 1),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.0.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.1.gz (rotatecount 4, logstart 1, i 0),
    log /opt/metasploit/apps/pro/ui/log/delayed_job.log.5.gz doesn't exist -- won't try to dispose of it
    copying /opt/metasploit/apps/pro/ui/log/delayed_job.log to /opt/metasploit/apps/pro/ui/log/delayed_job.log.1
    truncating /opt/metasploit/apps/pro/ui/log/delayed_job.log
    compressing log with: /bin/gzip
    rotating log /opt/metasploit/apps/pro/ui/log/production.log, log->rotateCount is 4
    dateext suffix '-20191122'
    glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
    renaming /opt/metasploit/apps/pro/ui/log/production.log.4.gz to /opt/metasploit/apps/pro/ui/log/production.log.5.gz (rotatecount 4, logstart 1, i 4),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.3.gz to /opt/metasploit/apps/pro/ui/log/production.log.4.gz (rotatecount 4, logstart 1, i 3),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.2.gz to /opt/metasploit/apps/pro/ui/log/production.log.3.gz (rotatecount 4, logstart 1, i 2),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.1.gz to /opt/metasploit/apps/pro/ui/log/production.log.2.gz (rotatecount 4, logstart 1, i 1),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.0.gz to /opt/metasploit/apps/pro/ui/log/production.log.1.gz (rotatecount 4, logstart 1, i 0),
    log /opt/metasploit/apps/pro/ui/log/production.log.5.gz doesn't exist -- won't try to dispose of it
    copying /opt/metasploit/apps/pro/ui/log/production.log to /opt/metasploit/apps/pro/ui/log/production.log.1
    truncating /opt/metasploit/apps/pro/ui/log/production.log
    compressing log with: /bin/gzip
While the output says Handling 1 logs, it is rotating all the specified logfiles.
Run the Log Rotation Manually
To run the log rotation manually, just remove the -d flag:

    logrotate -f /etc/logrotate.d/metasploit

The -f flag is to indicate the file to run.
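
An added check, not part of the original page or of Metasploit: after a real rotation, this function verifies the outcomes listed earlier for one log directory (rotated copies closed to group and other, gzip-compressed, at most four kept). It is worth running because logrotate's man page states that create has no effect when copytruncate is used; the function name audit_rotated and the finding labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the result of the rotation policy for one directory.
# audit_rotated DIR [KEEP] prints one finding per line and returns non-zero
# if anything was found. For every NAME.log in DIR it checks that:
#   - rotated copies (NAME.log.N or NAME.log.N.gz) grant nothing to group/other
#   - rotated copies are compressed (file name ends in .gz)
#   - no more than KEEP rotated copies exist (default 4, matching "rotate 4")
audit_rotated() {
    dir=$1
    keep=${2:-4}
    findings=0
    for log in "$dir"/*.log; do
        [ -e "$log" ] || continue
        count=0
        for old in "$log".[0-9]*; do
            [ -f "$old" ] || continue
            count=$((count + 1))
            # Characters 5-10 of the ls mode string are the group and other bits.
            bits=$(ls -ld -- "$old" | cut -c5-10)
            if [ "$bits" != "------" ]; then
                echo "PERMS $old is accessible to group/other ($bits)"
                findings=$((findings + 1))
            fi
            case $old in
                *.gz) ;;
                *) echo "UNCOMPRESSED $old"
                   findings=$((findings + 1)) ;;
            esac
        done
        if [ "$count" -gt "$keep" ]; then
            echo "RETENTION $log has $count rotated copies (limit $keep)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# When invoked with arguments, audit that directory:
#   sh audit_rotated.sh /opt/metasploit/apps/pro/ui/log
if [ "$#" -gt 0 ]; then
    audit_rotated "$@"
fi
```

Run it as root against each log directory named in the configuration; no output and a zero exit status mean the rotated files match the policy.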