Rotating Logs

Rotating logs regularly can make them easier to find. The script below takes advantage of a Unix system utility called Logrotate. Logrotate automatically compresses and rotates log files.

Linux

The following instructions are for Linux.

Create the Log Rotation Script

  1. Make a new file: touch /etc/logrotate.d/metasploit
  2. Open the file and add the following code.

    #
    # This list should be kept current with /opt/metasploit/apps/pro/ui/script/diagnostic_logs.rb
    #
    # Don't use regex, I know it's tempting. Support is very limited in
    # logrotate and inconsistent across platforms.
    #
    /opt/metasploit/apps/pro/ui/log/reports.log /opt/metasploit/apps/pro/ui/log/exports.log
    /opt/metasploit/apps/pro/ui/log/delayed_job.log /opt/metasploit/apps/pro/ui/log/production.log /opt/metasploit/apps/pro/ui/log/thin.log /opt/metasploit/apps/pro/engine/log/production.log /opt/metasploit/apps/pro/engine/prosvc_stderr.log
    /opt/metasploit/apps/pro/engine/prosvc_stdout.log /opt/metasploit/apps/pro/engine/config/logs/framework.log /opt/metasploit/apps/pro/engine/config/logs/db.log {
        # No complaints if the log file is missing
        missingok
        # Don't rotate empty files
        notifempty
        # Rotate when >= this size
        size 1M
        # Or at this frequency:
        # daily
        # Perms of rotated (old) file
        create 0600 root root
        # Only keep this many most recent rotated files
        rotate 4
        # Delete rotated files older than this many days
        maxage 1000
        # Copy the original log file and set size to 0 during rotation
        # to avoid changing the file the service is writing to:
        copytruncate
        # gzip rotated file
        compress
        # Include date in rotated file name.
        # If enabled this can only run once a day before overwrite!
        # dateext
        # Adjust format with dateformat. The default is -%Y%m%d
    }

  3. Save the file.

As long as Logrotate is running (the default is daily on most Unix systems), this should:

  • Rotate all specified logs that are present, not empty, and >= 1 MB in size.
  • Set rotated files to be owned by root and protected from other users.
  • Compress rotated files.
  • Keep four rotated files and delete files once they are 1000 days old.
  • Set the original file's size to zero after rotation so that services can continue writing to the same file without interruption.
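
The ownership and permission bullet can be checked after the first real rotation: logrotate's man page states that create has no effect when copytruncate is used, so the rotated copies are worth inspecting rather than assuming. This added example (not Rapid7's code) lists every rotated copy whose owner or mode differs from root and 0600; it assumes GNU stat and the numbered names (log.1.gz and so on) that this configuration produces.

```sh
#!/bin/sh
# Added example (not Rapid7's code). Assumes GNU stat and the numbered
# rotated names (log.1.gz ...) produced by the configuration above.

# Log paths copied from the logrotate configuration on this page.
LOGS="/opt/metasploit/apps/pro/ui/log/reports.log
/opt/metasploit/apps/pro/ui/log/exports.log
/opt/metasploit/apps/pro/ui/log/delayed_job.log
/opt/metasploit/apps/pro/ui/log/production.log
/opt/metasploit/apps/pro/ui/log/thin.log
/opt/metasploit/apps/pro/engine/log/production.log
/opt/metasploit/apps/pro/engine/prosvc_stderr.log
/opt/metasploit/apps/pro/engine/prosvc_stdout.log
/opt/metasploit/apps/pro/engine/config/logs/framework.log
/opt/metasploit/apps/pro/engine/config/logs/db.log"

# audit_rotated LOG [OWNER] [MODE]
# Prints "path owner mode" for every rotated copy of LOG whose owner or
# octal mode differs from the expected values. Returns 1 on any finding.
audit_rotated() (
    log=$1; want_owner=${2:-root}; want_mode=${3:-600}; bad=0
    for f in "$log".[0-9]*; do
        [ -f "$f" ] || continue          # glob matched nothing
        owner=$(stat -c '%U' "$f")
        mode=$(stat -c '%a' "$f")
        if [ "$owner" != "$want_owner" ] || [ "$mode" != "$want_mode" ]; then
            printf '%s %s %s\n' "$f" "$owner" "$mode"
            bad=1
        fi
    done
    exit "$bad"
)

# audit_all: run audit_rotated over every path in LOGS.
audit_all() {
    rc=0
    for log in $LOGS; do
        audit_rotated "$log" || rc=1
    done
    return "$rc"
}

audit_all || echo "rotated copies with unexpected owner or mode are listed above" >&2
```
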

Test the Log Rotation

Use the following command to do a dry run of the log rotation. The -d flag is for debugging. The actions are printed to the terminal.

    logrotate -df /etc/logrotate.d/metasploit

The terminal output has been truncated using ...

    reading config file /etc/logrotate.d/metasploit
    Reading state from file: /var/lib/logrotate/status
    Allocating hash table for state file, size 64 entries
    Creating new state
    Creating new state
    Creating new state
    ...

    Handling 1 logs

    rotating pattern: /opt/metasploit/apps/pro/ui/log/reports.log /opt/metasploit/apps/pro/ui/log/exports.log
    /opt/metasploit/apps/pro/ui/log/delayed_job.log /opt/metasploit/apps/pro/ui/log/production.log /opt/metasploit/apps/pro/ui/log/thin.log /opt/metasploit/apps/pro/engine/log/production.log /opt/metasploit/apps/pro/engine/prosvc_stderr.log
    /opt/metasploit/apps/pro/engine/prosvc_stdout.log /opt/metasploit/apps/pro/engine/config/logs/framework.log /opt/metasploit/apps/pro/engine/config/logs/db.log forced from command line (4 rotations)
    empty log files are not rotated, old logs are removed
    considering log /opt/metasploit/apps/pro/ui/log/reports.log
    Creating new state
    Now: 2019-11-22 07:09
    Last rotated at 2019-11-22 07:00
    log does not need rotating (log is empty)
    considering log /opt/metasploit/apps/pro/ui/log/exports.log
    Creating new state
    Now: 2019-11-22 07:09
    Last rotated at 2019-11-22 07:00
    log does not need rotating (log is empty)
    considering log /opt/metasploit/apps/pro/ui/log/delayed_job.log
    ...
    rotating log /opt/metasploit/apps/pro/ui/log/delayed_job.log, log->rotateCount is 4
    dateext suffix '-20191122'
    glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.4.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.5.gz (rotatecount 4, logstart 1, i 4),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.3.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.4.gz (rotatecount 4, logstart 1, i 3),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.2.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.3.gz (rotatecount 4, logstart 1, i 2),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.1.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.2.gz (rotatecount 4, logstart 1, i 1),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.0.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.1.gz (rotatecount 4, logstart 1, i 0),
    log /opt/metasploit/apps/pro/ui/log/delayed_job.log.5.gz doesn't exist -- won't try to dispose of it
    copying /opt/metasploit/apps/pro/ui/log/delayed_job.log to /opt/metasploit/apps/pro/ui/log/delayed_job.log.1
    truncating /opt/metasploit/apps/pro/ui/log/delayed_job.log
    compressing log with: /bin/gzip
    rotating log /opt/metasploit/apps/pro/ui/log/production.log, log->rotateCount is 4
    dateext suffix '-20191122'
    glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
    renaming /opt/metasploit/apps/pro/ui/log/production.log.4.gz to /opt/metasploit/apps/pro/ui/log/production.log.5.gz (rotatecount 4, logstart 1, i 4),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.3.gz to /opt/metasploit/apps/pro/ui/log/production.log.4.gz (rotatecount 4, logstart 1, i 3),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.2.gz to /opt/metasploit/apps/pro/ui/log/production.log.3.gz (rotatecount 4, logstart 1, i 2),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.1.gz to /opt/metasploit/apps/pro/ui/log/production.log.2.gz (rotatecount 4, logstart 1, i 1),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.0.gz to /opt/metasploit/apps/pro/ui/log/production.log.1.gz (rotatecount 4, logstart 1, i 0),
    log /opt/metasploit/apps/pro/ui/log/production.log.5.gz doesn't exist -- won't try to dispose of it
    copying /opt/metasploit/apps/pro/ui/log/production.log to /opt/metasploit/apps/pro/ui/log/production.log.1
    truncating /opt/metasploit/apps/pro/ui/log/production.log
    compressing log with: /bin/gzip

Handling 1 logs

While the output says Handling 1 logs, it is rotating all the specified logfiles.
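
The per-file decisions are easier to confirm when the dry-run output is condensed to one line per action. This added example (not Rapid7's code) does that with awk; the function names are hypothetical and the embedded sample is constructed from lines of the output shown above.

```sh
#!/bin/sh
# Added example (not Rapid7's code): condense `logrotate -d` output into
# one line per decision. Reads the debug output on stdin, for instance:
#   logrotate -df /etc/logrotate.d/metasploit 2>&1 | summarize_dry_run
summarize_dry_run() {
    awk '
        # "considering log PATH" opens the block for one file
        /considering log / { cur = $0; sub(/^.*considering log /, "", cur); next }
        # "log does not need rotating (REASON)" closes it without action
        /log does not need rotating/ {
            why = $0; sub(/^[^(]*\(/, "", why); sub(/\).*$/, "", why)
            print "skip\t" cur "\t" why; next
        }
        # "rotating log PATH, log->rotateCount is N" means it would rotate
        /^[ \t]*rotating log / {
            p = $0; sub(/^[ \t]*rotating log /, "", p)
            sub(/, log->rotateCount.*$/, "", p)
            print "rotate\t" p; next
        }
        # "truncating PATH" is the copytruncate step on the live file
        /^[ \t]*truncating / {
            p = $0; sub(/^[ \t]*truncating /, "", p); print "truncate\t" p
        }
    '
}

# Constructed sample: abridged from the dry-run output on this page.
sample_output() {
    cat <<'EOF'
Handling 1 logs
rotating pattern: /opt/metasploit/apps/pro/ui/log/reports.log /opt/metasploit/apps/pro/ui/log/delayed_job.log forced from command line (4 rotations)
considering log /opt/metasploit/apps/pro/ui/log/reports.log
Last rotated at 2019-11-22 07:00
log does not need rotating (log is empty)
considering log /opt/metasploit/apps/pro/ui/log/delayed_job.log
rotating log /opt/metasploit/apps/pro/ui/log/delayed_job.log, log->rotateCount is 4
copying /opt/metasploit/apps/pro/ui/log/delayed_job.log to /opt/metasploit/apps/pro/ui/log/delayed_job.log.1
truncating /opt/metasploit/apps/pro/ui/log/delayed_job.log
EOF
}

sample_output | summarize_dry_run
```
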

Run the Log Rotation Manually

To run the log rotation manually, just remove the -d flag:

    logrotate -f /etc/logrotate.d/metasploit

The -f flag is to indicate the file to run.