Rotating Logs

Rotating logs regularly can make them easier to find. The script below takes advantage of a Unix system utility called Logrotate. Logrotate automatically compresses and rotates log files.

ℹ️

Linux

The following instructions are for Linux.

Create the Log Rotation Script

  1. Make a new file, touch /etc/logrotate.d/metasploit.
  2. Open the file and add the following code.
#
# This list should be kept current with /opt/metasploit/apps/pro/ui/script/diagnostic_logs.rb
#
# Don't use regex, I know it's tempting. Support is very limited in
# logrotate and inconsistent across platforms.
#
/opt/metasploit/apps/pro/ui/log/reports.log /opt/metasploit/apps/pro/ui/log/exports.log
/opt/metasploit/apps/pro/ui/log/delayed_job.log /opt/metasploit/apps/pro/ui/log/production.log /opt/metasploit/apps/pro/ui/log/thin.log /opt/metasploit/apps/pro/engine/log/production.log /opt/metasploit/apps/pro/engine/prosvc_stderr.log
/opt/metasploit/apps/pro/engine/prosvc_stdout.log /opt/metasploit/apps/pro/engine/config/logs/framework.log /opt/metasploit/apps/pro/engine/config/logs/db.log {
# No complaints if the log file is missing
missingok
# Don't rotate empty files
notifempty
# Rotate when >= this size
size 1M
# Or at this frequency:
# daily
# Perms of rotated (old) file
create 0600 root root
# Only keep this many most recent rotated files
rotate 4
# Delete rotated files older than this many days
maxage 1000
# Copy the original log file and set size to 0 during rotation
# to avoid changing the file the service is writing to:
copytruncate
# gzip rotated file
compress
# Include date in rotated file name.
# If enabled this can only run once a day before overwrite!
# dateext
# Adjust format with dateformat. The default is -%Y%m%d
}
  1. Save the file.

As long as Logrotate is running, the default is daily on most Unix systems, , then this should:

  • Rotate all specified logs that are present, not empty, and >= 1 MB in size.
  • Set rotated files to be owned by root and protected from other users.
  • Compress rotated files.
  • Keep four rotated files and delete files once they are 1000 days old.
  • Set the original file’s size to zero after rotation so that services can continue writing to the same file without interruption.

Test the Log Rotation

Use the following script to do a dry run of the log rotation. The -d flag is for debugging. The actions are printed to the terminal. logrotate -df /etc/logrotate.d/metasploit

The terminal output has been truncated using ...

reading config file /etc/logrotate.d/metasploit
Reading state from file: /var/lib/logrotate/status
Allocating hash table for state file, size 64 entries
Creating new state
Creating new state
Creating new state
...

Handling 1 logs

rotating pattern: /opt/metasploit/apps/pro/ui/log/reports.log /opt/metasploit/apps/pro/ui/log/exports.log
/opt/metasploit/apps/pro/ui/log/delayed_job.log /opt/metasploit/apps/pro/ui/log/production.log /opt/metasploit/apps/pro/ui/log/thin.log /opt/metasploit/apps/pro/engine/log/production.log /opt/metasploit/apps/pro/engine/prosvc_stderr.log
/opt/metasploit/apps/pro/engine/prosvc_stdout.log /opt/metasploit/apps/pro/engine/config/logs/framework.log /opt/metasploit/apps/pro/engine/config/logs/db.log  forced from command line (4 rotations)
empty log files are not rotated, old logs are removed
considering log /opt/metasploit/apps/pro/ui/log/reports.log
Creating new state
  Now: 2019-11-22 07:09
  Last rotated at 2019-11-22 07:00
  log does not need rotating (log is empty)
considering log /opt/metasploit/apps/pro/ui/log/exports.log
Creating new state
  Now: 2019-11-22 07:09
  Last rotated at 2019-11-22 07:00
  log does not need rotating (log is empty)
considering log /opt/metasploit/apps/pro/ui/log/delayed_job.log
...
rotating log /opt/metasploit/apps/pro/ui/log/delayed_job.log, log->rotateCount is 4
dateext suffix '-20191122'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.4.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.5.gz (rotatecount 4, logstart 1, i 4), 
renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.3.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.4.gz (rotatecount 4, logstart 1, i 3), 
renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.2.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.3.gz (rotatecount 4, logstart 1, i 2), 
renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.1.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.2.gz (rotatecount 4, logstart 1, i 1), 
renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.0.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.1.gz (rotatecount 4, logstart 1, i 0), 
log /opt/metasploit/apps/pro/ui/log/delayed_job.log.5.gz doesn't exist -- won't try to dispose of it
copying /opt/metasploit/apps/pro/ui/log/delayed_job.log to /opt/metasploit/apps/pro/ui/log/delayed_job.log.1
truncating /opt/metasploit/apps/pro/ui/log/delayed_job.log
compressing log with: /bin/gzip
rotating log /opt/metasploit/apps/pro/ui/log/production.log, log->rotateCount is 4
dateext suffix '-20191122'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /opt/metasploit/apps/pro/ui/log/production.log.4.gz to /opt/metasploit/apps/pro/ui/log/production.log.5.gz (rotatecount 4, logstart 1, i 4), 
renaming /opt/metasploit/apps/pro/ui/log/production.log.3.gz to /opt/metasploit/apps/pro/ui/log/production.log.4.gz (rotatecount 4, logstart 1, i 3), 
renaming /opt/metasploit/apps/pro/ui/log/production.log.2.gz to /opt/metasploit/apps/pro/ui/log/production.log.3.gz (rotatecount 4, logstart 1, i 2), 
renaming /opt/metasploit/apps/pro/ui/log/production.log.1.gz to /opt/metasploit/apps/pro/ui/log/production.log.2.gz (rotatecount 4, logstart 1, i 1), 
renaming /opt/metasploit/apps/pro/ui/log/production.log.0.gz to /opt/metasploit/apps/pro/ui/log/production.log.1.gz (rotatecount 4, logstart 1, i 0), 
log /opt/metasploit/apps/pro/ui/log/production.log.5.gz doesn't exist -- won't try to dispose of it
copying /opt/metasploit/apps/pro/ui/log/production.log to /opt/metasploit/apps/pro/ui/log/production.log.1
truncating /opt/metasploit/apps/pro/ui/log/production.log
compressing log with: /bin/gzip
ℹ️

Handling 1 logs

While the output says Handling 1 logs, it is rotating all the specified logfiles.

Run the Log Rotation Manually

To run the log rotation manually, just remove the -d flag. logrotate -f /etc/logrotate.d/metasploit. The -f flag is to indicate the file to run.