Rotating Logs

Rotating logs regularly can make them easier to find. The script below takes advantage of a Unix system utility called Logrotate. Logrotate automatically compresses and rotates log files.

ℹ️

Linux

The following instructions are for Linux.

Create the Log Rotation Script

  1. Make a new file, touch /etc/logrotate.d/metasploit.
  2. Open the file and add the following code.

      #
      # This list should be kept current with /opt/metasploit/apps/pro/ui/script/diagnostic_logs.rb
      #
      # Don't use regex, I know it's tempting. Support is very limited in
      # logrotate and inconsistent across platforms.
      #
      /opt/metasploit/apps/pro/ui/log/reports.log
      /opt/metasploit/apps/pro/ui/log/exports.log
      /opt/metasploit/apps/pro/ui/log/delayed_job.log
      /opt/metasploit/apps/pro/ui/log/production.log
      /opt/metasploit/apps/pro/ui/log/thin.log
      /opt/metasploit/apps/pro/engine/log/production.log
      /opt/metasploit/apps/pro/engine/prosvc_stderr.log
      /opt/metasploit/apps/pro/engine/prosvc_stdout.log
      /opt/metasploit/apps/pro/engine/config/logs/framework.log
      /opt/metasploit/apps/pro/engine/config/logs/db.log {
          # No complaints if the log file is missing
          missingok

          # Don't rotate empty files
          notifempty

          # Rotate when >= this size
          size 1M
          # Or at this frequency:
          # daily

          # Perms of rotated (old) file
          create 0600 root root

          # Only keep this many most recent rotated files
          rotate 4

          # Delete rotated files older than this many days
          maxage 1000

          # Copy the original log file and set size to 0 during rotation
          # to avoid changing the file the service is writing to:
          copytruncate

          # gzip rotated file
          compress

          # Include date in rotated file name.
          # If enabled this can only run once a day before overwrite!
          # dateext
          # Adjust format with dateformat. The default is -%Y%m%d
      }

  3. Save the file.

As long as Logrotate is running (the default is daily on most Unix systems), this should:

  • Rotate all specified logs that are present, not empty, and >= 1 MB in size.
  • Set rotated files to be owned by root and protected from other users.
  • Compress rotated files.
  • Keep four rotated files and delete files once they are 1000 days old.
  • Set the original file’s size to zero after rotation so that services can continue writing to the same file without interruption.

Test the Log Rotation

Use the following command to do a dry run of the log rotation. The -d flag is for debugging. The actions are printed to the terminal.

    logrotate -df /etc/logrotate.d/metasploit

The terminal output has been truncated using ...

    reading config file /etc/logrotate.d/metasploit
    Reading state from file: /var/lib/logrotate/status
    Allocating hash table for state file, size 64 entries
    Creating new state
    Creating new state
    Creating new state
    ...
    Handling 1 logs
    rotating pattern: /opt/metasploit/apps/pro/ui/log/reports.log
    /opt/metasploit/apps/pro/ui/log/exports.log
    /opt/metasploit/apps/pro/ui/log/delayed_job.log
    /opt/metasploit/apps/pro/ui/log/production.log
    /opt/metasploit/apps/pro/ui/log/thin.log
    /opt/metasploit/apps/pro/engine/log/production.log
    /opt/metasploit/apps/pro/engine/prosvc_stderr.log
    /opt/metasploit/apps/pro/engine/prosvc_stdout.log
    /opt/metasploit/apps/pro/engine/config/logs/framework.log
    /opt/metasploit/apps/pro/engine/config/logs/db.log forced from command line (4 rotations)
    empty log files are not rotated, old logs are removed
    considering log /opt/metasploit/apps/pro/ui/log/reports.log
    Creating new state
      Now: 2019-11-22 07:09
      Last rotated at 2019-11-22 07:00
      log does not need rotating (log is empty)
    considering log /opt/metasploit/apps/pro/ui/log/exports.log
    Creating new state
      Now: 2019-11-22 07:09
      Last rotated at 2019-11-22 07:00
      log does not need rotating (log is empty)
    considering log /opt/metasploit/apps/pro/ui/log/delayed_job.log
    ...
    rotating log /opt/metasploit/apps/pro/ui/log/delayed_job.log, log->rotateCount is 4
    dateext suffix '-20191122'
    glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.4.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.5.gz (rotatecount 4, logstart 1, i 4),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.3.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.4.gz (rotatecount 4, logstart 1, i 3),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.2.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.3.gz (rotatecount 4, logstart 1, i 2),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.1.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.2.gz (rotatecount 4, logstart 1, i 1),
    renaming /opt/metasploit/apps/pro/ui/log/delayed_job.log.0.gz to /opt/metasploit/apps/pro/ui/log/delayed_job.log.1.gz (rotatecount 4, logstart 1, i 0),
    log /opt/metasploit/apps/pro/ui/log/delayed_job.log.5.gz doesn't exist -- won't try to dispose of it
    copying /opt/metasploit/apps/pro/ui/log/delayed_job.log to /opt/metasploit/apps/pro/ui/log/delayed_job.log.1
    truncating /opt/metasploit/apps/pro/ui/log/delayed_job.log
    compressing log with: /bin/gzip
    rotating log /opt/metasploit/apps/pro/ui/log/production.log, log->rotateCount is 4
    dateext suffix '-20191122'
    glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
    renaming /opt/metasploit/apps/pro/ui/log/production.log.4.gz to /opt/metasploit/apps/pro/ui/log/production.log.5.gz (rotatecount 4, logstart 1, i 4),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.3.gz to /opt/metasploit/apps/pro/ui/log/production.log.4.gz (rotatecount 4, logstart 1, i 3),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.2.gz to /opt/metasploit/apps/pro/ui/log/production.log.3.gz (rotatecount 4, logstart 1, i 2),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.1.gz to /opt/metasploit/apps/pro/ui/log/production.log.2.gz (rotatecount 4, logstart 1, i 1),
    renaming /opt/metasploit/apps/pro/ui/log/production.log.0.gz to /opt/metasploit/apps/pro/ui/log/production.log.1.gz (rotatecount 4, logstart 1, i 0),
    log /opt/metasploit/apps/pro/ui/log/production.log.5.gz doesn't exist -- won't try to dispose of it
    copying /opt/metasploit/apps/pro/ui/log/production.log to /opt/metasploit/apps/pro/ui/log/production.log.1
    truncating /opt/metasploit/apps/pro/ui/log/production.log
    compressing log with: /bin/gzip

ℹ️

Handling 1 logs

While the output says Handling 1 logs, it is rotating all the specified logfiles.

Run the Log Rotation Manually

To run the log rotation manually, just remove the -d flag.

    logrotate -f /etc/logrotate.d/metasploit

The -f flag is to indicate the file to run.
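
After a rotation has run, it is worth confirming that the rotated copies really are owned by root and closed to other users, because the logrotate man page notes that create has no effect when copytruncate is in use. The check below is an added example, not part of the original instructions; the function name find_loose_rotated and the EXPECT_OWNER variable are hypothetical, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: flag rotated Metasploit log copies that other users could read.
# Directories are those of the log files listed in /etc/logrotate.d/metasploit.
LOG_DIRS="/opt/metasploit/apps/pro/ui/log
/opt/metasploit/apps/pro/engine/log
/opt/metasploit/apps/pro/engine
/opt/metasploit/apps/pro/engine/config/logs"

# find_loose_rotated DIR... (hypothetical helper)
# Prints "MODE UID:GID PATH" for each rotated file (*.log.N or *.log.N.gz, the
# names produced when dateext is off) that has any group/other permission bit
# set or is not owned by EXPECT_OWNER (numeric uid:gid, default 0:0 = root:root).
# Returns 1 if at least one such file was found, 0 otherwise.
find_loose_rotated() {
    expect="${EXPECT_OWNER:-0:0}"
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue              # missing directory: nothing to check
        for f in "$dir"/*.log.[0-9]*; do
            [ -f "$f" ] || continue            # unmatched glob stays literal
            mode=$(stat -c '%a' "$f")          # octal mode, e.g. 600 (GNU stat)
            owner=$(stat -c '%u:%g' "$f")
            # 077 masks the group and other bits; anything set there is too loose
            if [ $(( 0$mode & 077 )) -ne 0 ] || [ "$owner" != "$expect" ]; then
                printf '%s %s %s\n' "$mode" "$owner" "$f"
                found=1
            fi
        done
    done
    return "$found"
}

# Check the Metasploit log directories; silent when everything is 0600 root:root.
# shellcheck disable=SC2086  # word splitting of LOG_DIRS is intended
find_loose_rotated $LOG_DIRS || echo "rotated logs with loose permissions found" >&2
```

Any file it lists can be tightened with chmod 600 and chown root:root; fixing the mode of the live log file keeps later rotated copies from inheriting loose permissions.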