Probably want to qualify this statement:

> Typically the log files are saved under /var/log which is a persistent directory but not forever.

Unless you've created /var/log as a pseudo-filesystem, everything under it is persistent. It's simply other processes that may be configured to help ensure you don't blow out whatever filesystem /var/log is sitting on.

While many of the log files that get placed in /var/log are accounted for in the default logrotate configurations, it's not safe to simply assume that things will be defaulted away (or, even if they are defaulted for rotation, your system's logging activity may happen too quickly for the default-settings to account for). A couple of things that can be gotchas:

The logs produced by auditd typically aren't rotated by the logrotate service
Depending on how you've set up your syslog – whether you've altered the default logging-paths or added non-default log-outputters – your log files very well may end up being wholly persistent … even up to the point where your system becomes unusable or even crashes due to having run out of space.
Similarly, if you've configured any of your systemd units to handle their own logging activities (or installed applications that do similarly), you can likewise overflow your system
If you've installed software that doesn't log into /var/log (Splunk, McAfee and a few other "enterprise" agents are great for this)

In short, always understand what and where your software/services are logging, how quickly they're doing so, and update your log-rotation utilities' configuration(s) to account for it. And, if you're paranoid (or operate under configuration-mandates), it can be helpful to make sure your logging directories are on separate filesystems from your / filesystem.

Yeah! That's for sure. Thanks for clarifying!!
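A check along the lines the comment above recommends, added here as an example and not code from the thread: it lists the log files that no logrotate stanza covers. The configuration text, the file inventory and the /opt/exampleagent path are constructed, and `include` directives are not followed.

```python
import fnmatch
import shlex

# Constructed logrotate configuration (not taken from any real host).
SAMPLE_CONF = """\
weekly
include /etc/logrotate.d
/var/log/messages /var/log/secure {
    missingok
}
"/var/log/httpd/*log" {
    maxsize 100M
}
"""

# Constructed inventory of files that services on the host write to.
SAMPLE_LOGS = [
    "/var/log/messages",
    "/var/log/httpd/access_log",
    "/var/log/audit/audit.log",             # auditd: typically not in logrotate
    "/opt/exampleagent/var/log/agent.log",  # hypothetical agent outside /var/log
]

def rotated_patterns(conf_text):
    """Return the path globs named in logrotate stanza headers."""
    patterns, in_stanza = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if in_stanza:                       # skip directives until the stanza closes
            in_stanza = line != "}"
            continue
        tokens = shlex.split(line.replace("{", " { ").replace("}", " } "))
        head = tokens[:tokens.index("{")] if "{" in tokens else tokens
        if tokens[0].startswith("/"):       # global directives start with a keyword
            patterns += head
        in_stanza = "{" in tokens and "}" not in tokens
    return patterns

def covered(path, pattern):
    """glob(3)-style match: '*' does not cross a '/' boundary."""
    p, g = path.split("/"), pattern.split("/")
    return len(p) == len(g) and all(fnmatch.fnmatchcase(a, b) for a, b in zip(p, g))

def unrotated(log_paths, conf_text):
    """Log files that no logrotate stanza in conf_text would ever touch."""
    patterns = rotated_patterns(conf_text)
    return [p for p in log_paths if not any(covered(p, g) for g in patterns)]
```

Files it reports are not necessarily unmanaged, since a service may rotate its own logs; they are the ones whose retention has to be confirmed somewhere other than logrotate.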