Date: Sat, 11 Oct 2008 09:46:33 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Kelly Jones <kelly.terry.jones@gmail.com>
Cc: techtalk@linuxchix.org, freebsd-questions@freebsd.org, nmosug-l@mailman.swcp.com, nmlug@nmlug.org
Subject: Re: newsyslog naming scheme could be improved?
Message-ID: <20081011164633.GA67326@icarus.home.lan>
In-Reply-To: <26face530810110933o1403705o625586ac53b309fb@mail.gmail.com>
References: <26face530810110933o1403705o625586ac53b309fb@mail.gmail.com>

On Sat, Oct 11, 2008 at 09:33:42AM -0700, Kelly Jones wrote:
> newsyslog rotates logfiles so that messages.0.gz is yesterday's file,
> messages.1.gz is the day before's, etc.
>
> This is ugly. If I tell my fellow sysadmins that I ran this command:
>
> zfgrep 'bad thing' /var/log/messages.4.gz
>
> and found stuff, they may run it the next day and get different
> results because the file is now messages.5.gz

Is it possible to educate your co-workers into looking at timestamps on
files before randomly assuming that EVERYTHING ends up in .4.gz? :-)
Surely your co-workers aren't that dense.

Or you can have them use zgrep 'bad thing' /var/log/messages.*.gz and
tell them "pay close attention to the timestamps shown!!" That might
work as a better work-around.

> Improving my cow-orkers intelligence would be the ideal solution, but
> has anyone considered tweaking newsyslog to name files
> messages.2008-10-05-12-00-00.gz or something. IE, give them a constant
> name that doesn't change and then delete them after how many ever
> days?

I'd vote for the following strftime(3) format: "%Y%m%dT%H%M".

Otherwise known as:

YYYYMMDDThhmm

YYYY = Year (4-digit)
MM   = Month (01 to 12)
DD   = Day (01 to 31)
T    = Literal ASCII string "T"
hh   = Hour (24-hour time, e.g. 00 to 23)
mm   = Minute (00 to 59)

The "T" aspect is optional, but it's what we use at my workplace, and
makes recognising the hour-minute portion easier.

I don't think we need second-level granularity on this stuff; even
minute granularity is questionable (because not all logs will get
rotated at exactly 00 minutes; they might take 20 minutes to compress
based on system load, etc...), since you'd have inconsistencies in the
filenames, e.g.:

messages.20081005T0000.gz
messages.20081006T0001.gz
messages.20081007T0001.gz
messages.20081008T0000.gz
messages.20081009T0002.gz

And so on. Food for thought.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
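
The naming scheme discussed in this message, as an added Python example that is not part of the original e-mail and is not newsyslog code: it builds names with the "%Y%m%dT%H%M" format and selects archives for deletion by the age encoded in the name, so the minute drift mentioned above does not matter. The `<base>.<stamp>.gz` layout, the function names and the sample list are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

STAMP_FORMAT = "%Y%m%dT%H%M"  # strftime(3) format proposed in the message
# Assumed layout: <base>.<YYYYMMDDThhmm>, optionally followed by .gz
NAME_RE = re.compile(r"^(?P<base>.+)\.(?P<stamp>\d{8}T\d{4})(?:\.gz)?$")


def rotated_name(base, when, compressed=True):
    """Build a stable archive name such as messages.20081005T0000.gz."""
    name = f"{base}.{when.strftime(STAMP_FORMAT)}"
    return name + ".gz" if compressed else name


def parse_stamp(filename, base):
    """Return the rotation time encoded in filename, or None if it is not ours."""
    m = NAME_RE.match(filename)
    if m is None or m.group("base") != base:
        return None  # old numeric scheme (messages.0.gz) or another log
    try:
        return datetime.strptime(m.group("stamp"), STAMP_FORMAT)
    except ValueError:
        return None  # digits in the right shape but not a real date


def expired(filenames, base, now, keep_days):
    """Names whose encoded time is older than keep_days, oldest first."""
    cutoff = now - timedelta(days=keep_days)
    stamped = []
    for name in filenames:
        ts = parse_stamp(name, base)
        if ts is not None:
            stamped.append((ts, name))
    return [name for ts, name in sorted(stamped) if ts < cutoff]


# Constructed sample: the five names from the message plus entries to skip.
SAMPLE = [
    "messages.20081009T0002.gz", "messages.20081005T0000.gz",
    "messages.20081007T0001.gz", "messages.20081006T0001.gz",
    "messages.20081008T0000.gz",
    "messages.0.gz",               # old numeric scheme, ignored
    "messages.20080230T0000.gz",   # 30 February, ignored
    "auth.log.20081005T0000.gz",   # different base, ignored
]

if __name__ == "__main__":
    for name in expired(SAMPLE, "messages", datetime(2008, 10, 11, 9, 46), 4):
        print("would delete", name)
```

Because the fields run from most to least significant and are zero-padded, a plain lexical sort of these names is also a chronological sort.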