Since SFOS 19.5.0 at the latest, the advanced shell lets you customize the Sophos Firewall log file rotation (logrotate) to suit your needs. This post explains the "how" and the "where".
Introduction
In version 19.5.0, some changes were made to the rotation of the log files. Unfortunately, I cannot say to what extent the Sophos Firewall log file rotation could be customized in previous releases. I am a friend of using current versions and have therefore not looked closely at previous versions. However, as far as I am correctly informed, this was not possible before (as an end user).
In this post I will show you where and how you can customize the configuration of the log file rotation. Feel free to try it out and share your experiences in the comments.
But first the obligatory maintenance:
The "WHERE"
The configuration of the rotation is located in the directory "/static/logrotate". There are already two configurations in this directory: one file "big_logrotate.conf" and one file "small_logrotate.conf". As the name suggests, one file contains more data than the other.
The configuration is selected via a symlink "logrotate.conf" that points to one of the two configurations. You can therefore store several configurations and quickly switch back and forth by adjusting the link.
The "HOW"
Basic
Mount the file system writable
Before making any changes, the file system must first be mounted for writing.
mount -o remount,rw /
From now on you can create or edit new configurations. When you are finished, mount the file system read-only again:
mount -o remount,ro /
Create and edit your own configurations
You should always leave the original configurations as they are so that you have a way back.
Therefore, you first create a new configuration. Use the following command to copy "big_logrotate.conf" to a new file - here: "my_config01.conf".
You can change the name of the target file as you wish.
cp /static/logrotate/big_logrotate.conf /static/logrotate/my_config01.conf
The new configuration is now available in the "/static/logrotate" directory. You can edit the file as you wish using "vi". You will find a few hints below.
Activate other configuration
A different configuration can be activated with the following command. However, first check in the directory which original configuration is active on your firewall with an "ls -ls /static/logrotate" so that you can switch back to the original at the end.
cd /static/logrotate
ln -sf /static/logrotate/my_config01.conf logrotate.conf
The command overwrites the existing symlink "logrotate.conf" with your new destination ("my_config01.conf").
The new configuration is now active. You don't need to do anything else here. In my tests, the new configuration was immediately active without restarting any services.
Activate original configuration
The original configuration can be reactivated with the following command. If a different configuration was active, please replace "big_logrotate.conf" with the corresponding file.
cd /static/logrotate
ln -sf /static/logrotate/big_logrotate.conf logrotate.conf
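The switch and the way back described above can be wrapped so that the previous symlink target is recorded automatically. This is an added example, not code from the original post; the function names and the ".previous_target" file are assumptions, and the file system must already be mounted writable as shown earlier.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names and the
# .previous_target file are assumptions of this example.
LOGROTATE_DIR="${LOGROTATE_DIR:-/static/logrotate}"

# Print the target the logrotate.conf symlink currently points to.
active_config() {
    readlink "$LOGROTATE_DIR/logrotate.conf"
}

# Activate config file $1 (a name inside LOGROTATE_DIR) after sanity checks.
switch_config() {
    new="$LOGROTATE_DIR/$1"
    [ -s "$new" ] || { echo "missing or empty: $new" >&2; return 1; }
    # The post warns that removing copytruncate leaves empty log files behind.
    grep -Eq '^[[:space:]]*copytruncate([[:space:]]|$)' "$new" ||
        { echo "refusing: copytruncate not set in $1" >&2; return 1; }
    # Record the current target first so rollback_config can restore it.
    cur=$(active_config) || { echo "logrotate.conf is not a symlink" >&2; return 1; }
    printf '%s\n' "$cur" > "$LOGROTATE_DIR/.previous_target"
    ln -sfn "$new" "$LOGROTATE_DIR/logrotate.conf"
}

# Point the symlink back at the target recorded by the last switch_config.
rollback_config() {
    prev=$(cat "$LOGROTATE_DIR/.previous_target") || return 1
    case "$prev" in /*) ;; *) prev="$LOGROTATE_DIR/$prev" ;; esac
    [ -e "$prev" ] || { echo "previous target is gone: $prev" >&2; return 1; }
    ln -sfn "$prev" "$LOGROTATE_DIR/logrotate.conf"
}

# Usage: sh logrotate_switch.sh active | switch my_config01.conf | rollback
case "${1:-}" in
    active)   active_config ;;
    switch)   switch_config "$2" ;;
    rollback) rollback_config ;;
esac
```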
Adjustments to the configuration
In this block I will introduce you to a few customizations that you can use. The list is not complete, but in my opinion it is sufficient for the most important requirements. After all, it is only intended for troubleshooting.
How is the configuration structured
Global settings
There are a few global settings at the top of the configuration file:
- compress
  Rotated files should be compressed
- dateext
  Compressed files should have a date appended to them
- dateformat -%Y%m%d_%H%M%S
  The date format for the rotated files
- missingok
  If the log file is not available, no error message is generated and processing continues.
- copytruncate
  This option truncates the original log file after it has been copied. Normally the old log file is renamed and a new one is created. Do not remove this option, otherwise empty log files will be created!
- rotate 2
  Number of versions retained including the current one. Here: 2
Dedicated settings per file
The dedicated settings are customizations for individual log files. The original files already contain several blocks that are structured as follows and speak for themselves in terms of content.
#128MB
"/log/reverseproxy.log"
/log/smtpd_main.log
{
size 128M
rotate 3
}
Settings
Below you will find a few settings that you can set per block (and probably also globally - but I've never tested globally!).
- size size
  Size of the file from which the log rotation should take effect. The second parameter is the desired size. Examples:
  - size 128M
  - size 50K
- rotate count
  count as an integer specifies how many files are to be kept. If not set, the global value is used. The value includes the current log file.
- delaycompress
  The rotated log file is only compressed from the next run if rotate is greater than 2. This means that the previous log file can still be read directly and does not have to be unpacked first.
Further settings can also be looked up here: man7.org
However, the above settings should be sufficient for most cases.
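Before activating a custom configuration it helps to see how much log data each "size"/"rotate" combination can keep. The following added example (not from the original post) parses a configuration laid out like the block above, with braces on their own lines, and prints a rough uncompressed budget per log file, using the post's reading that "rotate" is the number of files kept. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Prints "<log file> <rotate>
# <bytes>" per log file, where bytes = size * rotate (a rough estimate:
# compressed files are smaller, and a log can outgrow "size" between runs).
log_budget() {
    awk '
    function bytes(s,   n, u) {               # "128M" -> 134217728
        n = s + 0; u = toupper(substr(s, length(s)))
        if (u == "K") n *= 1024
        else if (u == "M") n *= 1024 * 1024
        else if (u == "G") n *= 1024 * 1024 * 1024
        return n
    }
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    $0 == ""  { next }
    $0 == "{" { inblk = 1; size = gsize; rot = grot; next }  # inherit globals
    $0 == "}" {
        for (i = 1; i <= np; i++)
            printf "%s %d %.0f\n", paths[i], rot, bytes(size) * rot
        np = 0; inblk = 0; next
    }
    $1 == "size"   { if (inblk) size = $2; else gsize = $2; next }
    $1 == "rotate" { if (inblk) rot = $2;  else grot = $2;  next }
    !inblk {                                   # log file names before "{"
        gsub(/"/, "")
        if (substr($0, 1, 1) == "/") paths[++np] = $0
    }
    ' "$1"
}

# Sum of all per-file budgets in bytes.
total_budget() {
    log_budget "$1" | awk '{ t += $NF } END { printf "%.0f\n", t }'
}

# Usage: sh log_budget.sh /static/logrotate/my_config01.conf
if [ -n "${1:-}" ]; then
    log_budget "$1"
    echo "total: $(total_budget "$1") bytes"
fi
```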
Have fun trying them out!