Thursday, February 3, 2011

Is it safe to remove all files in the /var/log when cleaning a server's history?

I need to erase all system logs etc. from a running Debian machine that's primarily running an Apache server.

Is it safe to remove all the files in /var/log without recreating (by touching?) any of them? I.e. will all the standard processes automatically recreate their log files, including with the correct default owner and permissions, if they suddenly discover that the log file is gone?

  • No, not really. Some log files will not be recreated by the processes writing to them. You might do better to blank the log files, like `cat /dev/null > /var/log/`

    Inshim : and is it safe to blank all of the files there?
    Inshim : also, is there a single command I can use that will individually blank each file in the dir?
    Pier : `for i in /var/log/*.log; do echo "" > "$i"; done`
    Dennis Williamson : @Pier: You need to add `*.gz` and `*.1` at least, plus whatever others there are. And you need to exclude directories, but possible include the files in them. `find` is your friend.
    Kyle Smith : @Dennis - no need to blank, just rm *.[0-9]* and *.gz|bz2 if you're trying to cover tracks.
    Dennis Williamson : @Kyle: Do you mean "@Jasper"?
    From Jasper
  • It's usually best to zero them, as such:

    cp /dev/null /var/log/logname

    That way, if any running process has open file handles for logname, it will be able to keep writing to the file, blissfully ignorant that anything at all has occurred.

    From Starchy
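The open-file-handle behaviour that Starchy describes is easy to see for yourself. The script below is an added example, not code from the original thread: it plays the role of the daemon by holding a log open on descriptor 3 inside the shell, then shows what that "daemon" ends up with after the admin truncates the file (opened with and without O_APPEND) versus unlinks it. All paths are constructed temporary files.

```shell
#!/bin/sh
# Added example (not from the original thread): what a process that keeps a log
# open sees when the admin truncates versus unlinks the file. The "daemon" is
# simulated by holding the file on descriptor 3 in this shell; all paths are
# constructed temporary files.

# Daemon opened the log with O_APPEND (as syslog does); admin truncates in place.
demo_truncate_append() {
  dir=$(mktemp -d) || return 1
  log="$dir/daemon.log"
  exec 3>>"$log"          # O_APPEND: every write lands at the current end of file
  printf 'line1\n' >&3
  : > "$log"              # same effect as cp /dev/null "$log"
  printf 'line2\n' >&3    # lands at offset 0 of the now-empty file
  exec 3>&-
  cat "$log"              # -> line2
  rm -rf "$dir"
}

# Daemon opened the log WITHOUT O_APPEND: after truncation its file offset is
# still 6, so the next write leaves a 6-byte hole of NUL bytes before the new line.
demo_truncate_noappend() {
  dir=$(mktemp -d) || return 1
  log="$dir/daemon.log"
  exec 3>"$log"
  printf 'line1\n' >&3
  : > "$log"
  printf 'line2\n' >&3
  exec 3>&-
  wc -c < "$log" | tr -d ' '   # -> 12, not 6
  rm -rf "$dir"
}

# Admin removes the file instead: the directory entry is gone, but the daemon's
# descriptor still points at the inode, which keeps growing until it is closed.
demo_unlink() {
  dir=$(mktemp -d) || return 1
  log="$dir/daemon.log"
  exec 3>>"$log"
  printf 'line1\n' >&3
  rm "$log"
  if printf 'line2\n' >&3 && [ ! -e "$log" ]; then
    echo "unlinked-but-still-writable"
  else
    echo "unexpected"
  fi
  exec 3>&-
  rm -rf "$dir"
}

# Run all three scenarios when executed directly.
echo "truncate, O_APPEND writer:     $(demo_truncate_append)"
echo "truncate, non-O_APPEND writer: $(demo_truncate_noappend) bytes"
echo "unlink:                        $(demo_unlink)"
```

The second case is the caveat a practitioner should keep in mind: `cp /dev/null` is safe for syslog-style writers, but a daemon that opened its log without O_APPEND will carry on at its old offset, and the blanked file grows back with a run of NUL bytes in front of the new entries. The third case is why `rm` does not free disk space until the daemon is restarted or signalled.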
  • Reputation too low for commenting, so I put it in an answer:

    To blank each file in /var/log/ including subdirectories, you could issue

    find /var/log/ -type f -exec cp /dev/null {} \;

    (naturally this is untested)

    I would assume yes, it is safe to blank them. However, no one will be able to tell for sure without examining the list of log files in there or the applications that created them. Debian policy suggests that it should be safe, but probably no one has tried.

    If I were you, I would preserve a copy of the directory and check the system's functions afterwards. And not forget to remove the backup :)

  • Some daemons won't be happy until you `kill -HUP` them so they know that their log file has changed (particularly when it's a `mv`). You should know what their behavior is before you do this.

    You should consider using `mv`, `kill -HUP`, then `shred` the moved file (instead of `cp` or `echo`).

    Also, you might want to read `man 8 logrotate` for further information.

    Avery Payne : Some daemons use syslog, some do not. It just depends. Killing something that syslog is writing usually is safe (it just spews another file) but killing something that is directly written by the daemon can be a hit-or-miss kind of thing. Gave a point for using `shred`; it may not be as fast as `dd if=/dev/zero of=/var/log/someforgotten.log` but it's far "safer".
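The daemons this answer warns about are the ones that keep a removed file open: the space is not freed, `du` and `df` disagree, and the daemon needs a HUP or a restart before it reopens its log. The script below is an added example, not code from the original thread or from any of the tools mentioned; it walks `/proc/<pid>/fd` to list exactly those processes, which is the same answer `lsof +L1` gives on a box where `lsof` is installed. It assumes a Linux `/proc`; processes you are not allowed to inspect are skipped, so run it as root to see every daemon.

```shell
#!/bin/sh
# Added example (not from the original thread): list processes that still hold a
# removed file open, so you know which daemons need a HUP before their old log
# stops eating disk. Uses only /proc (Linux); lsof +L1 reports the same thing.

# Prints one line per open-but-deleted regular file: "pid comm path".
# Processes we cannot inspect (other users' without root) are silently skipped;
# memfd and device nodes, which also carry the "(deleted)" suffix, are ignored.
find_deleted_open_files() {
  for fd in /proc/[0-9]*/fd/*; do
    target=$(readlink "$fd" 2>/dev/null) || continue
    case $target in
      /memfd:*|/dev/*) continue ;;   # not files on disk
      *' (deleted)') ;;              # an unlinked file still held open
      *) continue ;;
    esac
    pid=${fd#/proc/}; pid=${pid%%/*}
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    printf '%s %s %s\n' "$pid" "$comm" "${target% (deleted)}"
  done
}

# Same scan restricted to files that lived under a directory (default /var/log):
# every process listed here is a candidate for kill -HUP or a service restart.
find_deleted_logs() {
  prefix=${1:-/var/log}
  find_deleted_open_files | while read -r pid comm path; do
    case $path in
      "$prefix"/*) printf '%s %s %s\n' "$pid" "$comm" "$path" ;;
    esac
  done
}

# Report on /var/log (or the directory given as the first argument).
find_deleted_logs "$1"
```

Running it after a clean-up that used `rm` shows which writers were never told about the change; once those daemons have been signalled, a second run should print nothing and `df` should agree with `du` again.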
