Debian: logrotate won’t rotate logs with an “unknown group ‘syslog’” error

By | 10/09/2019

We have an AWS EC2 with Debian and logrotate.

One day its root partition was exhausted, and when I started investigating I found that we had a bunch of files like /var/log/syslog.N.gz.

At the same time, logrotate by default creates a config file to rotate the syslog log files:

[simterm]

root@monitoring-dev:~# cat /etc/logrotate.d/syslog 
# Ansible managed
/var/log/syslog {
    size 10M
    rotate 1
    daily
...
}

[/simterm]

Thus, we should have only the syslog and syslog.1 files, but instead:

[simterm]

root@monitoring-dev:~# ll /var/log/ | grep syslog
-rw-r----- 1 root        adm      11925 Oct  9 09:26 syslog
-rw-r----- 1 root        adm     361150 Oct  9 06:25 syslog.1
-rw-r----- 1 root        adm       7712 Oct  8 06:25 syslog.2.gz
-rw-r----- 1 root        adm       7562 Oct  7 06:25 syslog.3.gz
-rw-r----- 1 root        adm       7832 Oct  6 06:25 syslog.4.gz
-rw-r----- 1 root        adm       7720 Oct  5 06:25 syslog.5.gz
-rw-r----- 1 root        adm       7641 Oct  4 06:25 syslog.6.gz
-rw-r----- 1 root        adm       8072 Oct  3 06:25 syslog.7.gz

[/simterm]

Let’s check: run logrotate with the --debug (-d) option, which makes a dry run without changing any logs:

[simterm]

root@monitoring-dev:~# logrotate -d /etc/logrotate.conf
reading config file /etc/logrotate.conf
error: /etc/logrotate.conf:5 unknown group 'syslog'
removing last 0 log configs

[/simterm]

unknown group ‘syslog’

And here is our error.

The error appears because Debian has no syslog group; instead, it has the adm group, which is the default group for log files.

Check the /etc/logrotate.conf content:

# Ansible managed

# see "man logrotate" for details
weekly
su root syslog
...

And check the existing user groups:

[simterm]

root@monitoring-dev:~# cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:admin
...

[/simterm]

Replace syslog with adm:

# Ansible managed 

# see "man logrotate" for details
weekly
su root adm
...

And check again:

[simterm]

root@monitoring-dev:~# logrotate -d /etc/logrotate.conf
reading config file /etc/logrotate.conf
including /etc/logrotate.d
reading config file apt
reading config file certbot
reading config file chrony
reading config file daemonlog
reading config file dpkg
reading config file exim4-base
reading config file exim4-paniclog
reading config file nginx
reading config file rsyslog
reading config file syslog
reading config file unattended-upgrades
Reading state from file: /var/lib/logrotate/status
Allocating hash table for state file, size 64 entries
...

[/simterm]

Done.
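
A pre-flight check for the failure above, as an added example that is not part of the original post: it lists every `su` and `create` directive in a logrotate config whose group is missing from the group file, which goes slightly beyond the single `su` line in the post. The function name, the `demo` helper and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reports "su" and "create"
# directives that name a group absent from a group file.
# Usage: check_logrotate_groups GROUP_FILE CONFIG...
# Assumption: groups come from a flat file such as /etc/group; on hosts using
# LDAP or other NSS sources, feed it the output of `getent group` instead.
check_logrotate_groups() {
    group_file=$1; shift
    awk '
        function check(g) {
            if (!(g in known)) {
                printf "%s:%d: unknown group %s\n", FILENAME, FNR, g
                bad = 1
            }
        }
        NR == FNR { split($0, f, ":"); known[f[1]] = 1; next }  # group file
        /^[ \t]*#/ { next }                                      # comments
        $1 == "su" && NF >= 3 { check($3) }                      # su user group
        # create [mode] owner group: mode is optional and octal
        $1 == "create" { i = ($2 ~ /^[0-7]+$/) ? 4 : 3; if (NF >= i) check($i) }
        END { exit bad + 0 }
    ' "$group_file" "$@"
}

# Constructed sample: the group list and both logrotate.conf versions from above.
demo() {
    d=$(mktemp -d) || return 2
    printf 'root:x:0:\ndaemon:x:1:\nbin:x:2:\nsys:x:3:\nadm:x:4:admin\n' > "$d/group"
    for g in syslog adm; do
        printf '# Ansible managed\n\n# see "man logrotate" for details\nweekly\nsu root %s\n' \
            "$g" > "$d/$g.conf"
    done
    check_logrotate_groups "$d/group" "$d/syslog.conf" "$d/adm.conf"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "unknown group found: fix it before the next logrotate run"
```

On a real host the call would be `check_logrotate_groups /etc/group /etc/logrotate.conf /etc/logrotate.d/*`, and a non-zero exit status can fail a configuration-management run before the broken file is deployed.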