Increase Nginx and OpenLiteSpeed Log Rotation Size


Jordan

EDIT: This is also the case for Nginx through logrotate.d:

/var/log/nginx/*log {
        create 0644 root root
        daily
        maxsize 1M
        rotate 28
        missingok
        notifempty
        compress
        sharedscripts
        postrotate
           /bin/kill -USR1 $(cat /var/run/nginx.pid 2>/dev/null) 2>/dev/null || true
        endscript
}

OpenLiteSpeed is configured to rotate logs when they reach 1MB, which once compressed is under 100k of storage. A high-traffic site will result in 30 files from the same day, effectively making any forensic analysis impossible. This should be raised to 10MB or 20MB.

accesslog $VH_ROOT/logs/maparatunisie.tn.access.log {
  useServer               0
  logFormat               "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
  logHeaders              7
  rollingSize             1M
  keepDays                0
  compressArchive         1
}

This should be increased to 10MB or 20MB, which is the maximum the active log file will grow before being rotated and compressed with gzip, reducing the file size by at most 90%.

It's super important to have at least 30 days of log file retention, especially for forensic analysis when a site is compromised.
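A check for the two settings discussed in the post above, as an added example that is not part of the original post or of either project: it parses a logrotate stanza or an OpenLiteSpeed accesslog block and flags a rotation size under 10MB or retention under 30. The function names and sample stanzas are constructed for illustration, and the handling of `keepDays 0` as "no age-based deletion" is an assumption.

```python
import re

MIN_SIZE = 10 * 1024 ** 2   # post's suggested floor: 10MB per file
MIN_DAYS = 30               # post's retention goal: 30 days
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# Constructed samples, trimmed from the two configurations quoted in the post.
NGINX = """/var/log/nginx/*log {
        daily
        maxsize 1M
        rotate 28
}"""
OLS = """accesslog $VH_ROOT/logs/example.access.log {
  rollingSize             1M
  keepDays                0
  compressArchive         1
}"""

def to_bytes(value):
    """Convert '1M', '100k' or a bare byte count to an integer."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", value)
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def directives(stanza):
    """Map each directive inside the { } block to its argument string."""
    body = stanza[stanza.index("{") + 1:stanza.rindex("}")]
    pairs = (line.split(None, 1) for line in body.splitlines() if line.strip())
    return {p[0]: (p[1].strip() if len(p) > 1 else "") for p in pairs}

def audit(stanza):
    """Return findings for a logrotate stanza or an OpenLiteSpeed accesslog block."""
    d, findings = directives(stanza), []
    for key in ("maxsize", "rollingSize"):
        if key in d and to_bytes(d[key]) < MIN_SIZE:
            findings.append(f"{key} {d[key]} is below 10M")
    # 'rotate N' counts files, not days: a size trigger can only rotate
    # sooner than 'daily', so N is an upper bound on the days kept.
    if "rotate" in d and int(d["rotate"]) < MIN_DAYS:
        findings.append(f"rotate {d['rotate']} keeps fewer than {MIN_DAYS} files")
    # Assumption: keepDays 0 disables age-based deletion in OpenLiteSpeed.
    if 0 < int(d.get("keepDays", 0)) < MIN_DAYS:
        findings.append(f"keepDays {d['keepDays']} is under {MIN_DAYS} days")
    return findings

if __name__ == "__main__":
    for name, stanza in (("nginx", NGINX), ("openlitespeed", OLS)):
        print(name, audit(stanza))
```
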

Activity

Steve Bell

Status changed to: Under review

Thomas Raef

It would be great if this could be given some attention. I've come across a few situations where we can't get the log files past 30 days because of these settings. I pride myself on root cause analysis and the current settings really hamper my efforts.