How to Force Manual Log Rotation for rsyslogd and Resolve “unknown option” Errors


2 views

When attempting to manually rotate syslog files using logrotate -f /var/log/syslog, many administrators encounter these frustrating errors:

error: syslog:1 unknown option 'May' -- ignoring line
error: syslog:1 unexpected text

This typically occurs because the command is being executed incorrectly against the active log file rather than the logrotate configuration.

For rsyslogd specifically, you have several options to properly rotate logs:

# Method 1: Using logrotate correctly
sudo logrotate -f /etc/logrotate.d/rsyslog

# Method 2: Sending HUP signal to rsyslogd
sudo kill -HUP $(cat /var/run/rsyslogd.pid)

# Method 3: Using rsyslog's internal mechanism
sudo systemctl kill -s HUP rsyslog.service

The initial approach fails because:

  • /var/log/syslog is the data file, not the configuration
  • logrotate interprets the first line of the log as a malformed configuration
  • rsyslog maintains an active file handle to the log

Here's a full workflow to properly rotate and empty syslog:

# 1. Backup current log
sudo cp /var/log/syslog /var/log/syslog.backup

# 2. Force rotation via config
sudo logrotate -vf /etc/logrotate.d/rsyslog

# 3. Verify new empty log was created
ls -la /var/log/syslog

# 4. Optional: Compress old logs
find /var/log -name "syslog.*" -exec gzip {} \;

Ensure your /etc/logrotate.d/rsyslog contains proper directives:

/var/log/syslog
{
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

If issues persist:

  • Check rsyslog process status: ps aux | grep rsyslog
  • Verify permissions: ls -la /var/log/syslog
  • Inspect logrotate debug output: add -d flag

When attempting to manually rotate /var/log/syslog using:

sudo logrotate -f /var/log/syslog

You might encounter errors like:

error: syslog:1 unknown option 'May' -- ignoring line
error: syslog:1 unexpected text

The logrotate -f command expects a configuration file, not the log file itself. The errors occur because it tries to interpret your log file as a configuration file.

Method 1: Using rsyslog's Built-in Rotation

Send a HUP signal to rsyslogd:

sudo kill -HUP $(cat /var/run/rsyslogd.pid)

Or using systemd:

sudo systemctl kill -s HUP rsyslog.service

Method 2: Using Logrotate Correctly

Create or modify the logrotate configuration (typically at /etc/logrotate.d/rsyslog):

/var/log/syslog
{
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

Then run:

sudo logrotate -f /etc/logrotate.d/rsyslog

Method 3: Manual Rotation

For immediate rotation without keeping old logs:

sudo truncate -s 0 /var/log/syslog
sudo systemctl restart rsyslog
  • Always ensure you have proper permissions (use sudo)
  • Consider making backups before major log operations
  • On some systems, the pid file might be at /run/rsyslogd.pid