Tuesday, July 28, 2015

Find and Locate to search files in Linux System

Finding by Name
The most obvious way of searching for files is by name.

         find -name "query"

This will be case sensitive, meaning a search for "file" is different than a search for "File".

To find a file by name, but ignore the case of the query, type:

          find -iname "query"

If you want to find all files that don't adhere to a specific pattern, you can invert the search with "-not" or "!". If you use "!", you must escape the character so that bash does not try to interpret it before find can act:

          find -not -name "query_to_avoid"

Or

          find \! -name "query_to_avoid"

Finding by Type
You can specify the type of files you want to find with the "-type" parameter. It works like this:

          find -type type_descriptor query

Some of the most common descriptors that you can use to specify the type of file are here:

           f: regular file

           d: directory

           l: symbolic link

           c: character devices

           b: block devices

For instance, if we wanted to find all of the character devices on our system, we could issue this command:

find / -type c
/dev/parport0
/dev/snd/seq
/dev/snd/timer
/dev/autofs
/dev/cpu/microcode
/dev/vcsa7
/dev/vcs7
/dev/vcsa6
/dev/vcs6
/dev/vcsa5
/dev/vcs5
/dev/vcsa4
. . .
We can search for all files that end in ".conf" like this:

        find / -type f -name "*.conf"

/var/lib/ucf/cache/:etc:rsyslog.d:50-default.conf
/usr/share/base-files/nsswitch.conf
/usr/share/initramfs-tools/event-driven/upstart-jobs/mountall.conf
/usr/share/rsyslog/50-default.conf
/usr/share/adduser/adduser.conf
/usr/share/davfs2/davfs2.conf
/usr/share/debconf/debconf.conf
/usr/share/doc/apt-utils/examples/apt-ftparchive.conf
. . .

Filtering by Time and Size
Find gives you a variety of ways to filter results by size and time.

by Size

You can filter by size with the use of the "-size" parameter.

We add a suffix on the end of our value that specifies how we are counting. These are some popular options:

c: bytes

k: Kilobytes

M: Megabytes

G: Gigabytes

b: 512-byte blocks

To find all files that are exactly 50 bytes, type:
find / -size 50c

To find all files less than 50 bytes, we can use this form instead:
find / -size -50c

To Find all files more than 700 Megabytes, we can use this command:

find / -size +700M


By Time

Linux stores time data about access times, modification times, and change times.

Access Time: Last time a file was read or written to.

Modification Time: Last time the contents of the file were modified.

Change Time: Last time the file's inode meta-data was changed.

We can use these with the "-atime", "-mtime", and "-ctime" parameters. These can use the plus and minus symbols to specify greater than or less than, like we did with size.

The value of this parameter specifies how many days ago you'd like to search.

To find files that have a modification time of a day ago, type:

find / -mtime 1
If we want files that were accessed in less than a day ago, we can type:

find / -atime -1
To get files that last had their meta information changed more than 3 days ago, type:

find / -ctime +3
There are also some companion parameters we can use to specify minutes instead of days:

find / -mmin -1

This will give the files that have been modified type the system in the last minute.

Find can also do comparisons against a reference file and return those that are newer:

find / -newer myfile

Finding by Owner and Permissions
You can also search for files by the file owner or group owner.

You do this by using the "-user" and "-group" parameters respectively. Find a file that is owned by the "syslog" user by entering:

find / -user syslog

Similarly, we can specify files owned by the "shadow" group by typing:
find / -group shadow
We can also search for files with specific permissions.

If we want to match an exact set of permissions, we use this form:
find / -perm 644

This will match files with exactly the permissions specified.

If we want to specify anything with at least those permissions, you can use this form:
find / -perm -644

This will match any files that have additional permissions. A file with permissions of "744" would be matched in this instance.

Filtering by Depth
For this section, we will create a directory structure in a temporary directory. It will contain three levels of directories, with ten directories at the first level. Each directory (including the temp directory) will contain ten files and ten subdirectories.

Make this structure by issuing the following commands:

cd
mkdir -p ~/test/level1dir{1..10}/level2dir{1..10}/level3dir{1..10}
touch ~/test/{file{1..10},level1dir{1..10}/{file{1..10},level2dir{1..10}/{file{1..10},level3dir{1..10}/file{1..10}}}}
cd ~/test
Feel free to check out the directory structures with ls and cd to get a handle on how things are organized. When you are finished, return to the test directory:

cd ~/test
We will work on how to return specific files from this structure. Let's try an example with just a regular name search first, for comparison:

find -name file1
./level1dir7/level2dir8/level3dir9/file1
./level1dir7/level2dir8/level3dir3/file1
./level1dir7/level2dir8/level3dir4/file1
./level1dir7/level2dir8/level3dir1/file1
./level1dir7/level2dir8/level3dir8/file1
./level1dir7/level2dir8/level3dir7/file1
./level1dir7/level2dir8/level3dir2/file1
./level1dir7/level2dir8/level3dir6/file1
./level1dir7/level2dir8/level3dir5/file1
./level1dir7/level2dir8/file1
. . .
There are a lot of results. If we pipe the output into a counter, we can see that there are 1111 total results:

find -name file1 | wc -l
1111
This is probably too many results to be useful to you in most circumstances. Let's try to narrow it down.

You can specify the maximum depth of the search under the top-level search directory:

find -maxdepth num -name query

To find "file1" only in the "level1" directories and above, you can specify a max depth of 2 (1 for the top-level directory, and 1 for the level1 directories):

find -maxdepth 2 -name file1
./level1dir7/file1
./level1dir1/file1
./level1dir3/file1
./level1dir8/file1
./level1dir6/file1
./file1
./level1dir2/file1
./level1dir9/file1
./level1dir4/file1
./level1dir5/file1
./level1dir10/file1
That is a much more manageable list.

You can also specify a minimum directory if you know that all of the files exist past a certain point under the current directory:

find -mindepth num -name query
We can use this to find only the files at the end of the directory branches:

find -mindepth 4 -name file
./level1dir7/level2dir8/level3dir9/file1
./level1dir7/level2dir8/level3dir3/file1
./level1dir7/level2dir8/level3dir4/file1
./level1dir7/level2dir8/level3dir1/file1
./level1dir7/level2dir8/level3dir8/file1
./level1dir7/level2dir8/level3dir7/file1
./level1dir7/level2dir8/level3dir2/file1
. . .
Again, because of our branching directory structure, this will return a large number of results (1000).

You can combine the min and max depth parameters to focus in on a narrow range:

find -mindepth 2 -maxdepth 3 -name file
./level1dir7/level2dir8/file1
./level1dir7/level2dir5/file1
./level1dir7/level2dir7/file1
./level1dir7/level2dir2/file1
./level1dir7/level2dir10/file1
./level1dir7/level2dir6/file1
./level1dir7/level2dir3/file1
./level1dir7/level2dir4/file1
./level1dir7/file1
. . .
Executing and Combining Find Commands
You can execute an arbitrary helper command on everything that find matches by using the "-exec" parameter. This is called like this:

find find_parameters -exec command_and_params {} \;
The "{}" is used as a placeholder for the files that find matches. The "\;" is used so that find knows where the command ends.

For instance, we could find the files in the previous section that had "644" permissions and modify them to have "664" permissions:

cd ~/test
find . -type f -perm 644 -exec chmod 664 {} \;
We could then change the directory permissions like this:

find . -type d -perm 755 -exec chmod 700 {} \;
If you want to chain different results together, you can use the "-and" or "-or" commands. The "-and" is assumed if omitted.

find . -name file1 -or -name file9 


Find Files Using Locate:
An alternative to using find is the locate command. This command is often quicker and can search the entire file system with ease.

You can install the command with apt-get:

sudo apt-get update
sudo apt-get install mlocate

The reason locate is faster than find is because it relies on a database of the files on the filesystem.

The database is usually updated once a day with a cron script, but you can update it manually by typing:

sudo updatedb
Run this command now. Remember, the database must always be up-to-date if you want to find recently acquired or created files.

To find files with locate, simply use this syntax:
locate query

You can filter the output in some ways.
For instance, to only return files containing the query itself, instead of returning every file that has the query in the directories leading to it, you can use the "-b" for only searching the "basename":

locate -b query

To have locate only return results that still exist in the filesystem (that were not remove between the last "updatedb" call and the current "locate" call), use the "-e" flag:

locate -e query

To see statistics about the information that locate has cataloged, use the "-S" option:
locate -S

Database /var/lib/mlocate/mlocate.db:
    3,315 directories
    37,228 files
    1,504,439 bytes in file names
    594,851 bytes used to store database

Monday, July 27, 2015

Tomcat log rotation

1. Create this file
/etc/logrotate.d/tomcat  

2. Copy the following contents into the above file

/oracle/mm/prod-tomcat-1/logs/catalina.out {  
 copytruncate  
 daily  
 rotate 7  
 compress  
 missingok  
 size 5M  
}  

About the above configuration:

Make sure that the path /oracle/mm/prod-tomcat-1/logs/catalina.out above is adjusted to point to your tomcat’s catalina.out

daily - rotates the catalina.out daily
rotate – keeps at most 7 log files
compress – compresses the rotated files
size – rotates if the size of catalina.out is bigger than 5M
copytruncate – truncates the original log file in place after creating a copy, instead of moving the old log file and optionally creating a new one, It can be used when some program can not be told to close its logfile and thus might continue writing (appending) to the previous log file forever. Note that there is a very small time slice between copying the file and truncating it, so some logging data might be lost. When this option is used, the create option will have no effect, as the old log file stays in place.

You don’t need to do anything else.

How it works:

Every night the cron daemon runs jobs listed in the /etc/cron.daily/ directory
This triggers the /etc/cron.daily/logrotate file which is generally shipped with linux installations. It runs the command “/usr/sbin/logrotate /etc/logrotate.conf“
The /etc/logrotate.conf includes all scripts in the /etc/logrotate.d/ directory.
This triggers the /etc/logrotate.d/tomcat file that you wrote in the previous step.

Run logrotate manually

Run the following command to run the cron job manually:

/usr/sbin/logrotate /etc/logrotate.conf  

Is it completely safe?

See the description of copytruncate method above. There is a slight chance of a small amount of logging data loss between copy and truncate steps, usually it is acceptable but sometimes its not.


More logrotate options

To see all logrotate options on your system, see the manual:

man logrotate