newsyslog – telling it not to compress, for anything

In this post, I’m going to show you how I told FreeBSD’s newsyslog to ignore any compression directives and just rotate the file. I will also speculate about some historical items which may be wildly incorrect. If you wish to correct any inaccuracies, I will update them here.

In this post:

  • FreeBSD 15
  • wild speculation as to how logging, newsyslog, and compression evolved
  • many paragraphs which aren’t related, but you may find interesting, so skip to the end if in a hurry

Way back when…

Logging is good. Log files fill up. Disk space was expensive. Let’s rotate them away. And newsyslog was born.

I know how we can save more disk space! Compress the rotated files. Nobody writes to them. We can save space!

Let’s add this new algorithm for compression, it’ll be faster and save even more space!

I enjoy how new features come in to meet preferences and optimizations. This post talks about one such change.

Then ZFS came along

One of the fantastic ZFS features is filesystem compression. With modern CPUs and drives, it is faster to read and decompress the data from disk than it is to just read uncompressed data from disk. The throughput is faster.

FYI, I recently decided to use zstd compression over the default lz4 compression.

newsyslog compression

This is a typical log rotation scenario:

[12:19 nagios04 dvl ~] % ls -l /var/log/messages*
-rw-r--r--  1 root wheel 414580 2026.05.10 11:35 /var/log/messages
-rw-r--r--  1 root wheel  38164 2026.04.28 14:00 /var/log/messages.0.bz2
-rw-r--r--  1 root wheel  48391 2026.03.18 17:00 /var/log/messages.1.bz2
[12:19 nagios04 dvl ~] % 

That rotation and compression is controlled here:

[12:19 nagios04 dvl ~] % grep messages /etc/newsyslog.conf
# contents of maillog, messages, and lpd-errs to be confidential.  In the
/var/log/messages			644  5	   1000	@0101T JC

See man 8 newsyslog.conf for detail.

The J flag marks the file for bzip2 compression, which is why you see the bz2 suffix.

The duplication of effort

In the above situation, ZFS is compressing the data on-the-fly. Then newsyslog comes along and compresses it at the file-contents level. ZFS then can’t do much about compressing the already-compressed data.

A goal: don’t do that. Just let ZFS compress the data. It will be much better at it.

Reviewing logs

From time to time, I review logs, looking for something that happened.

Here’s an example, taken from command history, from FreshPorts. In this output, I’m counting the number of web requests per day over the last two weeks (plus today). The logs are rotated daily. First, I sort those logs by date, then do the line count.

[12:26 aws-1 dvl ~] % sudo wc -l $(ls -t /jails/nginx01/var/log/nginx/freshports.org-access.log*)
  186365 /jails/nginx01/var/log/nginx/freshports.org-access.log
  530253 /jails/nginx01/var/log/nginx/freshports.org-access.log.0
  681046 /jails/nginx01/var/log/nginx/freshports.org-access.log.1
  992448 /jails/nginx01/var/log/nginx/freshports.org-access.log.2
 1131488 /jails/nginx01/var/log/nginx/freshports.org-access.log.3
  451385 /jails/nginx01/var/log/nginx/freshports.org-access.log.4
  418666 /jails/nginx01/var/log/nginx/freshports.org-access.log.5
 1622017 /jails/nginx01/var/log/nginx/freshports.org-access.log.6
 1830966 /jails/nginx01/var/log/nginx/freshports.org-access.log.7
 3387571 /jails/nginx01/var/log/nginx/freshports.org-access.log.8
  761097 /jails/nginx01/var/log/nginx/freshports.org-access.log.9
  712777 /jails/nginx01/var/log/nginx/freshports.org-access.log.10
 1054190 /jails/nginx01/var/log/nginx/freshports.org-access.log.11
  778871 /jails/nginx01/var/log/nginx/freshports.org-access.log.12
  435143 /jails/nginx01/var/log/nginx/freshports.org-access.log.13
 14974283 total
[12:27 aws-1 dvl ~] % date
Sun May 10 12:27:20 UTC 2026

If these files are .bz2 files, this little command will be more complicated.

I don’t even want to show that one.

What to do about it

As you can see, the logs above are not compressed. It is controlled by a configuration file I created:

[12:32 aws-1 dvl ~] % grep /var/log/nginx/freshports.org-access.log  /jails/nginx01/usr/local/etc/newsyslog.conf.d/freshports-www.conf
/var/log/nginx/freshports.org-access.log       www:logcheck            640 14  *   $D0  B

What about system log files?

I modified /etc/newsyslog.conf – see, no compression flags:

[12:31 aws-1 dvl ~] % grep J /etc/newsyslog.conf
[12:31 aws-1 dvl ~] % 

Which gives logs like this:

[12:32 aws-1 dvl ~] % ls -l /var/log/messages*
-rw-r--r--  1 root wheel  786212 2026.05.10 12:20 /var/log/messages
-rw-r--r--  1 root wheel 1056498 2026.05.01 03:00 /var/log/messages.0
-rw-r--r--  1 root wheel 1023425 2026.04.20 15:00 /var/log/messages.1
-rw-r--r--  1 root wheel 1023835 2026.03.14 14:00 /var/log/messages.2
-rw-r--r--  1 root wheel 1023533 2026.02.09 20:00 /var/log/messages.3
-rw-r--r--  1 root wheel  644428 2026.01.01 00:00 /var/log/messages.4

A great solution. It works. It works well. Until.

Oh, what about upgrades

Modifying system-provided configuration files such as /etc/newsyslog.conf adds a complication to upgrades – merging in changes from the new release.

For one line, no big deal, however there are 15 lines with compression settings in a standard /etc/newsyslog.conf – I know I’m going to miss something. I’d rather avoid that extra work.

Tell the system not to compress rotated log files

This section provides a historical overview of how this new feature came about.

Most of these links are to reviews.freebsd.org.

On Dec 7 2023, Do not compress log files was created:

With ZFS now widely used and the default install doing compression, we no
longer have to compress log files to save space.

This is a quality-of-life fix, mainly to make it easier to search all logs
with the same command. e.g. you don’t have to use bzgrep.

It included a newsyslog.conf file without the J option. This proposal was rightly rejected because, amongst other things, it ignored all the non-ZFS users and those ZFS users not using compression (long may their reads last).

That review was abandoned in favor of newsyslog(8): Add option to globally override compression method. That idea was preferred (at least by me) because it was one switch, and did not modify the configuration file. In short, it was a -c option added to newsyslog.

Later, newsyslog(8): Add support of specifying compression method in configuration file was proposed. This is what was eventually adopted and included into FreeBSD on Dec 23 2023 and the -c option was removed.

My thanks to Xin LI (delphij) for the work on this feature. I’m only just now coming to use it.

How I’m using it

Yesterday I started looking at my existing newsyslog.conf files and reconciling all my local changes. On one host (with 34 jails), I found 8 different versions of that file. I’m sure most of these are very subtle changes.

I started by going back to the original file (https://cgit.freebsd.org/src/plain/usr.sbin/newsyslog/newsyslog.conf?h=releng/15.0) and comparing. On some hosts, lines had disappeared, presumably unintentionally omitted during the manual merge process during an upgrade. After some work on spaces vs tabs, a different value in the size column, and some owner:group issues, I had what I called my standard newsyslog.conf file. Then I added <compress> none to the top of the file.

I copied that file to several hosts and waited for rotation to proceed naturally.

Here’s an example, from dev.freshports.org:

[13:19 dev-nginx01 dvl ~] % ls -l /etc/newsyslog.conf    
-rw-r-----  1 root wheel 1744 2026.05.09 13:34 /etc/newsyslog.conf
[13:19 dev-nginx01 dvl ~] % ls -l /var/log/auth.log*
-rw-r-----  1 root logcheck     91939 2026.05.10 13:18 /var/log/auth.log
-rw-r-----  1 root logcheck    103518 2026.05.10 08:00 /var/log/auth.log.0
-rw-r-----  1 root logcheck    103476 2026.05.10 02:00 /var/log/auth.log.1
-rw-r-----  1 root logcheck    103521 2026.05.09 20:00 /var/log/auth.log.2
-rw-r-----  1 root logcheck 238717891 2026.05.09 14:00 /var/log/auth.log.3
-rw-r-----  1 root logcheck      4437 2024.06.28 19:00 /var/log/auth.log.4.bz2
-rw-r-----  1 root logcheck      4505 2024.06.28 10:00 /var/log/auth.log.5.bz2
-rw-r-----  1 root logcheck      4711 2024.06.28 01:00 /var/log/auth.log.6.bz2

That’s a huge .3 log file.. oh I see now, I wasn’t rotating that file for nearly two years. I’m sure that was a missing entry from the configuration file, and recently fixed.

The points being:

  1. the log files are not compressed
  2. the new directive is working as expected

The file I’m using

This is the file I’m using on that host:

[13:20 dev-nginx01 dvl ~] % cat /etc/newsyslog.conf
<compress> none

# configuration file for newsyslog
#
# Entries which do not specify the '/pid_file' field will cause the
# syslogd process to be signalled when that log file is rotated.  This
# action is only appropriate for log files which are written to by the
# syslogd process (ie, files listed in /etc/syslog.conf).  If there
# is no process which needs to be signalled when a given log file is
# rotated, then the entry for that file should include the 'N' flag.
#
# Note: some sites will want to select more restrictive protections than the
# defaults.  In particular, it may be desirable to switch many of the 644
# entries to 640 or 600.  For example, some sites will consider the
# contents of maillog, messages, and lpd-errs to be confidential.  In the
# future, these defaults may change to more conservative ones.
#
# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
/var/log/all.log			600  7	   *	@T00  J
/var/log/auth.log	root:logcheck	640  7     100  @0101T JC
/var/log/console.log			600  5	   1000	*     J
/var/log/cron				600  3	   1000	*     JC
/var/log/daemon.log			644  5	   1000	@0101T JC
/var/log/daily.log			640  7	   *	@T00  JN
/var/log/debug.log			600  7	   1000 *     JC
/var/log/devd.log			644  3	   1000	*     JC
/var/log/init.log			644  3	   1000	*     J
/var/log/kerberos.log			600  7	   1000	*     J
/var/log/maillog	root:logcheck	640  7     *    @T00   JC
/var/log/messages			644  5	   1000	@0101T JC
/var/log/monthly.log			640  12	   *	$M1D0 JN
/var/log/security			600  10	   1000	*     JC
/var/log/utx.log			644  3	   *	@01T05 B
/var/log/weekly.log			640  5	   *	$W6D0 JN

<include> /etc/newsyslog.conf.d/[!.]*.conf
<include> /usr/local/etc/newsyslog.conf.d/[!.]*.conf

For comparison, this is a diff against the original file from FreeBSD 15.0.

The changes are:

  1. added the compression directive
  2. the auth.log owner:group specification and size are different (size will probably be updated to match 15.0)
  3. the maillog owner:group specifications are different

In short, I’ve added compress and some chown stuff.

[13:23 dev-nginx01 dvl ~] % diff -ruN ~/newsyslog.conf.from.15.0 /etc/newsyslog.conf 
--- /usr/home/dvl/newsyslog.conf.from.15.0	2026-05-10 13:24:38.106872000 +0000
+++ /etc/newsyslog.conf	2026-05-09 13:34:35.022623000 +0000
@@ -1,3 +1,5 @@
+ none
+
 # configuration file for newsyslog
 #
 # Entries which do not specify the '/pid_file' field will cause the
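Review bot: The first added line reads "+ none", with no directive keyword in front of it, while the file listing earlier in the post shows "<compress> none" as line 1 of /etc/newsyslog.conf. As displayed, this hunk does not reproduce that file; the angle-bracketed keyword appears to have been dropped when the diff was published, so escape it when posting the diff.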
@@ -15,7 +17,7 @@
 #
 # logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
 /var/log/all.log			600  7	   *	@T00  J
-/var/log/auth.log			600  7	   1000 @0101T JC
+/var/log/auth.log	root:logcheck	640  7     100  @0101T JC
 /var/log/console.log			600  5	   1000	*     J
 /var/log/cron				600  3	   1000	*     JC
 /var/log/daemon.log			644  5	   1000	@0101T JC
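Review bot: On the replacement auth.log line the size column drops from 1000 to 100 while count stays at 7, so size-triggered rotation comes ten times sooner and the retained authentication history shrinks accordingly; restore 1000 to match 15.0 unless the shorter window is intended. The same line also loosens the mode from 600 to 640 for group logcheck, which deserves a comment in the file so a later merge against the release version does not silently revert it.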
@@ -24,7 +26,7 @@
 /var/log/devd.log			644  3	   1000	*     JC
 /var/log/init.log			644  3	   1000	*     J
 /var/log/kerberos.log			600  7	   1000	*     J
-/var/log/maillog			640  7	   *	@T00  JC
+/var/log/maillog	root:logcheck	640  7     *    @T00   JC
 /var/log/messages			644  5	   1000	@0101T JC
 /var/log/monthly.log			640  12	   *	$M1D0 JN
 /var/log/security			600  10	   1000	*     JC
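Review bot: The replacement maillog line separates its columns with spaces where the neighbouring lines use tabs, and it has an extra space before JC, so the line differs from the release file in more than the root:logcheck field. Re-align it with tabs so that future diffs against the 15.0 file show only the owner:group addition.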

What’s left for me to do

I will roll this out to all my hosts/jails soon. It is implemented on many of them now.
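
A check that fits the rollout described above, as an added example that is not part of the original post: it reads one newsyslog.conf, reports the global <compress> setting, and lists the entries whose flags (J, X, Y or Z) request compression. The function names are hypothetical, the sample config is constructed from entries in the listing above, and the parser assumes whitespace-separated columns with an optional owner:group field.

```shell
#!/bin/sh
# Added example (not from the post): audit one newsyslog.conf.

# Print "compress=<method>" ("unset" if there is no <compress> line), then
# "<flags> <logfile>" for every entry whose flags request compression.
audit_newsyslog() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }              # blank lines, comments
        $1 == "<compress>"   { method = $2; next } # global override
        $1 ~ /^</            { next }              # <include> and similar
        {
            # owner:group is optional; when present, flags move from
            # field 6 to field 7. A field starting with / is a pid file.
            f = ($2 ~ /:/) ? 7 : 6
            if (NF >= f && $f !~ /^\// && $f ~ /[JXYZ]/)
                hits[++n] = $f " " $1
        }
        END {
            print "compress=" (method == "" ? "unset" : method)
            for (i = 1; i <= n; i++) print hits[i]
        }
    ' "$1"
}

# Succeeds when rotated logs stay uncompressed: the file sets
# "<compress> none", or no entry carries a compression flag.
stays_uncompressed() {
    out=$(audit_newsyslog "$1") || return 2
    [ "$(printf '%s\n' "$out" | head -n 1)" = "compress=none" ] && return 0
    ! printf '%s\n' "$out" | sed 1d | grep -q .
}

# Constructed sample: three entries copied from the listing in this post.
write_sample() {
    cat > "$1" <<'EOF'
<compress> none
# logfilename [owner:group] mode count size when flags
/var/log/auth.log   root:logcheck  640  7  100   @0101T JC
/var/log/messages                  644  5  1000  @0101T JC
/var/log/utx.log                   644  3  *     @01T05 B
<include> /etc/newsyslog.conf.d/[!.]*.conf
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_newsyslog "$sample"
stays_uncompressed "$sample" && echo "no compression on rotation"
rm -f "$sample"
```

Pointing stays_uncompressed at each jail's copy of the file gives a quick list of the hosts still waiting for the directive.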
