Logrotate - A Rotating Helper for Archiving Logs
Log files are useful when you need to keep track of changes or errors on your server for tracking and troubleshooting purposes. However, if left unchecked, they can grow quite large, taking up lots of disk space and slowing down the process of backing up or resizing a virtual server. This can also make it more challenging to extract data and perform log analysis. When this happens, you have two options: archive the files somewhere else or set up log rotation with tools like logrotate.
What is logrotate?
Logrotate is a Linux utility that allows you to manage logs on a system. It's configured with one or more files in /etc/logrotate.d, each of which contains directives for what should be done with the log file it matches, based on the filename (globbing patterns are also supported).
The most important directive is rotate, which specifies how many times a log file should be kept around. This defaults to one, which means the logs will continue to grow until they fill up your disk and crash the server (not good).
Other directives include size for the maximum size of each rotated file; weekly or monthly time intervals; compression; deletion of old files; rotation by volume (i.e., unlimited logs for a given device or mount point); and more.
How does logrotate work?
Logrotate is run by cron, which means you need to install the package if it's not already present on your system. You can run logrotate manually without cron using a custom schedule, but this is not as common.
Logrotate runs as a service or daemon, so there's no need to worry about starting it yourself. Since it runs on a schedule (usually daily), it will run at the appropriate time and take care of your logs for you. There are several different implementations of cron available, including vixie-cron, dcron, fcron, and more.
Logrotate.conf
Logrotate's main configuration file is located at /etc/logrotate.conf. This file contains the default settings for all of your logrotate configurations. You can override these defaults on a per-configuration basis by creating files in /etc/logrotate.d, but this is usually unnecessary unless you need to use different options for specific logs or directories within the same service (e.g., rotating Apache logs differently from Nginx logs).
Logrotate.d
The "ls /etc/logrotate.d" command is used to see what files are managed by logrotate in application-specific settings. Every file in /etc/logrotate.d, which does not begin with a period, is treated as a configuration file that should be read and processed according to the directives contained within (the .conf portion of the filename). You can also use wildcards, like *.conf or *.weekly, to apply settings to multiple files.
Logrotate Configuration Examples
Here are some examples of common log rotation configurations: Rotating the Apache error log every 12 hours, keeping a maximum of 30 days worth of logs around at any given time (you could also use size=50M if you want to limit each file's size instead):
/etc/logrotate.d/apache-error
/var/log/apache*/access*.log {
missingok
notifempty
sharedscripts
copytruncate
rotate 12
daily
compress
delaycompress
maxage 30
postrotate if [ ! -f /usr/bin/systemctl ]; then ln -s ../init.d/*.service /usr/lib/systemd/system; fi
endscript
}
This same configuration could also be applied to any number of logs with different names by using globbing patterns, like so: /etc/logrotate.d/name*-error*
The Nginx web server log is rotated every hour (as opposed to Apache's default behavior of rotating per request):
/etc/logrotate.d/nginx-error
/var/log/*error*.log {
weekly
missingok
notifempty
sharedscripts
delaycompress
create 640 root adm
postrotate if [ -f /usr/bin/systemctl ]; then ln -s ../init.d/*.service /usr/lib/systemd/system; fi
endscript
}
Find more logrotate configuration examples here.
Common logrotate commands and functionalities
While there are many logrotate directives, here are some of the most common ones and what they mean:
Compress
Old files are compressed with gzip by default, but you can also use bzip compression (bz) or lzma/xz compression (lzma).
Copytruncate
Copies the old log file to a new one and then truncates it. This prevents having long gaps in your logs if something goes wrong during a rotation.
Daily
Rotates the log files once a day. You can also use weekly or monthly modes if you would rather have your logs rotated less frequently than daily, which might be helpful to save on system resources and I/O.
Delaycompress
Instructs logrotate to wait until the next run to compress old files, which is helpful if you want a fresh gzip-compressed copy of your logs from the previous day or week.
Delete
Deletes the old log file after copying it over to a new one, but only if the copy process works successfully. This is generally considered safer than truncate since you won't end up with any broken (uncompressed) files in your logs directory; however, use this with caution because it means that failed log rotations will result in losing the entire contents of your log file.
Extension (ext)
Log files with "ext" in their name are given the specified extension after rotation, which can be helpful if you want to keep rotated files with some sort of timestamp appended.
Forceolddir (forceolddir)
By default, logrotate will only use new directories for creating the next set of rotated logs; this prevents having really messy directory structures full of archived logs. However, if you enable forceolddir (no-olddir), then logrotate will use the old directory even for new files (if it exists).
Maxage
Removes logs older than the specified number of days.
Maxsize
This limits each log file's size to the specified number of bytes. If you use this directive, then be sure that your logrotate config file is set up with maxage as well. Otherwise, files will never get rotated since they've already reached their maximum size.
Minsize
Similar to maxsize but rotates the logs if it detects the new one is smaller than the previous one. This is generally used with postrotate/endscript to check whether or not a log can be safely rotated before actually doing so.
Monthly
Rotates files once per month on whatever day you specify (the first will be relative to whichever day it is that logrotate runs). You could also use "daily" instead of "monthly" and any measurement of time.
Postrotate
This is a command that runs after the logs have been rotated. You can use it to restart services or reload configurations automatically without having to do it manually from inside your web server's configuration files. The endscript directive marks the end of any postrotate commands and indicates when logrotate should resume processing.
Rotate
This directive will rotate a log file even if it isn't being accessed by any process, which you typically want for your logs. If multiple processes are accessing the same log at once, then this can cause problems with data integrity and security so be sure to use one of the "inactive" directives if you want to ensure that your logs are only rotated when no process is using them.
Size (size)
Limits the size of each log file like maxsize does, but without having to specify a maximum age as well; however, it will still rotate files regardless of whether or not they're active.
Tabooext
Prevents specific file extensions from being rotated. This is useful if you want to keep logs in a directory but don't necessarily need them all rotated like the rest of your log files (for example, development or backup logs, which get accessed more frequently). The list can include any number of file extension possibilities; just put each one on its own line.
What happens to my logs when logrotate runs?
Logrotate will rotate the files it manages, which means they'll be renamed with a letter at the end indicating their place in line: the new file is named filename.0, then filename.n (where n is an integer). If your log is still running, the old file will instead be compressed and saved with a .gz extension. As far as your application or server is concerned, nothing has changed other than perhaps some temporary files disappearing (rest assured, these should reappear shortly). The only visible change to syslog or other logging tools should be that logs roll over more frequently. Logrotate will only rotate a log when the current state of that log is at max size, so you should not see massive amounts of old logs piling up.
Summary
As you can see, for something that quietly runs in the background and requires only a few simple config files, logrotate is surprisingly powerful. This guide just barely scratches the surface of what can be done with this utility.
Logs are essential when it comes to diagnosing problems within your server, so it's always advisable to have them rotating, so you don't lose critical data in the event of a crash. With logrotate, you can do this easily and automatically, even with custom rules based on your own needs. Most importantly, however, it can help you keep things under control.