The Linux operating system consists of many different components. Many of them log their activity directly or indirectly into log files. Over time those log files grow and would eventually fill up the disk if there wasn’t a utility like logrotate. With logrotate in place, the log files are rotated to avoid them filling up the disk. When new programs are installed, it might be necessary to extend the logrotate configuration to include the new log files.
Most, if not all, modern Linux distributions come pre-configured with logrotate. Logrotate is an important little utility. It is started via cron at regular intervals to check for log files to be rotated. As simple as it sounds, logrotate provides a lot of control over the generated log files.
Installing a modern distribution will also install logrotate with a default set of rules to rotate all the log files generated by the Linux distribution. The configuration differs from distribution to distribution due to different log file names or locations. The examples below mostly use RHEL/CentOS directory and file names.
The logrotate configuration
Logrotate is called via cron and requires at least one argument, the config file. In most distributions this configuration file can be found as “/etc/logrotate.conf”. This configuration file contains the general configuration of the logrotate utility.
$ cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
The configuration of logrotate contains a few types of configuration items which I like to group like this.
Interval – Settings that define how often or when a log file is rotated, based on time or size. “daily”, “weekly” and “monthly” define the time interval. “minsize 1M” sets a minimum size the log file must reach before logrotate rotates it at the end of its time interval (“daily”, for example). While “minsize” works in addition to the time interval, the “size” option is an alternative to it: the log file is rotated on the next logrotate run once it has reached the given size, independent of any time interval.
Rotate method – Controls how the rotation is performed. The “copytruncate” option first creates a copy of the log file and then truncates the original, so the daemon can continue to log without being notified about the rotation.
Log handling – Settings that define how logrotate handles the rotated logs. “rotate 4”, for example, keeps 4 old rotated log files before they are deleted. “dateext” adds the date to the file name of the rotated log.
Post processing – Settings that define what happens after the log file has been rotated: whether it is compressed (“compress”), either immediately or delayed (“delaycompress”), and whether a new log file is created (“create”). The “postrotate” script is an important step here, as it notifies the daemon writing to the file that its log files have been rotated.
There are also settings that control other aspects of logrotate, such as “missingok”, which lets logrotate continue without an error if a listed file is missing. The “include” option allows you to structure the settings by including more configuration files.
It has become good practice to provide a daemon’s logrotate configuration via the package (rpm, deb, …) in a separate file and store it in the included path. This way each program can provide its own logrotate configuration in a clean way.
Of course there are more possible settings than shown in the example. To get a full list of settings and their options, check the logrotate(8) man page.
Add logrotate configuration
The following example shows how to add two additional log files to logrotate. The file list also allows the use of patterns to match the log files. For details on this, check the logrotate(8) man page.
/var/log/some.log /var/log/daemon/daemon.log {
    missingok
    daily
    dateext
    compress
    nodelaycompress
    nocreate
    rotate 4
    sharedscripts
    postrotate
        /etc/init.d/daemon restart || true
    endscript
}
The above configuration should be stored in the included “/etc/logrotate.d” directory in a file usually named after the program / daemon writing the log-files.
Logrotate will check for the two listed log files and will not fail with an error if one or both of them are missing (missingok). The files will be rotated “daily” and compressed (compress) immediately (nodelaycompress), and 4 rotated log files will be kept before they are deleted. The “nocreate” option instructs logrotate not to create a new log file after rotating the old one away.
The section between “postrotate” and “endscript” is a shell script which will be executed for each rotated log file. The “sharedscripts” option is used to trigger the postrotate script only once for all the log files listed in this section.
In the above example, the postrotate section restarts the daemon to trigger the log-files to be reopened by the daemon.
There is more
Beyond this introduction, logrotate has many more settings that let you control further features, such as shredding log files instead of simply deleting them, sending logs via email, more time intervals, exclude lists for file extensions, and more. The logrotate(8) man page explains them all in detail.
Testing the configuration
As always when the configuration is changed, the changes should be tested to make sure that a typo or any other mistake does not cause unexpected behavior. To do this, execute the following command.
$ logrotate -d /etc/logrotate.conf
reading config file /etc/logrotate.conf
including /etc/logrotate.d
reading config file dracut
reading config info for /var/log/dracut.log
reading config file syslog
reading config info for /var/log/cron /var/log/maillog /var/log/messages /var/log/secure /var/log/spooler
reading config file yum
reading config info for /var/log/yum.log
reading config info for /var/log/wtmp
reading config info for /var/log/btmp

Handling 9 logs

rotating pattern: /var/log/dracut.log 1048576 bytes (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/dracut.log
  log does not need rotating

rotating pattern: /var/log/cron /var/log/maillog /var/log/messages /var/log/secure /var/log/spooler weekly (4 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/cron
  log does not need rotating
considering log /var/log/maillog
  log does not need rotating
considering log /var/log/messages
  log does not need rotating
considering log /var/log/secure
  log does not need rotating
considering log /var/log/spooler
  log does not need rotating
not running postrotate script, since no logs were rotated

rotating pattern: /var/log/yum.log yearly (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/yum.log
  log does not need rotating

rotating pattern: /var/log/wtmp monthly (1 rotations)
empty log files are rotated, only log files >= 1048576 bytes are rotated, old logs are removed
considering log /var/log/wtmp
  log does not need rotating

rotating pattern: /var/log/btmp monthly (1 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/btmp
  log does not need rotating
The above is an example of a logrotate run with the “-d” option, which enables debug mode. In this mode logrotate will read all configuration and check all log files. Logrotate will report all details (implicitly -v option) but will not actually rotate any log files. This allows you to check the configuration for syntax errors as well as checking its behavior with the newly added configuration.
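The debug output gets long on a system with many drop-in files, so a configuration error is easy to overlook. The following script is an added example, not part of the original post: it condenses the dry-run output into one line per log file and returns a non-zero status when an error was reported. The function names, the sample output, the wording of the "error:" line and the "log needs rotating" line are assumptions made for this example.

```shell
#!/bin/sh
# Added example: condense `logrotate -d` dry-run output into one line per log
# and fail (exit status 1) when logrotate reported a configuration error.
# Real use: logrotate -d /etc/logrotate.conf 2>&1 | summarize_dry_run

summarize_dry_run() {
    awk '
        # Configuration problems are reported on lines starting with "error:".
        /^error:/ { errors++; print "ERROR", $0; next }
        # Remember which log file the following decision line belongs to.
        /^considering log / {
            path = $0; sub(/^considering log /, "", path); next
        }
        # Assumed wording for a log that is due; the page itself only shows
        # the "does not need rotating" case.
        /^[ \t]*log needs rotating/         { rotate++; print "rotate", path; next }
        /^[ \t]*log does not need rotating/ { keep++;   print "keep", path;   next }
        END {
            printf "summary rotate=%d keep=%d errors=%d\n", rotate, keep, errors
            exit (errors > 0)
        }
    '
}

# Constructed sample: a dry run of the two-file configuration from this page,
# with a misspelled option in the drop-in file (hypothetically named "daemon").
sample_output() {
    cat <<'EOF'
reading config file /etc/logrotate.conf
including /etc/logrotate.d
reading config file daemon
error: daemon:6 unknown option 'nodelaycompres' -- ignoring line
reading config info for /var/log/some.log /var/log/daemon/daemon.log

Handling 2 logs

rotating pattern: /var/log/some.log /var/log/daemon/daemon.log after 1 days (4 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/some.log
  log needs rotating
considering log /var/log/daemon/daemon.log
  log does not need rotating
EOF
}

sample_output | summarize_dry_run || echo "dry run reported errors: fix before deploying"
```

Because the function's exit status reflects errors only, it can gate a deployment step: a log that is simply due for rotation does not make the check fail.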
Read more of my posts on my blog at https://blog.tinned-software.net/.