Logrotate is a powerful utility designed to manage and automate the rotation, compression, removal, and mailing of log files. This comprehensive guide covers all essential aspects of logrotate to help you effectively manage system logs.
- Basic Concepts
- Configuration Files
- Global Options
- Log File Definition Options
- Scripts Execution
- Compression Options
- Date Extension Options
- Include Directive
- Debugging and Testing
- Force Rotation
- State File
- Common Pitfalls
- Examples
- Best Practices
- References
- Rotation: Renaming a log file and creating a new one.
- Compression: Reducing the size of rotated log files.
- Retention: Keeping a specified number of old log files.
- Scripts: Commands executed before or after rotation.
- Main Configuration File: /etc/logrotate.conf
- Additional Configuration: Files in /etc/logrotate.d/ are included by default.
- Syntax: <path/to/logfile> { options }
Global options are set outside of any log file definition and apply to all logs unless overridden.
- frequency: daily, weekly, monthly, yearly
- rotate <count>: Number of times to rotate before deletion.
- compress: Compresses logs after rotation.
- nocompress: Does not compress logs.
- delaycompress: Compress logs on the next rotation cycle.
- create [mode owner group]: Creates a new log file with specified permissions.
- nocreate: Does not create a new log file after rotation.
- mail <address>: Emails the log file to the specified address.
- nomail: Does not email the log file.
- ifempty: Rotates the log file even if it's empty.
- notifempty: Does not rotate empty log files.
- missingok: Ignores missing log files without error.
- sharedscripts: Runs scripts once per group of logs.
- postrotate/endscript: Commands to execute after rotation.
These options are specified within a log file's braces {} and override global options.
- size <size>: Rotates if log file reaches specified size.
  - Units: bytes (default), k (kilobytes), M (megabytes), G (gigabytes).
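- minsize <size>: Rotates only if the log is larger than <size>, and not before the scheduled interval has passed.
- maxsize <size>: Rotates when the log is larger than <size>, even if the scheduled interval has not yet passed.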
- maxage <days>: Removes logs older than specified days.
- olddir <directory>: Moves rotated logs to specified directory.
- su <user group>: Rotates logs using specified user and group.
- copytruncate: Copies and truncates the original log file.
- nocopytruncate: Does not truncate the original log file.
- copy: Copies the log file instead of moving/truncating.
- nocopy: Default behavior; does not copy the log file.
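The difference between a plain schedule, minsize and maxsize is easiest to see over several runs. The following is an added example, not part of the original cheatsheet: a simplified model of the per-run decision as the logrotate man page words it, assuming logrotate runs once a day and treating the interval as elapsed days (the `Policy`, `should_rotate` and `simulate` names and the workload are constructed for illustration).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    interval_days: int              # 1 = daily, 7 = weekly (simplified to elapsed days)
    minsize: Optional[int] = None   # MB
    maxsize: Optional[int] = None   # MB

def should_rotate(p, size_mb, days_since_rotation):
    """Decision for one logrotate run, following the man page wording."""
    if p.maxsize is not None and size_mb > p.maxsize:
        return True                  # maxsize: rotate even before the interval has elapsed
    if days_since_rotation < p.interval_days:
        return False                 # interval not reached yet
    if p.minsize is not None and size_mb < p.minsize:
        return False                 # minsize: due by schedule, but still too small
    return True

def simulate(p, growth_mb_per_day):
    """Run the decision once a day; return (day, size_mb) for every rotation."""
    size = since = 0
    rotations = []
    for day, grown in enumerate(growth_mb_per_day, start=1):
        size, since = size + grown, since + 1
        if should_rotate(p, size, since):
            rotations.append((day, size))
            size = since = 0
    return rotations

# Constructed workload: a quiet week (5 MB/day) followed by a noisy week (40 MB/day).
GROWTH = [5] * 7 + [40] * 7

if __name__ == "__main__":
    for name, p in [("weekly", Policy(7)),
                    ("weekly + minsize 50M", Policy(7, minsize=50)),
                    ("weekly + maxsize 100M", Policy(7, maxsize=100))]:
        print(f"{name:24} {simulate(p, GROWTH)}")
```

Because logrotate only evaluates sizes when it is invoked, maxsize bounds a log to roughly the threshold plus whatever is written between two runs, which matters when sizing disk for audit or security logs.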
Scripts can be executed at different stages:
- prerotate/endscript: Executes before rotation.
- postrotate/endscript: Executes after rotation.
- firstaction/endscript: Executes once before any logs are rotated.
- lastaction/endscript: Executes once after all logs are rotated.
Example:
/var/log/example.log {
    weekly
    rotate 4
    postrotate
        systemctl reload example.service
    endscript
}
- compress: Compresses rotated logs using gzip by default.
- nocompress: Does not compress rotated logs.
- compresscmd <command>: Specifies a custom compression command.
- uncompresscmd <command>: Specifies a custom decompression command.
- compressoptions <options>: Options passed to the compression command.
- compressext <extension>: Sets custom extension for compressed files.
- dateext: Appends the date to rotated logs.
- dateformat <format>: Custom date format (used with dateext).
  - Format Specifiers:
    - %Y: Year (e.g., 2024)
    - %m: Month (01..12)
    - %d: Day (01..31)
    - %s: Seconds since epoch
Example:
dateext
dateformat -%Y-%m-%d
- include <file or directory>: Includes additional configuration files.
Example in /etc/logrotate.conf:
include /etc/logrotate.d
- Dry Run: Use -d to simulate actions without making changes.
  logrotate -d /etc/logrotate.conf
- Verbose Mode: Use -v for detailed output.
  logrotate -v /etc/logrotate.conf
- Check Configuration: Use -f to force rotation and test configurations.
- Use -f to force rotation regardless of rotation schedule.
  sudo logrotate -f /etc/logrotate.conf
- Default State File: /var/lib/logrotate/status
- Contains timestamps of last rotation.
- Custom State File: Use -s to specify a different state file.
  logrotate -s /path/to/statefile /etc/logrotate.conf
- Permissions: Ensure logrotate has appropriate permissions.
- Service Notification: Some services need to be reloaded after rotation.
- Copytruncate vs. Create: Choose based on application logging behavior.
- Script Errors: Verify scripts in prerotate and postrotate blocks.
/var/log/messages {
    rotate 5
    weekly
    postrotate
        systemctl reload rsyslog
    endscript
}

/var/log/secure {
    rotate 4
    weekly
    compress
    missingok
    notifempty
}

/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
    delaycompress
}

/var/log/myapp.log {
    size 50M
    rotate 7
    compress
}

/var/log/httpd/*.log {
    daily
    rotate 14
    missingok
    notifempty
    sharedscripts
    postrotate
        systemctl reload httpd
    endscript
}
- Test Configurations: Always use -d option before applying changes.
- Monitor Disk Space: Regularly check log sizes and disk usage.
- Service Compatibility: Ensure services support log rotation mechanisms.
- Consistent Naming: Use date extensions for easier log management.
- Security: Secure log files with appropriate permissions.
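The permission and retention points above can be checked mechanically before a configuration is deployed. The following is an added example, not part of the original cheatsheet: a small stanza parser and audit run over input constructed from this page's example stanzas. The 30-day threshold and all function names are assumptions, and options inherited from the global section are not resolved.

```python
# Constructed input based on this page's /var/log/secure and /var/log/wtmp examples.
SAMPLE = """\
/var/log/secure {
    rotate 4
    weekly
    compress
}
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
    delaycompress
}
"""
DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}
SCRIPTS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}
MIN_HISTORY_DAYS = 30  # hypothetical policy value, not a logrotate default

def parse_stanzas(text):
    """Map each log path pattern to {directive: [args]}; script bodies are skipped."""
    stanzas, current, in_script = {}, None, False
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if in_script:
            in_script = line != "endscript"
        elif line.endswith("{"):
            current = stanzas.setdefault(line[:-1].strip(), {})
        elif line == "}":
            current = None
        elif line and current is not None:
            word, *args = line.split()
            in_script = word in SCRIPTS
            current[word] = args
    return stanzas

def audit(stanzas):
    """Return (path, finding) pairs for settings worth a second look."""
    out = []
    for path, d in stanzas.items():
        mode = (d.get("create") or [""])[0]
        if mode.isdigit() and int(mode, 8) & 0o007:
            out.append((path, f"create {mode} gives access to users outside owner/group"))
        if "delaycompress" in d and "compress" not in d:
            out.append((path, "delaycompress has no effect without compress"))
        freq = next((f for f in DAYS if f in d), None)
        if freq and "rotate" in d and DAYS[freq] * int(d["rotate"][0]) < MIN_HISTORY_DAYS:
            out.append((path, f"rotated history under {MIN_HISTORY_DAYS} days"))
    return out

if __name__ == "__main__":
    print(*audit(parse_stanzas(SAMPLE)), sep="\n")
```

Findings are review prompts rather than verdicts: wtmp is conventionally readable by all users, and compress may be set globally in /etc/logrotate.conf.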
- Manual Page: Access the logrotate manual.
  man logrotate
- Online Resources:
Note: This cheatsheet provides a comprehensive overview of logrotate functionalities up to October 2023. Always refer to the latest documentation or man pages for the most current information.
Prompt (to 4o): maxsize and minsize still sound identical
It does seem like maxsize and minsize could sound similar, but they serve different roles in logrotate, especially in how they control rotation based on size in the context of the rotation schedule. Let me clarify further:
Key Difference:
- maxsize: Ensures that a log file never exceeds a certain size when the scheduled rotation time (e.g., daily, weekly) occurs.
- minsize: Ensures that a log file is rotated only if it is at least a certain size when the scheduled rotation time occurs.
More Detailed Explanation:
maxsize:
Think of maxsize as a hard upper limit. If the log file grows larger than this value before the next scheduled rotation, nothing happens. But at the time of the scheduled rotation, if the log file is larger than maxsize, it will immediately rotate, even if the file hasn’t yet reached its time-based rotation period.
Use case: You want to ensure a log file doesn’t exceed a specific size (e.g., you have limited disk space and don't want a log to grow indefinitely, so even if it's set to rotate daily or weekly, you don't want it to ever exceed the specified size).
Example:
weekly schedule). If, at that point, the file is larger than 100MB, it will be rotated immediately. However, if the file is under 100MB, logrotate will simply follow the normal weekly rotation.
minsize:
Think of minsize as a threshold to prevent premature rotation. It ensures the log file is large enough to warrant rotation. If the log file is smaller than minsize at the time of the scheduled rotation, it won’t rotate at all, even if the scheduled rotation (daily, weekly, etc.) has arrived.
Use case: You don’t want to rotate small log files that haven’t grown enough to be worth rotating yet. For example, you may not want to create too many small rotated logs.
Example:
weekly schedule). If the log file is less than 50MB, it will not be rotated, even if it’s the end of the week. But if it's larger than 50MB, it will be rotated according to the schedule.
Simplified Scenarios:
- maxsize: maxsize, rotate it no matter what.
- minsize: minsize, don’t rotate it yet, even though it’s time.
Real-Life Example to Illustrate:
Suppose you're managing logs with the following settings:
- Day 1 (Log size: 30MB): minsize.
- Day 2 (Log size: 60MB): minsize (50MB).
- Day 3 (Log size: 105MB): maxsize (100MB), even though it hasn’t reached a scheduled rotation.
Conclusion:
- maxsize: Forces a log to be rotated when it grows too large, even if it’s not yet time to rotate based on the schedule.
- minsize: Prevents a log from being rotated if it's too small, even if the scheduled rotation time has arrived.