🐧 How to set up and manage log rotation using Logrotate on Linux

One of the most interesting (and arguably one of the most important) directories on a Linux system is /var/log.

According to the File System Hierarchy Standard, the activity of most services running on a system is recorded to a file within that directory or one of its subdirectories.

These files are known as logs and are the key to learning how the system works (and how it has behaved in the past).

Logs are also the first source of information that administrators and engineers turn to when troubleshooting problems.

If we look at the contents of /var/log on CentOS / RHEL / Fedora and on Debian / Ubuntu (for variety), we can see the following log files and subdirectories.

Please note that the result may differ slightly in your case, depending on the services running on your system(s) and how long they have been running.

On RHEL / CentOS and Fedora

# ls /var/log


On Debian and Ubuntu, Kali Linux, etc.

# ls /var/log


In both cases, we can see that some of the log names end, as expected, with “log”, while others are either renamed using the date (e.g. maillog-20160822 on CentOS) or compressed (e.g. auth.log.2.gz and mysql.log.1.gz on Debian).

This is not a fixed default of the chosen distribution; it can be changed at will via directives in the config files, as we will see in this article.

If the logs were kept forever, they would end up filling the filesystem that contains /var/log.

To prevent this, the system administrator can use the logrotate utility to clean up the logs periodically.

In short, logrotate renames or compresses the main log when a condition is met (more on that in a minute) so that the next event is written to an empty file.

In addition, it will delete the “old” log files and keep the most recent ones.

Of course, we have to decide what “old” means and how often we want logrotate to clean up the logs for us.

Installing Logrotate on Linux

To install logrotate just use your package manager:

---------- On Debian and Ubuntu ----------
# aptitude update && aptitude install logrotate

---------- On CentOS, RHEL and Fedora ----------
# yum update && yum install logrotate

It is worth noting that the configuration file (/etc/logrotate.conf) may indicate that other, more specific settings may be placed in separate .conf files inside /etc/logrotate.d.

This will be the case if and only if the following line exists and is not commented out:

include /etc/logrotate.d

We will stick to this approach, as it helps us keep things tidy, and we will use a Debian box for the following examples.

Configuring Logrotate on Linux

As a very versatile tool, logrotate provides many directives to help us customize when and how the logs will be rotated, and what should happen immediately afterwards.

Let’s insert the following content into /etc/logrotate.d/apache2.conf (note that you will most likely have to create this file) and examine each line.

/var/log/apache2/* {
    weekly
    rotate 3
    size 10M
    compress
    delaycompress
}

The first line indicates that the directives inside the block apply to all logs inside /var/log/apache2:

  • weekly means the tool will try to rotate the logs on a weekly basis. Other possible values are daily and monthly.
  • rotate 3 indicates that only 3 rotated logs should be kept. Thus, the oldest file will be deleted on the fourth subsequent run.
  • size 10M sets the minimum size for rotation to 10M. In other words, each log will not be rotated until it reaches 10 MB.
  • compress and delaycompress are used to specify that all rotated logs except the most recent one should be compressed.

Let’s do a dry run to see what logrotate would do if it were actually executed now.

Use the -d option followed by the config file (to actually run logrotate, omit this option):

# logrotate -d /etc/logrotate.d/apache2.conf

Instead of compressing the logs, we could rename them according to the date they were rotated.

To do this, we’ll use the dateext directive.

If our date format is different from the default yyyymmdd, we can specify it using dateformat.

Note that we can even prevent rotation if the log is empty using notifempty.

Also, let’s tell logrotate to mail the rotated log to the system administrator (in this case [email protected]) for reference (this requires a working mail server, which is beyond the scope of this article).

This time, we will use /etc/logrotate.d/squid.conf only for /var/log/squid/access.log:

/var/log/squid/access.log {
    monthly
    create 0644 root root
    rotate 5
    size=1M
    dateext
    dateformat -%d%m%Y
    notifempty
    mail [email protected]
}
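
The checker below is an added example, not part of the original article or of logrotate itself. It lints a config for three things a reviewer would question in the two stanzas above: a bare * pattern, which also matches files that were already rotated; size combined with a time interval, where the two are mutually exclusive and the last one specified wins (minsize requires both); and a create mode that leaves the new log readable by every local user. The function names and finding codes are made up for this example, and the sample input is the page's two stanzas, abridged.

```shell
#!/bin/sh
# Added example: lint a logrotate config, one "line:CODE:message" per finding.
# Assumes each stanza header ("path ... {") is written on a single line.
audit_logrotate_conf() {
    awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, trim
    $0 == "" { next }
    /[{]$/ {                                         # stanza header
        inblk = 1; interval = ""; size_line = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /\/[*]$/)
                printf "%d:WILDCARD:%s also matches rotated files; narrow it, e.g. *.log\n", NR, $i
        next
    }
    /^[}]/ {                                         # end of stanza
        if (inblk && interval != "" && size_line)
            printf "%d:SIZE_VS_INTERVAL:size and %s are exclusive, last one wins; minsize combines them\n", size_line, interval
        inblk = 0; next
    }
    !inblk { next }
    $1 ~ /^(hourly|daily|weekly|monthly|yearly)$/ { interval = $1 }
    $1 == "size" || $1 ~ /^size=/ { size_line = NR }  # "size 10M" or "size=1M"
    $1 == "create" && $2 ~ /^[0-7]+$/ && substr($2, length($2), 1) ~ /[4567]/ {
        printf "%d:WORLD_READABLE:create %s lets every local user read the new log\n", NR, $2
    }
    ' "$1"
}

# Constructed input: the two stanzas from this page, abridged.
write_sample() {
    cat > "$1" <<'EOF'
/var/log/apache2/* {
    weekly
    rotate 3
    size 10M
    compress
    delaycompress
}
/var/log/squid/access.log {
    monthly
    create 0644 root root
    rotate 5
    size=1M
}
EOF
}

sample=$(mktemp) && write_sample "$sample" && audit_logrotate_conf "$sample"
rm -f "$sample"
```

Run it against a real file with audit_logrotate_conf /etc/logrotate.d/apache2.conf; no output means none of the three patterns was found.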

Conclusion

On a system that generates many logs, the administration of such files can be greatly simplified using logrotate.

As we explained in this article, it will automatically rotate, compress, delete, and email logs on a periodic basis or when the file reaches a specified size.
