Logrotate
Chapter 37: Logrotate and Log Management
Section titled “Chapter 37: Logrotate and Log Management”Overview
Section titled “Overview”Logrotate is essential for managing log files in Linux systems, preventing disk space exhaustion while maintaining historical logs for debugging and compliance. This chapter covers logrotate configuration, directives, application-specific examples, and best practices for production log management.
37.1 logrotate Basics
Section titled “37.1 logrotate Basics”How logrotate Works
Section titled “How logrotate Works”┌─────────────────────────────────────────────────────────────────────────┐│ LOGROTATE WORKFLOW │├─────────────────────────────────────────────────────────────────────────┤│ ││ ┌─────────────────────────────────────────────────────────────────┐ ││ │ 1. Trigger (cron, size, time) │ ││ │ 2. Check conditions (size, time, notifempty) │ ││ │ 3. Rename current log (log.1) │ ││ │ 4. Create new empty log file │ ││ │ 5. Signal application to reopen logs (optional) │ ││ │ 6. Compress old logs (optional) │ ││ │ 7. Delete old logs exceeding rotation count │ ││ └─────────────────────────────────────────────────────────────────┘ ││ ││ Log Rotation States: ││ ┌─────────────────────────────────────────────────────────────────┐ ││ │ app.log → app.log.1 → app.log.2.gz → app.log.3.gz │ ││ │ (active) (rotated) (compressed) (oldest) │ ││ └─────────────────────────────────────────────────────────────────┘ ││ │└─────────────────────────────────────────────────────────────────────────┘Configuration
Section titled “Configuration”# /etc/logrotate.conf - Global configuration
# Rotate weeklyweekly
# Keep 4 weeks of logsrotate 4
# Create new empty files after rotationcreate
# Use date as suffixdateext
# Compress logs (gzip)compress
# Delay compression (keep .1 uncompressed)delaycompress
# Include per-application configsinclude /etc/logrotate.d
# Don't error if log missingmissingok
# Don't rotate if emptynotifempty
# Rotate even if size exceeds daily/weeklymaxsize 100M
# Default create permissionscreate 0644 root root37.2 logrotate Directives
Section titled “37.2 logrotate Directives”Common Options
Section titled “Common Options”| Directive | Description |
|---|---|
| rotate N | Keep N old log files |
| daily/weekly/monthly | Rotation frequency |
| compress | Compress rotated logs |
| delaycompress | Delay compression of previous file |
| create mode owner group | Create new empty log |
| dateext | Use date suffix instead of number |
| dateformat | Date format for dateext |
| missingok | Don’t error if log missing |
| notifempty | Don’t rotate if empty |
| maxsize N | Rotate when size exceeds N |
| minsize N | Minimum size to rotate |
| size N | Rotate when exactly N |
| postrotate/endscript | Scripts after rotation |
| prerotate/endscript | Scripts before rotation |
| sharedscripts | Run scripts once per rotation |
| copytruncate | Copy and truncate (for apps that don’t close logs) |
Advanced Options
Section titled “Advanced Options”# Size-based rotationmaxsize 100Mminsize 10M
# Date formatdateextdateformat -%Y%m%d-%s
# Compression optionscompresscompresscmd /usr/bin/xzuncompresscmd /usr/bin/unxzcompressext .xzcompressoptions -9
# Script examplespostrotate [ -f /var/run/nginx.pid ] && kill -USR1 $(cat /var/run/nginx.pid)endscript37.3 Application Examples
Section titled “37.3 Application Examples”nginx Logrotate
Section titled “nginx Logrotate”/var/log/nginx/*.log { daily missingok rotate 14 compress delaycompress notifempty create 0640 www-data adm sharedscripts postrotate [ -f /var/run/nginx.pid ] && kill -USR1 $(cat /var/run/nginx.pid) endscript}Apache Logrotate
Section titled “Apache Logrotate”/var/log/apache2/*.log { daily missingok rotate 30 compress delaycompress notifempty create 0640 root adm sharedscripts postrotate /bin/systemctl reload apache2 > /dev/null 2>/dev/null || true endscript}MySQL Logrotate
Section titled “MySQL Logrotate”/var/log/mysql/*.log { daily rotate 7 missingok create 660 mysql mysql compress postrotate test -x /usr/bin/mysqladmin || exit 0 /usr/bin/mysqladmin flush-logs endscript}
# MySQL slow query log/var/log/mysql/slow.log { weekly rotate 12 compress delaycompress missingok create 660 mysql mysql}PostgreSQL Logrotate
Section titled “PostgreSQL Logrotate”/var/log/postgresql/*.log { weekly rotate 10 compress delaycompress missingok create 0600 postgres postgres postrotate su - postgres -c '/usr/lib/postgresql/*/bin/pg_ctl reload -D /var/lib/postgresql/*/main -l /var/log/postgresql/postgresql-*-main.log' > /dev/null 2>&1 || true endscript}Application Logrotate
Section titled “Application Logrotate”/var/log/myapp/*.log { daily rotate 30 compress delaycompress missingok notifempty create 0640 myapp myapp sharedscripts postrotate systemctl restart myapp endscript}37.4 Testing logrotate
Section titled “37.4 Testing logrotate”Debug Mode
Section titled “Debug Mode”# Test configuration without actual rotationlogrotate -d /etc/logrotate.conf
# Verbose debug outputlogrotate -dv /etc/logrotate.conf
# Force rotationlogrotate -f /etc/logrotate.conflogrotate -f /etc/logrotate.d/nginx
# Rotate specific filelogrotate -f /var/log/nginx/access.log
# Check statuscat /var/lib/logrotate/statusManual Testing
Section titled “Manual Testing”# Dry run for specific configlogrotate -d /etc/logrotate.d/nginx
# Test with verboselogrotate -dv /etc/logrotate.d/nginx
# Force rotation and see outputlogrotate -vf /etc/logrotate.d/nginx37.5 Log Management Best Practices
Section titled “37.5 Log Management Best Practices”Disk Space Monitoring
Section titled “Disk Space Monitoring”# Check log directory sizesdu -sh /var/log/*du -sh /var/log/*/ 2>/dev/null
# Find largest filesfind /var/log -type f -exec du -h {} + | sort -rh | head -20
# Alert on disk usagedf -h /var/log
# Monitor with cron0 0 * * * du -sh /var/log/* | sort -rh | head -10 >> /var/log/disk_usage.logSystemd Timer for logrotate
Section titled “Systemd Timer for logrotate”[Unit]Description=Daily logrotate
[Timer]OnCalendar=dailyPersistent=true
[Install]WantedBy=timers.target
# /etc/systemd/system/logrotate.service[Unit]Description=LogrotateAfter=syslog.target
[Service]Type=oneshotExecStart=/usr/sbin/logrotate /etc/logrotate.confStandardOutput=journalStandardError=journalLog Retention Policy
Section titled “Log Retention Policy”# Example retention policy/var/log/syslog { daily rotate 30 compress missingok notifempty}
/var/log/kern.log { weekly rotate 12 compress missingok}
/var/log/debug { weekly rotate 4 compress missingok notifempty}37.6 Interview Questions
Section titled “37.6 Interview Questions”┌─────────────────────────────────────────────────────────────────────────┐│ LOGROTATE INTERVIEW QUESTIONS │├─────────────────────────────────────────────────────────────────────────┤ │Q1: What is logrotate and how does it work? │ │A1: │- Automatically rotates log files based on size/time │- Renames current log, creates new one │- Optionally compresses old logs │- Deletes oldest logs based on rotation count │- Can signal applications to reopen logs │ │─────────────────────────────────────────────────────────────────────────┤ │Q2: What is the difference between compress and delaycompress? │ │A2: │- compress: Compress immediately after rotation │- delaycompress: Don't compress .1 until next rotation (.1 stays plain) │- Useful when app needs time to switch to new log │ │─────────────────────────────────────────────────────────────────────────┤ │Q3: What does copytruncate do and when should you use it? │ │A3: │- Copies log file content and truncates original │- Use when application doesn't support log rotation │- Risk: could lose logs between copy and truncate │- Better: use when app supports log reopening │ │─────────────────────────────────────────────────────────────────────────┤ │Q4: How do you test logrotate configuration? │ │A4: │- logrotate -d /etc/logrotate.conf (debug mode) │- logrotate -f (force rotation) │- Check /var/lib/logrotate/status │ │─────────────────────────────────────────────────────────────────────────┤ │Q5: What is sharedscripts in logrotate? │ │A5: │- Runs postrotate/prerotate script ONCE for all matched logs │- Without it, script runs for EACH matched log │- Use for commands that restart service once │ │─────────────────────────────────────────────────────────────────────────┤ │Q6: How do you handle logs for applications that don't reopen files? │ │A6: │- Use copytruncate option (not ideal) │- Use postrotate to signal application │- Example: kill -USR1 for nginx, systemctl reload for others │- Or use logger to send USR1 signal │ │─────────────────────────────────────────────────────────────────────────┤ │Q7: What happens if you don't rotate logs? │ │A7: │- Log files grow until disk is full │- Can cause application crashes │- Performance degradation │- Cannot debug issues (logs become unreadable) │ │─────────────────────────────────────────────────────────────────────────┤ │Q8: How do you set up logrotate for a custom application? │ │A8: │- Create file in /etc/logrotate.d/ │- Specify log path with wildcards if needed │- Set rotation policy (daily/weekly/monthly, size) │- Configure compression │- Add postrotate for service restart if needed │ │└─────────────────────────────────────────────────────────────────────────┘Quick Reference
Section titled “Quick Reference”# Common logrotate optionsweekly # Rotation frequencyrotate 4 # Keep 4 old filescompress # Compress old logsdelaycompress # Delay compressioncreate 0640 # New log permissionsmissingok # Ignore missing logsnotifempty # Skip empty logsmaxsize 100M # Size trigger
# Testinglogrotate -d config # Debug modelogrotate -f config # Force rotationSummary
Section titled “Summary”- logrotate: Automatic log rotation tool
- Compression: gzip, xz with delaycompress
- Signaling: postrotate to restart apps
- Testing: -d debug, -f force options
Next Chapter
Section titled “Next Chapter”Chapter 38: System Monitoring Tools
Last Updated: February 2026