Creating logrotate Configs

Introduction

logrotate is the de facto standard on Linux and UNIX systems for automatically rotating, compressing, and pruning log files. A well-crafted logrotate configuration keeps disks from filling up, ensures older logs are archived, and makes debugging easier. In this guide, you’ll learn:

• Where logrotate looks for configs and how it runs
• Global vs. per-service configuration structure
• All key directives (rotate, compress, dateext, notifempty, etc.)
• Practical examples and testing tips

1. logrotate Overview & File Locations

• /etc/logrotate.conf – Main configuration file. Contains global defaults and includes the logrotate.d directory.
• /etc/logrotate.d/ – Directory for per-service or per-application snippets. Each file here applies only to its listed logs.
• Execution – Usually invoked daily via /etc/cron.daily/logrotate or a systemd timer (logrotate.timer).
• State file – /var/lib/logrotate/status tracks when each log was last rotated.

2. Global Configuration ( /etc/logrotate.conf )

Global directives set defaults for all logs, unless overridden in snippets.

# /etc/logrotate.conf
weekly
rotate 4
create
include /etc/logrotate.d

• weekly – Rotate logs once per week. Other intervals: daily, monthly, yearly.
• rotate 4 – Keep four archived logs (older ones are removed).
• create – After rotation, create a new log file with default permissions (owner root, mode 0644).
• include /etc/logrotate.d – Process all files in that directory after global settings.

3. Per-Service Config Snippets

Place files in /etc/logrotate.d/ named after the service (e.g., nginx, mysql). Each snippet lists one or more log file patterns followed by a block of directives:

# /etc/logrotate.d/nginx
/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    sharedscripts
    postrotate
        systemctl reload nginx > /dev/null 2>&1
    endscript
}

• missingok – Don’t complain if the log file is missing.
• compress – Gzip old logs after rotation, producing .gz files.
• delaycompress – Skip compression of the most recent archive, compress on the next rotation. Useful if the service still writes to the old file briefly.
• notifempty – Do not rotate empty files.
• sharedscripts – Run postrotate scripts only once, even if multiple files match.
• postrotate … endscript – Commands to run after rotation (e.g., reload service to reopen logs).

4. Key Directives Explained

• rotate count – Number of rotations to keep. After this, oldest archives are removed.
• compress / nocompress – Enable or disable compression.
• delaycompress – Works only with compress. Delays compression by one cycle.
• dateext – Append date (instead of number) to rotated filenames, e.g. access.log-2023-06-15. Requires dateformat to customize.
• dateformat format – Specify strftime-style format for dateext. Default is -%Y%m%d.
• missingok – Skip errors if file is absent.
• notifempty / ifempty – Skip or force rotation when file is empty.
• copytruncate – Copy the current log to a rotated file and truncate the original in place. Use when you cannot restart the service.
• create [mode owner group] – Create a replacement file with optional permissions and ownership, e.g. create 0640 root adm.
• su user group – Switch to specified user/group before performing rotations. Useful for non-root logs.
• prerotate, postrotate, firstaction, lastaction – Scripts to run at various stages. firstaction and lastaction run only once per run, even without sharedscripts.
• olddir directory – Move rotated logs to a different directory.
• maxage days – Remove rotated logs older than specified days.

5. Practical Examples

a) Rotate MySQL Logs Monthly, Keep 12 Copies

# /etc/logrotate.d/mysql-server
/var/log/mysql/*.log {
    monthly
    rotate 12
    missingok
    compress
    delaycompress
    notifempty
    create 640 mysql adm
    sharedscripts
    postrotate
        systemctl reload mysql
    endscript
}

b) Rotate Apache Logs, Use copytruncate

# /etc/logrotate.d/apache2
/var/log/apache2/*.log {
    daily
    rotate 7
    copytruncate
    compress
    notifempty
    dateext
    dateformat -%Y-%m-%d
    su root adm
}

c) Centralize All /var/log/*.log Weekly

# /etc/logrotate.d/varlogs
/var/log/*.log {
    weekly
    rotate 4
    missingok
    compress
    delaycompress
    sharedscripts
    postrotate
        # no reload needed
    endscript
}

6. Testing and Debugging

• logrotate --debug /etc/logrotate.conf – Show what would happen, without making changes.
• logrotate --verbose /etc/logrotate.conf – Show detailed execution steps.
• logrotate --state /tmp/statefile /etc/logrotate.conf – Test using a custom state file.
• Check /var/lib/logrotate/status to confirm last-rotation timestamps.

7. Best Practices

• Keep per-service configs focused—don’t over-include unrelated paths.
• Use dateext when logs must be archived indefinitely.
• Prefer sharedscripts to avoid multiple reloads.
• Rotate frequently written logs (e.g. daily) and keep fewer archives.
• Secure rotated logs: use create with proper permissions and su for non-root.
• Version-control your /etc/logrotate.d/ directory for auditability.

Conclusion

Mastering logrotate means striking the right balance between retention, performance, and disk usage.
With these directives and examples in your toolbox, you can craft custom rotation policies for any service, keeping logs manageable, secure, and ready for forensic analysis.