Understanding logrotate on CentOS - part 1

It's no fun when log files grow out of control. In this two-part series, learn how to use logrotate to keep those logs in check.


What is logrotate?

It may surprise you to learn that logrotate is a program used to rotate logs. It's true! The system usually runs logrotate once a day, and when it runs it checks rules that can be customized on a per-directory or per-log basis.

"Log rotation" refers to the practice of archiving an application's current log, starting a fresh log, and deleting older logs. And while we're explaining things, a "log" is a file where an application stores information that might be useful to an administrator or developer - what it's been doing, what errors it's run into, that sort of thing. So logs are good, you just usually don't want to keep a ton of them around. That's where logrotate comes in.

The importance of log rotation

Logs are wonderful things when you want to track usage or troubleshoot an application. Unfortunately the more information that gets logged, the more disk space the log uses. Over time it can really add up.

A log left unrotated can grow to a pretty unwieldy size. Running out of disk space because of a giant log is a problem of course, but a huge log file can also slow down the process of resizing or backing up your virtual server. Another practical consideration is that it's hard to look for a particular event if you have a million log entries to skim through. So on the whole it's a good idea to keep log files down to a manageable size, and to prune them when they get too old to be of much use.

Fortunately logrotate makes log rotation easy.

How it works

The system runs logrotate on a schedule, usually daily. In fact, you'll find the script that runs logrotate daily at:

/etc/cron.daily/logrotate

If you want logrotate to run more often (for hourly log rotation, for example) you'll need to look into using cron to run logrotate through a script in /etc/cron.hourly.

When logrotate runs it reads its configuration files to determine where to find the log files it needs to rotate, and to check on details like how often the files should be rotated and how many archived logs to keep.

logrotate.conf

The main logrotate configuration file is located at:

/etc/logrotate.conf

If you look inside that file you'll see the default parameters logrotate uses when it rotates logs. The file is nicely commented, so skim it to see how things are set up. We'll talk about several of the specific commands in that file shortly.

Note that one line reads:

include /etc/logrotate.d

That's where we'll find most of the application-specific configuration files.

logrotate.d

Take a look inside the directory where you'll store application-specific log settings:

ls /etc/logrotate.d

Depending on how much you've installed on your server there may be no files in this directory, or there may be several. In general, applications that are installed through CentOS's package manager (yum) will also create a config file in /etc/logrotate.d.

Most likely you will at least see a config file for syslog, which logrotate will read when it goes to rotate the system logs. If you look inside you'll see an entry for various system logs along with some commands similar to what you saw in logrotate.conf.

Inside an application file

As an example, let's take a look at the contents of a logrotate config file that might be put in place when you install apache:

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}

We'll look at what most of the specific directives in this file mean in a bit, but the short version is that when logrotate runs it will check for any files in /var/log/httpd that end in "log" and rotate them, so long as they aren't empty. If it checks the httpd directory and doesn't find any logfiles it won't throw an error. Then it will run the command in the "postrotate/endscript" block (in this case, a command that will tell apache to reload), but only after it's processed all the specified logs.

What you don't see in that file are some settings you saw back in logrotate.conf. This is because the commands in logrotate.conf act as defaults for log rotation. You can specify different settings for any application where you want to override the defaults. For example, if you run a busy web server, you may want to include a "daily" command in apache's config block so apache's logs will rotate daily instead of the default weekly rotation.

That might be more clear if we talk about what some of the more commonly-used commands actually do in a logrotate config file. So let's do that next.

Configuration commands

You can get a full list of commands used in logrotate configuration files by checking the man page:

man logrotate

We'll go over more commonly-used commands here.

Remember, the config files for applications in /etc/logrotate.d inherit their defaults from the main /etc/logrotate.conf file.

Log files

A log file and its rotation behavior are defined by listing the log file (or files) followed by curly brackets. Most application configuration files will contain just one of these blocks, but it's possible to put more than one in a file, or to add log file blocks to the main logrotate.conf file.

You can list more than one log file for a block either by using a wildcard in the name or by separating log files in the list with spaces. For example, to specify all files in the directory /var/foo that end in ".log", as well as the file "/var/bar/log.txt", you would set up the block like so:

/var/foo/*.log /var/bar/log.txt {
        blah blah blah
        blah blah blah redux
}

Just not with as many blahs.

Rotate count

The "rotate" command determines how many archived logs will be kept around before logrotate starts deleting the older ones. For example:

rotate 4

That command tells logrotate to keep 4 archived logs at a time. If there are already four archived logs when the log is rotated again, the oldest one (the one with ".4" at the end, usually) will be deleted to make room for the new archive.

Rotation interval

You can specify a command that will tell logrotate how often to rotate a particular log. The possible commands include:

daily
weekly
monthly
yearly

If a rotation interval is not specified the log will be rotated whenever logrotate runs (unless another condition like "size" has been set).

If you want to use a time interval other than the keywords listed here you'll have to get clever with cron and a separate config file. For example, if you wanted to rotate a particular log file hourly, you could create a file in "/etc/cron.hourly" (you may need to create that directory too) that would contain a line like:

/usr/sbin/logrotate /etc/logrotate.hourly.conf

Then put the configuration for that hourly run of logrotate (the log file location, whether or not to compress old files, and so on) into "/etc/logrotate.hourly.conf".
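
As an added illustration of that hourly setup (not part of the original article), this shell function stages both files under a scratch directory so they can be reviewed before being copied into place. The log path /var/log/myapp/*.log, the script name logrotate-hourly and the separate state file passed with -s are assumptions.

```shell
#!/bin/sh
# Added example: stage the cron script and config for an hourly logrotate run.
# Assumed names: /var/log/myapp/*.log, logrotate-hourly, logrotate-hourly.status.
# Call as: stage_hourly_logrotate /some/scratch/dir

stage_hourly_logrotate() {
    root=${1:-./staging}          # scratch root; review, then copy into /etc
    mkdir -p "$root/etc/cron.hourly" || return 1

    # Read only by the hourly run. "size" makes each hourly run rotate the
    # log only once it has grown past 100 kilobytes.
    cat > "$root/etc/logrotate.hourly.conf" <<'EOF'
/var/log/myapp/*.log {
    size 100k
    rotate 24
    missingok
    notifempty
    compress
    delaycompress
}
EOF

    # Run by cron every hour. -s gives this run its own state file so it
    # does not share one with the daily run. A failed run is reported to
    # syslog instead of being silently discarded.
    cat > "$root/etc/cron.hourly/logrotate-hourly" <<'EOF'
#!/bin/sh
/usr/sbin/logrotate -s /var/lib/logrotate-hourly.status /etc/logrotate.hourly.conf > /dev/null 2>&1
EXITVALUE=$?
if [ "$EXITVALUE" != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT hourly run exited abnormally with [$EXITVALUE]"
fi
exit 0
EOF

    # Config writable only by its owner; cron script executable.
    chmod 0644 "$root/etc/logrotate.hourly.conf" &&
    chmod 0755 "$root/etc/cron.hourly/logrotate-hourly"
}
```

Once the config is in place, `logrotate -d /etc/logrotate.hourly.conf` does a dry run that reports what would be rotated without changing any file.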

Size

You can specify a file size that logrotate will check when determining whether or not to perform a rotation by using the "size" command. The format of the command tells logrotate what units you're using to specify the size:

size 100k
size 100M
size 100G

The first example would rotate the log if it gets larger than 100 kilobytes, the second if it's larger than 100 megabytes, and the third if it's over 100 gigabytes. I don't recommend using a limit of 100G, mind you, the example just got a little out of hand there.

The size command takes priority over a rotation interval. When a log rotates because it hit its size limit the time interval resets for that log file. For example, if a log set to rotate "weekly" is rotated because it hit its max size after four days, logrotate will wait another week after that before rotating the log based on the time interval that has passed. As a result, if you use an interval other than "daily" and specify a maximum size for the log file, the log rotation won't be guaranteed to happen on the same day every week.

Compression

If you want archived logfiles to be compressed (in gzip format) you can include the following command, usually in /etc/logrotate.conf:

compress

This is normally a good idea, since log files are usually all text, and text compresses very well. You might, however, have some archived logs you don't want compressed, but still want compression to be on by default. In those cases you can include the following command in an application-specific config:

nocompress

One more command of note in regard to compression is:

delaycompress

This command can be useful if you want the archived logs to be compressed, but not right away. With "delaycompress" active an archived log won't be compressed until the next time the log is rotated. This can be important when you have a program that might still write to its old logfile for a time after a fresh one is rotated in. Note that "delaycompress" only works if you also have "compress" in your config.

An example of a good time to use delaycompress would be when logrotate is told to restart apache with the "graceful" or "reload" directive. Since old apache processes would not be killed until their connections are finished, they could potentially try to log more items to the old file for some time after the restart. Delaying the compression ensures that you won't lose those extra log entries when the logs are rotated.
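
To make the "rotate" count and "delaycompress" behavior described above concrete, here is an added shell model of a single rotation (not logrotate's own code and not from the original article). It assumes numbered archives such as app.log.1 and app.log.2.gz; the function names and the scratch log are constructed for the demo.

```shell
#!/bin/sh
# Added example: a simplified model of ONE rotation under
#   rotate N  +  compress  +  delaycompress
# with numbered archives. It is not logrotate's code.

rotate_once() {
    log=$1
    keep=$2

    # "rotate N": the oldest archive is deleted to make room.
    rm -f "$log.$keep.gz"

    # Shift the compressed archives up by one: .3.gz -> .4.gz, .2.gz -> .3.gz
    i=$((keep - 1))
    while [ "$i" -ge 2 ]; do
        if [ -f "$log.$i.gz" ]; then
            mv "$log.$i.gz" "$log.$((i + 1)).gz"
        fi
        i=$((i - 1))
    done

    # "delaycompress": the archive from the previous rotation is only
    # compressed now, one rotation after it was created.
    if [ -f "$log.1" ]; then
        if [ "$keep" -ge 2 ]; then
            gzip -c "$log.1" > "$log.2.gz"
        fi
        rm -f "$log.1"
    fi

    # The live log becomes the uncompressed .1 and a fresh log is started.
    mv "$log" "$log.1"
    : > "$log"
}

# Constructed demo: six rotations of a scratch log with "rotate 4".
demo_rotations() {
    dir=$(mktemp -d) || return 1
    for n in 1 2 3 4 5 6; do
        echo "entry written before rotation $n" >> "$dir/app.log"
        rotate_once "$dir/app.log" 4
    done
    (cd "$dir" && echo *)
    rm -rf "$dir"
}

demo_rotations
```

After six rotations only four archives remain, and the newest one (.1) is still plain text, so a process that has not yet let go of the old file can keep appending to it.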

Postrotate

The "postrotate" script is run by logrotate each time it rotates a log specified in a config block. You'll usually want to use this to restart an application after the log rotation so the app can switch to a new log.

postrotate
    /usr/sbin/apachectl restart > /dev/null
endscript

That "> /dev/null" bit at the end tells the shell running the script to redirect the command's standard output to, well, nowhere. Otherwise the output of that command will be sent off to the console or the log or email or whatever, and in this case, you don't really care about the output if everything restarted okay.

The "postrotate" command tells logrotate that the script to run will start on the next line, and the "endscript" command says that the script is done.

Sharedscripts

Normally logrotate will run the "postrotate" script every time it rotates a log. This is true for multiple logs using the same config block. So for example, a web server config block that refers to both the access log and the error log will, if it rotates both, run the "postrotate" script twice (once for each file rotated). So if both files are rotated, the web server will be restarted twice.

To keep logrotate from running that script for every log, you can include the command:

sharedscripts

That tells logrotate to wait until it's checked all the logs for that config block before running the postrotate script. If one or both of the logs get rotated, the postrotate script still only gets run once. If none of the logs get rotated, the postrotate script won't run at all.

Summary

You've seen an overview of what logrotate does and what kind of configuration options are available to you. You should be all set to go poking around in the existing configs and adapt them to your needs. But let's not stop there! In the next article we'll look at putting an example config together (to rotate the logs for custom virtual hosts), and also cover some handy troubleshooting approaches.

-- Jered

Article Comments:

TBG commented Mon Feb 27 11:41:32 UTC 2012:

Now my server have keep logged to .90 T_T Thanks for this guide, help me a lot. ^^

Ravi Hasija commented Tue Jul 30 16:28:33 UTC 2013:

Great informative article. Thank you!!!

One question: say there are 5 different config files in /etc/logrotate.d. And I add one more. When would logrotate know that I added a new config file and start using it?
