How to use logrotate utility to rotate log files
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 10
- logrotate
Issue
- How to rotate old log files using logrotate?
- How to keep log files for a longer period of time using logrotate?
- Can we retain or rotate specific system log files?
- Is rotating or retaining log files possible on a weekly or monthly basis?
Resolution
- The rotation of log files can be done with the logrotate utility.
- logrotate is designed to simplify administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.
- logrotate is typically run daily by cron (/etc/cron.daily/logrotate)
- /etc/logrotate.conf is the main logrotate configuration file. Packages typically write their configurations to directory /etc/logrotate.d, which is by default included by /etc/logrotate.conf.
- Local definitions override global ones, and later definitions override earlier ones.
- Some important values to keep in mind:

      $ cat /etc/logrotate.conf
      # see "man logrotate" for details
      # rotate log files weekly
      weekly

      # keep 4 weeks worth of backlogs
      rotate 4

      # create new (empty) log files after rotating old ones
      create

      # use date as a suffix of the rotated file
      dateext

      # uncomment this if you want your log files compressed
      #compress

      # RPM packages drop log rotation information into this directory
      include /etc/logrotate.d
      ...

- Note that log files will typically not be modified multiple times in one day, as described in the logrotate man page:

      $ man logrotate
      ...
      Normally, logrotate is run as a daily cron job. It will not modify a log
      multiple times in one day unless the criterion for that log is based on
      the log's size and logrotate is being run multiple times each day, or
      unless the -f or --force option is used.

- The configurations can be modified as needed
Example - change the log settings for CUPS
- /etc/logrotate.d/cups is part of the cups package:

      # rpm -qf /etc/logrotate.d/cups
      cups-1.4.2-52.el6_5.2.x86_64

- We will add compress, rotate, and size options to the default file, as well as a postrotate action.

      # vi /etc/logrotate.d/cups       # edit file
      # cat /etc/logrotate.d/cups
      /var/log/cups/*_log {
          missingok
          notifempty
          # log files will be compressed
          compress
          # rotate the logs 5 times, so keep 5 weeks of logs if the global time interval is set to 'weekly' in 'logrotate.conf'
          rotate 5
          # log files will be rotated when they grow larger than 100kB
          size 100k
          sharedscripts
          postrotate
              /etc/init.d/cups condrestart > /dev/null 2>&1 || true
          endscript
      }
Example - add a separate configuration file for /var/log/secure
- In RHEL 7 and earlier, create the file /etc/logrotate.d/secure as follows:

      # vi /etc/logrotate.d/secure       # create file
      # cat /etc/logrotate.d/secure
      ### configure syslog secure log file separately
      /var/log/secure {
          monthly
          minsize 1M
          rotate 3
          missingok
          dateext
          postrotate
              /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
          endscript
          ifempty
      }

- For RHEL 8 and later the same applies, with a minor modification: there is no syslogd.pid file available, so the postrotate action is performed using the systemctl command:

      postrotate
          /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
      endscript

- System log files, including /var/log/secure, are defined in /etc/logrotate.d/syslog. Since we are defining /var/log/secure separately, we need to remove it from /etc/logrotate.d/syslog:

      # sed -i '\:/var/log/secure:d' /etc/logrotate.d/syslog

- The above file modifications will only take effect when the next log rotation takes place.
- Instead of waiting for the next cron job, you can use the following command to test that the modifications work:

      # logrotate -f /etc/logrotate.conf

- For troubleshooting see How to debug logrotate warnings or errors when logrotate is not running correctly
- For more information refer to the logrotate man page:

      # man logrotate
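If /var/log/secure gets its own file but is still listed in /etc/logrotate.d/syslog, the same log ends up declared in two stanzas. The script below is an added example, not part of the original article: it scans a drop-in directory and reports every path declared more than once, so the sed step above can be verified before the next rotation. The function names and the sample files are constructed for illustration.

```shell
# Added example: report log paths declared in more than one logrotate stanza.
# Assumes literal path comparison (globs not expanded); names are hypothetical.
find_duplicate_logs() {   # $1 = drop-in directory, e.g. /etc/logrotate.d
    awk '
        FNR == 1   { inblock = 0; inscript = 0 }   # new file: reset parser state
        /^[ \t]*#/ { next }                        # comment line
        inscript   { if ($1 == "endscript") inscript = 0; next }   # skip script bodies
        inblock {
            if ($1 ~ /^(prerotate|postrotate|firstaction|lastaction|preremove)$/) inscript = 1
            else if ($1 == "}") inblock = 0
            next
        }
        {   # stanza header: every token starting with "/" is a log path
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (sub(/[{]$/, "", tok)) inblock = 1
                if (tok ~ /^\//) {
                    if (tok in first) printf "%s\t%s\t%s\n", tok, first[tok], FILENAME
                    else first[tok] = FILENAME
                }
                if (inblock) break
            }
        }
    ' "$1"/*
}

make_sample_dir() {   # constructed sample drop-ins mirroring the article's setup
    d=$(mktemp -d) || return 1
    cat > "$d/syslog" <<'EOF'
/var/log/messages
/var/log/secure
{
    missingok
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF
    cat > "$d/secure" <<'EOF'
/var/log/secure {
    monthly
    rotate 3
}
EOF
    echo "$d"
}

d=$(make_sample_dir) && find_duplicate_logs "$d"   # columns: path, first file, duplicate file
rm -rf "$d"
```

On a real system, run `find_duplicate_logs /etc/logrotate.d` after editing; empty output means no path is declared twice.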