As we have seen in /etc/systemd/journald.conf, the journald logging daemon manages its own log rotation and deletion, so we don’t have to worry about it once it is properly configured. Unfortunately the rsyslogd daemon does not, so if we use it we should manage the log files it generates. RHEL7 comes with a tool to archive and delete log files: logrotate. This log management routine is configured with the files in /etc/logrotate.conf and /etc/logrotate.d/.
Let’s look at the main configuration file and its options:
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress
# create new (empty) log files after rotating old ones
create

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
The settings in /etc/logrotate.conf are the defaults applied to every entry unless they are overridden within that entry. For example, the weekly option rotates each log file weekly, but an entry can override it with its own monthly, daily or hourly option.
If we choose the hourly option at any point, we should move the logrotate script from /etc/cron.daily to /etc/cron.hourly. Otherwise the script will only be executed once a day!
The rotate 4 option states that by default log files will be rotated 4 times before being deleted or emailed. We can set it to any integer, but if it is set to 0 no old log files will be kept.
The dateext option appends the date (-YYYYMMDD) to the archived log files, and dateformat uses the common notation to format the date.
We can compress archived files with the compress option which uses gzip. If we want to use another compression tool we can do so with compresscmd (e.g. compresscmd /bin/bzip2). And we can use compressext (uses explicit suffix rather than the one set by the compression tool) and compressoptions (options to pass to the compression tool).
The create option creates a blank file after the original has been renamed and we can specify the file permissions and ownership.
The include directive points to /etc/logrotate.d by default but we can add more of these directives to include additional directories.
If some process has an open filehandle on a log file and renaming it would cause problems, then we can use copy or copytruncate options. The former copies the original log file but does not modify it in any way. The latter truncates the original once the copy is completed.
We can also have the log files emailed to one or more addresses with the options mail, mailfirst and maillast.
We can use maxsize to rotate log files when they grow above a certain size, even if the rotation interval has not yet elapsed. Or we can use minsize so that a log file is only rotated at its scheduled interval when its size is above a certain threshold.
If a log file due to be rotated does not exist, an error message is generated; this is the default behaviour (nomissingok). We can use missingok to continue without generating any error.
Log files are rotated even when they are empty (default ifempty) but that can be changed by using notifempty.
Rotated files are left in the original directory (default noolddir) but can be moved elsewhere with olddir.
We can shred log files at the end of their rotation life with the shred option but the default is noshred.
The lines between prerotate/endscript are executed before the log file is rotated and only if it is rotated. The same happens with postrotate/endscript after the rotation.
The lines firstaction/endscript and lastaction/endscript do the same as the ones above, but instead of being executed once for each log file rotated, they are executed only once if at least one log file is rotated.
The lines preremove/endscript are executed before the deletion of a log file.
Finally, we can run the rotation, the deletion and any additional commands as another user and group with the option su <user> <group>.
Let’s look at the 2 examples that come in logrotate.conf by default to make sense of the explanation above:
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

/var/log/messages {
    weekly
    create 0600 root root
    minsize 1M
    rotate 1
    postrotate
        systemctl restart rsyslog.service
    endscript
}
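To check which rotation interval, retention count and create mode a log file actually ends up with, the defaults at the top of logrotate.conf have to be merged with each entry's own options. The sketch below is an added example, not part of the original article or of logrotate itself. It resolves those effective settings for a simplified subset of the syntax (no include, no quoted paths), and the /var/log/app.log entry in it is hypothetical.

```python
FREQUENCIES = {"hourly", "daily", "weekly", "monthly", "yearly"}
SCRIPTS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}
# Constructed sample: the page's defaults and wtmp stanza, plus a hypothetical
# /var/log/app.log stanza that sets nothing of its own except missingok.
SAMPLE = """\
weekly
rotate 4
dateext
create
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}
/var/log/app.log {
    missingok
    postrotate
        systemctl restart rsyslog.service
    endscript
}
"""

def effective_settings(text):
    """Map each log path to its settings: global defaults, overridden per stanza."""
    defaults, result, paths, current, in_script = {}, {}, [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if in_script:                       # script bodies are shell, not directives
            in_script = line != "endscript"
        elif not line or line.startswith("include"):
            continue                        # this sketch does not follow includes
        elif line.endswith("{"):            # stanza opens: start from the defaults
            paths, current = line[:-1].split(), dict(defaults)
        elif line == "}":                   # stanza closes: store a copy per path
            result.update({p: dict(current) for p in paths})
            current = None
        elif line in SCRIPTS:
            in_script = True
        else:
            target = defaults if current is None else current
            name, *rest = line.split(None, 1)
            if name in FREQUENCIES:         # frequency keywords replace each other
                name, rest = "frequency", [name]
            target[name] = rest[0] if rest else True
    return result

if __name__ == "__main__":
    print(effective_settings(SAMPLE))
```

Options without an argument are stored as True, so a bare create (inherit the mode and owner of the old file) can be told apart from an explicit create 0600 root root.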