
Mastering Logrotate: Automate Linux Log Rotation and Retention

This guide explains why logrotate is essential for Linux system security, details its default configuration files, shows how the cron‑based rotation works, lists key options, provides practical Nginx and custom rotation examples, and highlights the critical copytruncate option for seamless log handling.

ITPUB

Why Logrotate Matters

Log files are crucial for Linux system security, troubleshooting, and performance analysis; when they grow unchecked they degrade write speed and become hard to archive, so automated rotation, compression, and deletion are needed.

Configuration Files

Logrotate is installed by default on most Linux distributions. Its main configuration resides in /etc/logrotate.conf, while additional per‑service files are placed in /etc/logrotate.d/. The files in that directory are read automatically by the main config, and any setting they omit inherits its default from /etc/logrotate.conf.

Cron‑Based Rotation Mechanism

Logrotate runs daily via the script /etc/cron.daily/logrotate, which is invoked by the system’s cron daemon. The script ends with the command that actually performs the rotation:

/usr/sbin/logrotate /etc/logrotate.conf

The timing of daily, weekly, and monthly cron jobs is defined in /etc/crontab (e.g., daily tasks at 06:25, weekly at 06:47, monthly at 06:52).

Manual Rotation

If immediate rotation is required, use the -f flag; for a dry‑run, add -d to see debug output.

Key Options and Parameters

compress – gzip the rotated logs.

nocompress – keep them uncompressed.

create mode owner group – set permissions for the new log file.

missingok – ignore missing log files.

notifempty – skip rotation for empty logs.

daily, weekly, monthly – set rotation frequency.

rotate count – keep a specific number of old logs.

dateext – append the current date to rotated filenames.

size=SIZE – rotate only when the log reaches the given size (e.g., size=100M).

copytruncate – copy the log and truncate the original to avoid breaking processes that keep the file open.

Example: Nginx Log Rotation

/data/log/nginx/*.log /data/log/nginx/*/*.log {
    weekly
    missingok
    # keep six rotated generations
    rotate 6
    compress
    delaycompress
    notifempty
    create 0644 www-data ymserver
    # run the prerotate/postrotate scripts once for all matched logs
    sharedscripts
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi \
    endscript
    # USR1 makes nginx reopen its log files after the rename
    postrotate
        [ -s /run/nginx.pid ] && kill -USR1 `cat /run/nginx.pid`
    endscript
    su root ymserver
}

Custom Daily Rotation via Crontab

To run a rotation at midnight, add a root crontab entry such as:

0 0 * * * /usr/sbin/logrotate /etc/logrotate.d/web_roteate -fv > /tmp/logro.log 2>&1

Because -f forces a rotation on every run, this overrides the default weekly schedule and rotates the logs daily.

Important Option: copytruncate

Without copytruncate, logrotate renames the current log (e.g., log → log.1) and creates a new file; processes like Nginx that keep the old file descriptor continue writing to log.1, which is undesirable. Two solutions exist:

Use a postrotate script to send SIGHUP (or kill -USR1) to the service so it reopens the new log file.

Enable copytruncate so the original file is copied to log.1 and then truncated to zero length, allowing the process to keep writing to the same file descriptor. Note that entries written in the brief gap between the copy and the truncation may be lost; nocopytruncate can be used to avoid truncation.
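
The three behaviours described above, reproduced with plain mv, cp and truncation instead of logrotate itself. This is an added example, not part of the original article; the rotate_demo function and the app.log file name are hypothetical, and the "daemon" is simply file descriptor 9 held open in append mode.

```sh
#!/bin/sh
# rotate_demo MODE  ->  prints "<lines in app.log> <lines in app.log.1> <lines lost>"
# MODE is one of: rename | reopen | copytruncate
rotate_demo() {
    mode=$1
    dir=$(mktemp -d) || return 1
    log=$dir/app.log
    exec 9>>"$log"                      # daemon opens its log once (O_APPEND)
    echo "line 1 (before rotation)" >&9
    written=1
    case $mode in
        rename|reopen)
            mv "$log" "$log.1"          # default: rename the live file ...
            : > "$log"                  # ... and create a fresh empty one
            if [ "$mode" = reopen ]; then
                exec 9>>"$log"          # effect of the postrotate signal: reopen by path
            fi
            ;;
        copytruncate)
            cp "$log" "$log.1"          # copy the current contents
            echo "line 2 (between copy and truncate)" >&9
            written=$((written + 1))
            : > "$log"                  # truncate in place: line 2 is discarded
            ;;
        *)
            exec 9>&-
            rm -rf "$dir"
            return 2
            ;;
    esac
    echo "line 3 (after rotation)" >&9
    written=$((written + 1))
    exec 9>&-
    new=$(wc -l < "$log" | tr -d ' ')
    old=$(wc -l < "$log.1" | tr -d ' ')
    rm -rf "$dir"
    echo "$new $old $((written - new - old))"
}

for m in rename reopen copytruncate; do
    printf '%-13s new/old/lost = %s\n' "$m" "$(rotate_demo "$m")"
done
```

In the rename row the live log stays empty because the open descriptor follows the renamed file. The non-zero loss count in the copytruncate row is the reason to prefer the postrotate signal for logs that serve as an audit trail, when the service supports it.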

Written by

ITPUB
