logrotate cheatsheet

https://www.digitalocean.com/community/tutorials/how-to-manage-logfiles-with-logrotate-on-ubuntu-16-04

http://www.thegeekstuff.com/2010/07/logrotate-examples/

http://linux.die.net/man/8/logrotate

Basic usage

  • Run all
    • logrotate -v /etc/logrotate.conf
  • Test one config
    • logrotate --debug /etc/logrotate.d/symfony
  • Run one config
    • logrotate -v /etc/logrotate.d/symfony
  • Force rotation
    • logrotate --force /etc/logrotate.d/symfony

 

Custom Rotator Configs

/var/log/*watcher.log {
        # Rotate daily
        daily

        # But only when at least 100K filesize
        minsize 100K

        # And do not rotate empty logfiles
        notifempty

        # Keep a high number of versions
        rotate 9999

        # Because we delete files after 1 month (to keep in monthly backups)
        maxage 31

        # Compress
        compress

        # Delay compression until the second rotation cycle
        delaycompress

        # Use date extension instead of numbers, good for hardlink backups
        dateext

        # ISO date format
        dateformat .%Y-%m-%d

        # Otherwise logrotate complains:
        #   error: skipping "/var/log/XXX.log" because parent directory has insecure
        #   permissions (It's world writable or writable by group which is not "root")
        #   Set "su" directive in config file to tell logrotate which user/group
        #   should be used for rotation.
        su root root

        # Do not complain about missing logfiles
        missingok

        # Immediately create a new log file after rotation
        create 640 root adm
}
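
The error quoted in the `su` comment above comes from a permissions check on the parent directory of each log file. As an added example (not part of the original cheatsheet), this script applies the rule as worded in that error message to every path in a config; the script name `audit.sh` and the one-line stanza header parsing are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): flag log directories that would
# trigger logrotate's "parent directory has insecure permissions" error.

# Return 0 when DIR is world-writable, or group-writable by a group other
# than root (gid 0); 1 when it is fine; 2 when it cannot be inspected.
dir_is_insecure() {
    info=$(ls -ldn "$1" 2>/dev/null) || return 2
    mode=$(printf '%s\n' "$info" | awk '{print $1}')   # e.g. drwxrwxr-x
    gid=$(printf '%s\n' "$info" | awk '{print $4}')    # numeric group id
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    if [ "$other_w" = "w" ]; then return 0; fi
    if [ "$group_w" = "w" ] && [ "$gid" != "0" ]; then return 0; fi
    return 1
}

# Print the parent directory of every log path in the stanza headers of a
# logrotate config. Simplification: header and "{" on one line, no quoting.
config_parent_dirs() {
    sed -n 's|^[[:space:]]*\(/[^{]*\){[[:space:]]*$|\1|p' "$1" |
    tr -s ' \t' '\n\n' |
    while read -r pattern; do
        [ -n "$pattern" ] || continue
        # Unquoted on purpose so wildcards such as *watcher.log expand.
        for f in $pattern; do dirname "$f"; done
    done | sort -u
}

# Print "INSECURE <dir>" for each flagged directory used by the config.
audit_config() {
    config_parent_dirs "$1" | while read -r dir; do
        if dir_is_insecure "$dir"; then echo "INSECURE $dir"; fi
    done
}

# Usage (hypothetical script name): sh audit.sh /etc/logrotate.d/symfony
if [ $# -gt 0 ]; then audit_config "$1"; fi
```

A flagged directory is better handled by tightening its mode, or by pointing `su` at the unprivileged user that owns the logs, than by rotating as root inside a directory other users can write to.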

 

Important options for some cases:

  • Restart service after rotation
        postrotate
            if invoke-rc.d apache2 status > /dev/null 2>&1; then \
                invoke-rc.d apache2 reload > /dev/null 2>&1; \
            fi;
        endscript

 

Use date in filenames, better for hardlink backups (?)

vi /etc/logrotate.d/owncloud

/var/log/owncloud.log {
        # Only rotate once the file is larger than 1k
        minsize 1k
        # Use www-data user
        create 0660 www-data www-data
        # Rotate when size is reached
        size 10M
        # Compress
        compress
        # Delay compression until the second rotation cycle
        delaycompress
        # Use date extension instead of numbers, good for hardlink backups
        dateext
}

 

With wildcards

vi /etc/logrotate.d/symfony

/home/*/public_html/log/*.log {
        monthly
        rotate 12
        # Rotate once the file exceeds 100k; "size" ignores the monthly schedule above
        size 100k
        compress
        delaycompress
        missingok
        notifempty
}

Size options better explained

From https://stackoverflow.com/a/23728801

As mentioned by Zeeshan, the logrotate options size, minsize, maxsize are triggers for rotation.

To better explain it. You can run logrotate as often as you like, but unless a threshold is reached such as the filesize being reached or the appropriate time passed, the logs will not be rotated.

The size options do not ensure that your rotated logs are also of the specified size. To get them to be close to the specified size you need to call the logrotate program sufficiently often. This is critical.

For log files that build up very quickly (e.g. in the hundreds of MB a day), unless you want them to be very large you will need to ensure logrotate is called often! This is critical.

Therefore to stop your disk filling up with multi-gigabyte log files you need to ensure logrotate is called often enough, otherwise the log rotation will not work as well as you want.

On Ubuntu, you can easily switch to hourly rotation by moving the script /etc/cron.daily/logrotate to /etc/cron.hourly/logrotate.

Or add

*/5 * * * * root /etc/cron.daily/logrotate

To your /etc/crontab file. To run it every 5 minutes.

The size option ignores the daily, weekly, monthly time options. But minsize & maxsize take it into account.

The man page is a little confusing there. Here's my explanation.

minsize rotates only when the file has reached an appropriate size and the set time period has passed, e.g. minsize 50MB + daily. If the file reaches 50MB before the daily time has ticked over, it'll keep growing until the next day.

maxsize will rotate when the log reaches a set size or the appropriate time has passed. e.g. maxsize 50MB + daily. If file is 50MB and we're not at the next day yet, the log will be rotated. If the file is only 20MB and we roll over to the next day then the file will be rotated.

size will rotate when the log > size. Regardless of whether hourly/daily/weekly/monthly is specified. So if you have size 100M - it means when your log file is > 100M the log will be rotated if logrotate is run when this condition is true. Once it's rotated, the main log will be 0, and a subsequent run will do nothing.

So in the OP's case, specifically 50MB max, I'd use something like the following:

/var/log/logpath/*.log {
    maxsize 50M
    hourly
    missingok
    rotate 8
    compress
    notifempty
    nocreate
}

Which means he'd create 8hrs of logs max. And there would be 8 of them at no more than 50MB each. Since he's saying that he's getting multi gigabytes each day and assuming they build up at a fairly constant rate, and maxsize is used he'll end up with around close to the max reached for each file. So they will be likely close to 50MB each. Given the volume they build, he would need to ensure that logrotate is run often enough to meet the target size.

Since I've put hourly there, we'd need logrotate to be run a minimum of every hour. But since they build up to say 2 gigabytes per day and we want 50MB... assuming a constant rate that's 83MB per hour. So you can imagine if we run logrotate every hour, despite setting maxsize to 50 we'll end up with 83MB logs in that case. So in this instance setting the running to every 30 minutes or less should be sufficient.

Ensure logrotate is run every 30 mins.

*/30 * * * * /etc/cron.daily/logrotate
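
The three triggers described in the answer above, modelled as an added example (not code from the original page or the quoted answer) and run against a constantly growing log for several cron intervals. The growth rate, the KiB units and the treatment of the period as elapsed minutes since the last rotation are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not from the original page or the quoted answer): a small
# model of the size / minsize / maxsize triggers as described above.

# should_rotate TRIGGER THRESHOLD_KIB SIZE_KIB PERIOD_ELAPSED(0|1)
# Exit status 0 means "rotate on this run".
should_rotate() {
    case $1 in
        size)    [ "$3" -gt "$2" ] ;;                        # period ignored
        minsize) [ "$3" -gt "$2" ] && [ "$4" -eq 1 ] ;;      # both required
        maxsize) [ "$3" -gt "$2" ] || [ "$4" -eq 1 ] ;;      # either suffices
        *)       return 2 ;;
    esac
}

# largest_rotated_kib TRIGGER THRESHOLD_KIB RATE_KIB_PER_MIN RUN_EVERY_MIN PERIOD_MIN
# Simulate 24 hours of constant growth with logrotate invoked every
# RUN_EVERY_MIN minutes; print the size of the largest rotated file.
# Simplification: the period (hourly = 60) is modelled as elapsed minutes
# since the previous rotation.
largest_rotated_kib() {
    now=0; size=0; since=0; largest=0
    while [ "$now" -lt 1440 ]; do
        now=$((now + $4)); since=$((since + $4))
        size=$((size + $3 * $4))
        elapsed=0
        if [ "$since" -ge "$5" ]; then elapsed=1; fi
        if should_rotate "$1" "$2" "$size" "$elapsed"; then
            if [ "$size" -gt "$largest" ]; then largest=$size; fi
            size=0; since=0
        fi
    done
    echo "$largest"
}

# Constructed input: about 83 MiB per hour (1422 KiB/min), maxsize 50M, hourly.
for interval in 60 30 5 1; do
    echo "run every $interval min: largest rotated file" \
         "$(largest_rotated_kib maxsize 51200 1422 "$interval" 60) KiB"
done
```

In this model a rotated file can exceed the threshold by up to one run interval of growth, because the size is only checked when logrotate actually runs.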