原文 : Understanding logrotate utility By Jered Heeschen

Logging is useful when you want to track usage or troubleshoot an application. However, as more and more information is recorded, log files take up more and more disk space. Over time, a log file can become quite large. Not only does a large log file run out of hard disk space, it can slow down the process of resizing or backing up your virtual server. On top of that, it’s hard to find a particular event in a million logs. Therefore, it is best to keep the size of log files manageable and to delete log files when they become too old to be used.

Fortunately, the Logrotate tool makes log rotation easy. Log rotation refers to the practice of archiving the current logs of an application, starting new logs, and deleting old logs. The system typically runs Logrotate once a day, and at runtime checks for rules that can be customized based on each directory or log.

How Logrotate works

The system runs Logrotate as planned, generally every day. In most distributions, the daily operation of logrotate scripts in the/etc/cron. Daily/logrotate.

There are some distributions that are not quite the same. For example, in the Gentoo, logrotate scripts in the/etc/cron. Daily/logrotate. Cron.

According to accounts, if you want to run logrotate more frequently (such as hourly), you need to use cron to run logrotate through the script under /etc/cron.hourly.

When Logrotate runs, it reads its configuration files to determine where the log files need to be rotated, how often the log files need to be rotated, and how many archive logs need to be retained.

logrotate.conf

The main configuration file of logrotate is stored in /etc/logrottate.

This file contains the default parameters that Logrotate uses when rotating logs. This file contains comments, so you can browse to see how it is configured. A few specific commands in this file are described later in this article.

Notice the following line in the file:

include /etc/logrotate.d
Copy the code

This directory contains most application-specific configuration files.

logrotate.d

Use the following command to list the contents of the directory that contains the application-specific log configuration:

ls /etc/logrotate.d
Copy the code

There may be no files or multiple files in this directory, depending on how many things are installed on your server. Generally, an application installed through your package manager will create a configuration file in /etc/logrott.d.

Typically, this directory contains a configuration file for the Syslog service, which is read when Logrotate rotates the system logs. This file contains entries for various system logs, as well as commands similar to those contained in logrott.conf.

Note: In Ubuntu OS versions prior to Karmic Koala (9.10), there was no entry for the Syslog service. Prior to this release, system logs were rotated by savelog commands running from the /etc/cron.daily.sysklogd script.

Go to the application’s configuration file

As an example, consider the logrotate configuration file that you might place when you install Apache on a Fedora system:

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
    /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
  }
Copy the code

When Logrotate runs, it checks all log-ended, non-empty files under /var/log/httpd and rotates them. If it does not find any log files in the HTTPD directory, it does not raise an exception. It then executes the command in the PostRotate/endScript block (in this case, a command to tell Apache to restart), but only after it has processed all of the specified logs.

This sample file does not contain some of the configurations in the logrott.conf file. The commands in logrottate. Conf act as the default configuration for log rotation. When you want to override the default configuration, you can specify a different one for any application. For example, when you have a busy Web service, you might want to include the Daily command in the Apache configuration block so that Apache logs rotate by day instead of the default weekly rotation.

The next section covers some of the more common commands that are actually executed in the Logrotate configuration file.

Configuration commands

You can see the full list of commands used by the Logrotate configuration file in the man manual:

man logrotate
Copy the code

This section describes the more common commands.

Remember that the application configuration file in /etc/logrottate. D inherits the default configuration from the /etc/logrottate.

Log files

Define the log file and its rotation behavior by listing one (or more) log files and then listing a set of commands enclosed in braces. Most application configuration files contain only one of these blocks, but you can place multiple blocks in the file, or you can place log file blocks in the logrott.conf file.

You can list multiple log files in a block by using wildcards in the names, or by separating the log files with Spaces. For example, to specify all.log files in /var/foo and /var/bar/log.txt, you can set this block as follows:

/var/foo/*.log /var/bar/log.txt {
        rotate 14
        daily
        compress
        delaycompress
        sharedscripts
        postrotate
                /usr/sbin/apachectl graceful > /dev/null
        Endscript
}
Copy the code

Rotate count

The rotate command determines how many archived logs are returned before Logrotate starts deleting older logs. Such as:

rotate 4
Copy the code

This command tells Logrotate to keep four archive logs at a time. When the logs are rotated again, if there are already four archive logs, the oldest is deleted to make room for the new archive.

Rotation interval

You can specify a command that tells Logrotate how often to rotate a particular log. Reasonable commands include:

daily
weekly
monthly
yearly
Copy the code

If no rotation interval is specified, the logs will be rotated every time Logrotate runs (unless other commands such as size are set).

If you want to use an interval other than the one defined, you need to create a separate profile using CRon. For example, if you want to rotate specific log files hourly, you can create a file (and you may also need to create a directory) under /etc/cron.hourly with the following line:

/usr/sbin/logrotate /etc/logrotate.hourly.conf
Copy the code

Then, will need to run every hour logrotate configuration (log file location, whether to compress the old files, etc.) in the/etc/logrotate. Hourly. Conf.

Size

You can use the size command to specify the file size for logrotate to check when determining whether to perform rotation. The format of the command tells logrotate what units you use to specify the size:

size 100k
size 100M
size 100G
Copy the code

The first example rotates the log when it is greater than 100KB, the second example is greater than 100MB, and the third example is greater than 100GB. I don’t recommend using the 100G limit, mind you, this example is getting a little out of hand.

If both size and rotation interval are set, the size command has a higher priority and replaces rotation interval.

Compression

If you want to compress archived log files (using gzip format), you can include the following command, which is usually found in /etc/logrottate.

compress
Copy the code

Compression is usually a good idea because log files are usually all text, and text compresses well. However, if you have archive logs that you do not want compressed, but you want compression enabled by default, you can include the following commands in your application-specific configuration:

nocompress
Copy the code

Another command to note about compression is:

delaycompress
Copy the code

This command is useful if you want to compress an archive but want to postpone the compression. When delayCompress is enabled, archive logs will be compressed in the next log rotation. This can be important when you have a program that may still write to its old log files for a period of time after rotating new log files. Note that delayCompress only works if you have compress configured.

A good example of using DelayCompress is when Logrotate is told to restart Apache with either the “graceful” or “reload” directives. Because the old Apache processes do not end until the connection is complete, they may try to record more items into the old file for some time after the restart. Delayed compression ensures that these additional log entries are not lost when the log is rotated.

Postrotate

Logrotate executes the PostRotate script each time the logs specified in the configuration block are rotated. Typically, you want to use this script to restart the application after the log rotation so that the application can switch to the new log.

postrotate
    /usr/sbin/apachectl restart > /dev/null
endscript
Copy the code

> /dev/null tells logrotate to discard the output of the command. In this case, you don’t need to see the output of a successful application restart.

Sharedscripts

Typically Logrotate executes the PostRotate script after each log rotation. The same is true for multiple logs that use the same configuration block. For example, a Web services configuration block that references both the access log and the error log will run the PostRotate script twice (once each time the file is rotated) if it rotates both. If both files are rotated, the Web service will be restarted twice.

To prevent Logrotate from running this script for each log, include the following commands:

sharedscripts
Copy the code

This command tells Logrotate to check all logs for the configuration block before running the PostRotate script. If one or both rotations are taken, the PostRotate script is run only once. If there is no log rotation, the post-rotation script does not run.

Where to go next

This article provides an overview of the capabilities of Logrotate and the configuration options available. By now, you should be able to browse the existing configuration and adapt it to your needs. To learn how to create a Sample configuration that rotates logs for a custom virtual host, see Sample Logrotate Configurations and Troubleshooting.