How To Configure Log Rotation with Logrotate on Ubuntu 18.04 LTS

One of the most essential task for a system administrator is the ability to manage log files. Log rotation is an automated process in which dated log files are archived. It provides a way to limit the total size of the logs retained. In this tutorial, we are going to learn how to configure log rotation with logrotate on Ubuntu 18.04 LTS.

You may also want to check our previous tutorial on How to Configure Remote Logging with Rsyslog on Ubuntu 18.04.

The logrotate command makes it easy to administer systems that generate large amount of logs. It allows automatic rotation, compression, removal, and mailing of log files. These log files maybe processed on a daily, weekly or monthly basis or whenever they grow beyond specific size.

Installing Logrotate on Ubuntu

Logrotate is installed by default on Ubuntu 18.04. To verify this, check the installed version by running the command below;

# logrotate --version
logrotate 3.11.0

If it is not installed, run the command below to install it.

# apt-get install logrotate -y

Logrotate Configuration files

There are two major configuration files for logrotate;

• /etc/logrotate.conf
  – Defines global options that apply to every log file.
• /etc/logrotate.d/
  – Defines configuration options for specific log files. Packages that are installed on the system and requires log rotation places their log rotation configuration files here.

Before we can dive deeper, let us explore these configuration files;

# less /etc/logrotate.conf

# see "man logrotate" for details
# rotate log files weekly
weekly

# use the syslog group by default, since this is the owning group
# of /var/log/syslog.
su root syslog

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}

# system-specific logs may be configured here

Below is a brief description of the directives that can be used on the logrotate configuration files;

• weekly – Rotates log files every week. Simillar directives include;
  • daily
    
  • monthly
  • yearly
• su user group – Rotate log files set under this user and group instead of using default user/group (usually root). user/group specifies the user/group used for rotation.
• rotate count – Log files are rotated count times before being removed or mailed to the address specified in a mail directive. So rotate 4 would keep only four rotated log files. If the value 0 is specified, old log files are removed instead of rotated
• create [mode owner group], create [owner group] – creates the log file immediately after rotation. mode specifies the mode for the log file in octal format e.g 0660, owner specifies the user name who will own the log file, group specifies the group the log file will belong to.
  • nocreate – New log files are not created
• compress – compresses the old log files with gzip by default. Similar directives include;
  • nocompress – Do not compress old log files.
  • compresscmd – Specifies the command to be used for compressing
  • uncompresscmd – Specifies which command to use to uncompress log files e.g gunzip.
  • compressext – Specifies which extension to use on compressed logfiles, if compression is enabled. The default follows that of the configured compression command.
  • compressoptions – Specifies any options to be passed to the compression program
    used.
  • delaycompress – Postpones the compression of log files to the next rotation of log files
• include file_or_directory – Reads the file given as an argument as if it was included inline. If a directory is given for example /etc/logrotate.d, most of the files in that directory are read in alphabetic order before processing of the including file continues.
  
• missingok – If the log file is missing, go on to the next one without issuing an error message. Similar directive is;
  • nomissingok – If a log file does not exist, issue an error
• ifempty – Rotate log file even if it empty. Similar directive is
  • notifempty – Do not rotate the log if it is empty
• mail ADDRESS – Enables mailing of log files that have been rotated as many
  times as is defined by the rotate directive to the specified address. Similar directives include:
  • nomail – Do not mail old log files to any address.
  • mailfirst – Specifies that the just-rotated log files are to be mailed, instead of the aboutto-expire log files.
  • maillast – Specifies that the about-to-expire log files are to be mailed, instead of the justrotated log files. This is the default option when mail is enable
• maxage count – Remove rotated logs older than <count> days.
• size size – Log files are rotated only if they grow bigger than size bytes. If size is followed by k, the size is assumed to be in kilobytes. If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. Simillar directives include;
  • maxsize size – Log files are rotated when they grow bigger than size bytes even before the specified time interval (daily, weekly, monthly, or yearly).
  • minsize size – Log files are rotated when they grow bigger than size bytes but not before the specified time interval (daily, weekly, monthly, or yearly).
• copy – Make a copy of the log file, but don’t change the original at all.Similar directive is;
  • copytruncate – Truncate the original log file to zero size in place after creating a copy, instead of moving the old log file and optionally creating a new one.
  • nocopy – Do not copy the original log file and leave it in place
  • nocopytruncate – Do not truncate the original log file in place after creating a copy

For a comprehensive list of directives, check the man pages for logrotate.

Creating Custom Configuration Files

The /etc/logrotate.d contains custom specific configurations that overrides the default configurations defined in /etc/logrotate.conf. In this section we will be going through examples of various configurations.

Rotate the log file daily

# less /etc/logrotate.d/custom.conf
/var/log/remotelogs/192.168.43.214/auth.log {
        daily
        missingok
        notifempty
        rotate 4
        compress
}

Rotate the log file when they grow more than 1G of size even before the specified time interval of rotation

# less /etc/logrotate.d/custom.conf
/var/log/remotelogs/192.168.43.214/auth.log{
        maxsize 1G
        daily
        missingok
        notifempty
        rotate 4
        compress
}

Remove Rotated files after a specific number of days

# less /etc/logrotate.d/custom.conf
/var/log/remotelogs/192.168.43.214/auth.log{
        size 10G
        maxage 90
        missingok
        notifempty
        rotate 7
        compress
}

Specify compression command for the log file rotation

# less /etc/logrotate.d/custom.conf
/var/log/remotelogs/192.168.43.214/auth.log{
        size 10G
        maxage 90
        missingok
        notifempty
        rotate 7
        compress
        compresscmd /bin/bzip2
        compressext .bz2
}

Run specific commands after rotating log files

# less /etc/logrotate.d/custom.conf
/var/log/remotelogs/192.168.43.214/sshd.log {
        rotate 5
        weekly
        sharedscripts
        postrotate
        /usr/bin/killall -HUP rsyslogd
        endscript
}

The sharedscripts means that the postrotate script will only be run once (after the old logs have been compressed), not once for each log which is rotated.

Append date to the log files after rotation

# less /etc/logrotate.d/custom.conf
/var/log/remotelogs/192.168.43.214/sshd.log{
        size 200k
        missingok
        notifempty
        rotate 7
        compress
        dateext
        dateformat -%Y-%m-%d
}

Mail rotated log files uncompressed after 5 rotations

# less /etc/logrotate.d/custom.conf
/var/log/remotelogs/192.168.43.214/auth.log {
        rotate 5
        mail [email protected]
        size 50k
        daily
        missingok
        notifempty
}

That is all we could cover on this article. For a comprehensive list of logrotate directives, check the man pages for logrotate. Thank you for reading.