Logrotate

From Leo's Notes
Last edited on 8 October 2023, at 04:16.

Logrotate is a utility that rotates logs. Log rotation simply means to rename an existing log file to something else, thereby keeping the log file sizes tenable. Logrotate makes it easy to define log rotation rules, such as how many old logs to keep and for how long, the size a log should be before it's rotated, any post-rotation commands it needs to run, and more.

Introduction

Installation

Logrotate is typically found in your distro's repos as 'logrotate'. On Fedora / Red Hat / Rocky Linux systems, just install the package.

# yum -y install logrotate

On NixOS, enable Logrotate by setting the services.logrotate.enable = true setting. See the example further down on this page.

Cronjob

Logrotate is triggered daily via a cronjob and as a result, there is no logrotate daemon. Typically, the cronjob is installed in /etc/cron.daily/ but could also be as a @daily job in /etc/crontab on some systems.

By default, installing Logrotate will also include some standard configuration files that will rotate some common system logs in /var/log.

Logrotate is triggered by cronjobs.

/etc/cron.daily/logrotate should have:

/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf

OR you should have a root crontab entry in /var/spool/cron/root similar to:

00 05 * * * /usr/sbin/logrotate -f /etc/logrotate.conf

Configuration

Configuration is done with /etc/logrotate.conf and additional log rotate definitions can be placed in /etc/logrotate.d/. For example, we could put httpd log rotation rules in /etc/logrotate.d/httpd.

Each logrotate configuration file can define global directives, followed by logfiles to rotate. A logfile definition can specify one or more log files and also supports globbing. Each logfile definition can have its own set of local directives that override the global directives (if any exists) defined within its configuration file.

** Global directives **
/path/to/logs/log1.log {
 ** Local Directives **
}
/path/to/logs/log1.log /path/to/logs/*.log {
 ** Local Directives **
}

It should also have at minimum the following directives:

Description Directives
When to rotate. By time or by size. daily, weekly, monthly

OR size based:

size 10M

How many rotated logs to keep. Eg. keep 30 logs. Anything past this will be deleted.

Set this to 0 to delete all rotated logs.

rotate 30

You may also optionally add the following directives depending on your needs:

Description Directives
Whether to create a new empty log after rotation is done.

Optionally, you may specify the new file's mode and ownership.

create, create mode owner group, nocreate
Use date as the suffix for rotated logs using the specified date format.

Creates logs like 'messages-2020-12-26'

dateext

dateformat .%Y-%m-%d

If you are not using date extensions, logrotate will use numbers starting at 0 instead.

Specify the starting number. Eg. 1. The first rotated log would be 'messages.0'.

start 1
Whether to compress the log or not. Uses gzip by default. compress
Delays compression of the logs by one rotation cycle. delaycompress
The extension of rotated log files. Eg. 'messages-2020-12-26.log' or 'messages.0.log'. extension log
Send an email when a log is rotated out of existance. mail user@domain.com
Move rotated logs to a different location. olddir /var/log/rotated
Ignore if file is missing missingok
Don't rotate if the file is empty notifempty
Run a command after the rotation is executed.

The contents are run using /bin/sh. The log files are passed as an argument.

postrotate
  /bin/kill -HUP 
endscript
Run the pre/post-rotate script only once, even if multiple logs were rotated sharedscripts

After defining your new rule, you can test it by running logrotate -v /etc/logrotate.d/your-new-config. If your logs aren't rotating, it's possible you need to tweak the state file in /var/lib/logrotate/logrotate.status for your particular log file in order for the rotate conditions to be fulfilled.

Tasks

Testing logrotate configs

To test a specific log rotate config, run:

# logrotate -v /etc/logrotate.d/your-new-config

That should print out what logrotate will do. The first time you run logrotate, logrotate will update the status file at /var/lib/logrotate/logrotate.status with the last time that the log files were looked at.

If you want to have logrotate rotate the logs for you, you will have to edit this status file and change the timestamp to sometime in the past and re-run the logrotate command again.

Rotating Traefik access logs

After configuring Traefik to log to /var/log/traefik, you may want to use this rule to rotate logs and then send USR1 to the container running Traefik.

Create a configuration file at /etc/logrotate.d/traefik with the following:

/var/log/traefik/access.log {
  daily
  rotate 7

  create 0644 root root
  missingok
  notifempty
  compress
  dateext
  dateformat .%Y-%m-%d

  postrotate
    docker kill --signal="USR1" $(docker ps | grep traefik: | awk '{print $1}')
  endscript
}

This will rotate logs daily and will retain up to 7 days worth of logs. Rotated logs are compressed. Verify the logs by running: logrotate -v /etc/logrotate.d/traefik.

Setup Logrotate for Traefik access logs under NixOS

Here's an example to rotate Traefik.

services.logrotate = {
    enable = true;

    settings = {
      # global options
      header = {
        dateext = true;
        compress = true;
        missingok = true;
        notifempty = true;
      };

      # Traefik logs
      "/var/log/traefik/access.log" = {
        frequency = "weekly";
        rotate = 8;
        postrotate = ''
          /run/current-system/sw/bin/docker kill --signal="USR1" $(/run/current-system/sw/bin/docker ps | /run/current-system/sw/bin/grep traefik: | /run/current-system/sw/bin/awk '{print $1}')
        '';
      };

    };
  };

See also