Logrotate Configuration Step By Step Guide RHEL 7

logrotate is designed to ease administration of systems that generate large numbers of log files, to rotate log file based on file size, time and date. It allows rotation that is automatic compression, removal, and mailing of log files. Each log file may be handled hourly, daily, weekly, monthly, or when it grows too large.

Normally, logrotate is run as a cron job that is daily (Under /etc/cron.daily/ directory). It will not modify a log times that are multiple one day unless criteria for that log is based on the log’s size and logrotate is being run times that are multiple day, or unless the -f or –force option is used.

Any number of config files may be given on the command line. Later files that are config override the options given in earlier files, so the order in which the logrotate config files are listed is important. Normally, a config that is single which includes any other config files which are needed should be used.

Logrotate Configuration RHEL 7

  • Based on Log file Size
  • Time based log rotation
  • Compress old log files
  • Clean logs files which are matching log rotation rule
  • Create new files after log rotate

Specially when your dealing with rsyslog server with wide range of devices you have to clear up and store logs properly otherwise disk space may fill up quickly and which may lead to interruption in other services

Rotating Logs Daily

There is a script called logrotate in cron which executes daily, upon execution logs will rotate based on configuration

cat /etc/cron.daily/logrotate
#!/bin/sh

/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

whatever you write on the configuration file /etc/logrotate.conf which will be executed as part of this schedule. If you would like to write your own log rotation you simple write into a file and place into logrotate.d directory

cat /etc/logrotate.conf
#Default log rotation filedaily --Rotate Daily
rotate 4 --Keep 4 logs files and delete fifth one
create --Create new file after log rotation
dateext --Add Date Extension to log file YEAR-MONTH-DAY (YYYYMMDD)
include /etc/logrotate.d --Execute all the files in log rotate directory
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}

/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}

Create Custom Logrotate Config

Scenario: I am getting lot of firewall log data to syslog server, would like to rotate log files every hour and sync to remote server and delete

#vi /etc/logrotate.conf

/var/log/firewall/* {
    rotate 3
    daily
    minsize 1M
    dateformat "-%Y%m%d%s"
    postrotate
           /scripts/syslogservice.sh
    endscript
}

First line in configuration file says rotate all the log files which are stored in /etc/log/firewall. Keep 3 log files and delete 4th log file. Minimum log file size meets 1M in size then log file is eligible to rotate. Add custom date format to log after rotation. After complete rotation execute script file.

Hourly Logrotate

Note: In old version of logrotate may not support this hourly, in RHEL 7 Or Centos 7 hourly string is valid.

#vi /etc/customlogrotate.conf

 /tmp/logs/messages {
       rotate 5
       hourly
       postrotate
           /usr/bin/killall -HUP syslogd
       endscript
}

If you use above log rotate config log’s can’t be rotate hourly by default in order to rotate hourly you have to copy /etc/cron.daily/logrotate file to /etc/cron.hourly and modify accordingly to point new config file

Or

add  below command to crontab with schedule every hour

/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/customlogrotate.conf

Logrotate based on size

Rotate the log file when file size reaches specified limit

# cat logrotate.conf
/var/log/logsize/output.log {
        size 100k
        create 755 aravi users
        rotate 5
}
  • size – verifies the file size 100 kb equal to or greater than
  • create – new file with 755 permissions and owner aravi and group users
  • rotate 5 – Keep only 5 logs files and delete 6th one

Daily/Weekly/Monthly Log rotation with compression example

/tmp/logs/output.log {
      monthly  #you can add weekly or daily instead of monthly
      copytruncate
      rotate 4
      compress
}

above config lines will rotate log files every month and keeps 4 log files in log directory. similar way of you replace monthly with weekly or daily keywords which becomes weekly or daily rotation

Logrotate command options

debug and verify the configuration file errors -d option is used to verify logrotate configuration

logrotate -d /etc/logrotate.conf
           -m "Email subject" Emailid@company.com ##To Send email
           -s <state file path> ##This is useful if logrotate is being run as a different user for various sets of  log  files.   The  default  state  file  is  /var/lib/logrotate/logrotate.status.
           -f #forcefully rotate the log file if config condition not-matched also

refer man 8 logrotate for more config options

Related Articles

How to configure rsyslog server to store http logs

big data practice lab building

log rotate

 

Thanks for your wonderful Support and Encouragement