Log Management with logrotate
If you are an administrator for a company or just looking after some personal servers, you will soon realise that it is important to manage your log files properly. Log files give you important information about the health and security of your system. If you have not planned for log management, chances are that either you are logging everything to a single file, which can grow to hundreds of megabytes and make it really hard to pinpoint important information, or the system is automatically deleting logs older than a certain period of time.
I have experienced similar situations and that is when I implemented logrotate. It allows you to manage your log files and rotate them daily, weekly, monthly or on a schedule you prefer. You can keep older files by defining a higher rotation number, or let the system overwrite older files by defining a lower value for rotation. To install logrotate on a CentOS system, type the following command in a terminal.
yum -y install logrotate
Once installed, inspect the configuration file /etc/logrotate.conf. Below is the default configuration file for logrotate version 3.7.8.
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}
# system-specific logs may be also be configured here.
As you can see, the default configuration rotates log files weekly and keeps four log files, after which it will overwrite existing log files. You can also compress your log files and rotate the files based on file size instead of a time frame.
It is a good idea not to change the default configuration; instead, create new configurations inside the directory /etc/logrotate.d/. As you can see above, the main configuration file has a directive to include all configuration inside /etc/logrotate.d/.
Let’s create a configuration for a mail server and rotate the /var/log/maillog file on a daily basis. I just prefer separating files by day rather than by week. How often you should rotate depends on how quickly the file grows, so if you have high traffic on a server then doing it on a daily basis makes more sense.
I have created the following configuration which you can modify easily to meet your requirements.
#rotate the file /var/log/maillog
/var/log/maillog {
    #if the log file doesn't exist don't issue any error and move to next file
    missingok
    #rotate daily means create one file for one day
    daily
    #create a new file with these permissions
    create 0600 root root
    #don't delete older files and keep up to 36500 files which is roughly 10 years
    rotate 36500
}
I am just using a few settings here but logrotate offers much more. I will be implementing more settings in future but for now I will just keep it simple. See the comments I have added above for information on what each directive is doing. Remember to include all settings enclosed inside curly braces.
You can also email or compress log files, or run a pre- or post-rotate command, which I will try to include in a future post. Have fun and don’t forget to check the manual page for more information.
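As an added example (not part of the original post and not shipped with logrotate), the shell function below lists the mode each stanza's create directive assigns to the new log file and marks modes that grant any access to other users, which is what the create 0600 root root line above controls. The function names, the sample file and the /var/log/example-*.log paths are constructed for illustration, and the parser assumes the opening brace is on the same line as the log path.

```shell
#!/bin/sh
# Added example, not from the original post: report the mode that each
# logrotate stanza's "create" directive gives the freshly created log file.

# Print "<log path> <mode> <verdict>" for every stanza in config file $1.
# Assumption: the opening "{" sits on the same line as the log path(s).
audit_create_modes() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        /[{][ \t]*$/ {                          # stanza header: "path [path ...] {"
            sub(/[{][ \t]*$/, ""); paths = $0
            gsub(/^[ \t]+|[ \t]+$/, "", paths)
            mode = "inherited"; next            # no explicit mode seen yet
        }
        paths != "" && $1 == "create" && $2 ~ /^[0-7]+$/ { mode = $2 }
        paths != "" && $1 == "}" {              # stanza end: judge the last octal digit
            verdict = "ok"
            if (mode == "inherited") verdict = "check-existing-file"
            else if (substr(mode, length(mode)) != "0") verdict = "other-access"
            n = split(paths, p, /[ \t]+/)
            for (i = 1; i <= n; i++) print p[i], mode, verdict
            paths = ""
        }
    ' "$1"
}

# Constructed sample input: the create lines discussed in the article plus a
# hypothetical two-path stanza that sets no mode of its own.
write_sample() {
    cat > "$1" <<'EOF'
create
/var/log/wtmp {
    create 0664 root utmp
}
/var/log/btmp {
    create 0600 root utmp
}
# the mail server drop-in from the article
/var/log/maillog {
    missingok
    daily
    create 0600 root root
    rotate 36500
}
/var/log/example-a.log /var/log/example-b.log {
    weekly
}
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && audit_create_modes "$tmp"
rm -f "$tmp"
```

A stanza reported as inherited sets no mode, so the new file takes the mode of the log it replaces and that file's permissions are the ones to check. Running logrotate -d against a new drop-in prints what would be rotated without changing any log.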