Credit: deovolenti Log rotation, a normal thing on Linux systems, keeps any particular log file from becoming too large, yet ensures that sufficient details on system activities are still available for proper system monitoring and troubleshooting. The oldest in a group of log files is removed, remaining log files are bumped down a notch and a newer file takes its place as the current log file. This process is conveniently automated and the details can be adjusted as needed. Manual rotation of log files is possible through the use of the logrotate command. This post provides details on how to manually rotate log files and what to expect. The examples described in this post work on Ubuntu and related Linux systems. Other systems might use different log file and configuration file names, but the process itself should be very similar. Why rotate a log file Under normal circumstances, there is no need to manually rotate log files. Your Linux system should already be set up to rotate some logs daily (or less often) and others depending on their size. If you need to rotate a log file to free up space or separate a current log from ongoing activity, it’s fairly easy to do but will depend on your file-rotation specifications. A little background A number of log files are set up for rotation as soon as a Linux system is installed. In addition, certain applications add their own log files and rotation specs when they are installed on the system. The configuration files for log-file rotations can be found in the /etc/logrotate.d directory. Details on how this process works are available on an earlier post. In the log-rotation process, the current log generally acquires a name like log.1, the old log.1 becomes log.2 and so on while the oldest of the log files, say log.7, is removed from the system. Of course, the names and number of versions retained depend on the logs being rotated and the rotation specifications for those files in the /etc/logrotate.d directory. For some log files, only a few “generations” are retained while, for others, you might see seven or even more. After the usual log file rotation, your syslog files might look like the following. (NOTE: The “was syslog” comments at the end of lines were added to illustrate how the rotation process affected the files.) $ ls -l /var/log/syslog* -rw-r----- 1 syslog adm 128674 Mar 10 08:00 /var/log/syslog You might not be surprised to see that all but the current and most recent log files on this system have been gzipped to save space. The expectation behind this is that most system admins would likely be looking at only the most recent files, so keeping others available but compressed is a smart move. Manual log rotation To manually rotate the syslog files, you would use the logrotate command like this: $ sudo logrotate -f /etc/logrotate.d/rsyslog Notice that this logrotate command uses -f (force the rotation) option. The rotation configuration details are pulled from the specified file in the /etc/logrotate.d/rsyslog directory. This command would then follow the typical process – remove syslog.7.gz, move syslog.6.gz to syslog.7.gz, move syslog.5.gz to syslog.6.gz, move syslog.4.gz to syslog.5.gz, move syslog.3.gz to syslog.4.gz, and move syslog.2.gz to syslog.1.gz, but it would not necessarily create the new syslog file. You could do that manually with commands like these to set up the file and ensure proper file ownership and permissions: $ sudo touch /var/log/syslog $ sudo chown syslog:adm /var/log/syslog $ sudo chmod 640 /var/log/syslog Alternately, you could add this line to your /etc/logrotate.d/rsyslog file to do the work for you: create 0640 syslog adm Insert as shown below: /var/log/syslog { rotate 7 daily missingok notifempty create 0640 syslog adm Here is an example of manual log rotation of the wtmp log files that record user logins. Note that only two wtmp files are retained on this system due to the "rotate 2" specification in /etc/logrotate.d/wtmp. Before: $ ls -l wtmp* -rw-r----- 1 root utmp 1152 Mar 12 11:49 wtmp -rw-r----- 1 root utmp 768 Mar 11 17:04 wtmp.1 Command: $ sudo logrotate -f /etc/logrotate.d/wtmp After: $ ls -l /var/log/wtmp* -rw-r----- 1 root utmp 0 Mar 12 11:52 /var/log/wtmp -rw-r----- 1 root utmp 1152 Mar 12 11:49 /var/log/wtmp.1 -rw-r----- 1 root adm 99726 Feb 21 07:46 /var/log/wtmp.report Notice that the most recent rotations for each log are captured in logrotate's status file – whether the rotations are done manually or are automated: $ grep wtmp /var/lib/logrotate/status "/var/log/wtmp" 2020-3-12-11:52:57 Related content how-to Compressing files using the zip command on Linux The zip command lets you compress files to preserve them or back them up, and you can require a password to extract the contents of a zip file. By Sandra Henry-Stocker May 13, 2024 4 mins Linux opinion NSA, FBI warn of email spoofing threat Email spoofing is acknowledged by experts as a very credible threat. By Sandra Henry-Stocker May 13, 2024 3 mins Linux how-to The logic of && and || on Linux These AND and OR equivalents can be used in scripts to determine next actions. By Sandra Henry-Stocker May 02, 2024 4 mins Linux how-to Using the apropos command on Linux By Sandra Henry-Stocker Apr 24, 2024 3 mins Linux PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe