Skip to content

Cheatsheet

Logrotate Cheatsheet

CommandDescription
sudo logrotate -d /etc/logrotate.confValidate config without making changes
sudo logrotate -d /etc/logrotate.d/config-filenameValidate a single policy file without making changes
sudo logrotate -v /etc/logrotate.confEnable verbose output
sudo logrotate -f /etc/logrotate.confForce every log to rotate immediately
sudo logrotate -f /etc/logrotate.d/config-filenameForce only 1 policy
sudo systemctl status logrotate.timerCheck if logrotate is running on a timer

Policy Options Cheatsheet

You can configure new logrotate policies by creating a file in /etc/logrotate.d as root. Each policy begins with the path to the log file, and has a set of policies in {braces}. These options control the actions logrotate takes when it runs its schedule.

Some commonly used options:

DirectiveExampleDescription
dailydailyRotate logs every day.
weeklyweeklyRotate logs every week.
monthlymonthlyRotate logs every month.
yearlyyearlyRotate logs every year.
hourlyhourlyRotate every hour (if logrotate runs hourly).
minutes Nminutes 30Rotate every 30 minutes (supported in newer versions).
sizesize 10MRotate when the log reaches 10 MB. Supports k, M, and G (e.g. 500k, 10M, 2G).
minsizeminsize 5MRotate on the scheduled interval only if the log is at least 5 MB.
maxsizemaxsize 100MRotate immediately if the log exceeds 100 MB, regardless of schedule.
rotaterotate 7Keep the last 7 rotated logs.
maxagemaxage 30Delete rotated logs older than 30 days.
minageminage 7Do not rotate logs newer than 7 days.
compresscompressCompress rotated logs (gzip by default).
nocompressnocompressDisable compression.
compresscmdcompresscmd /usr/bin/xzUse a different compression program.
uncompresscmduncompresscmd /usr/bin/unxzProgram used to decompress logs.
compressextcompressext .xzExtension for compressed logs.
compressoptionscompressoptions -9Pass options to the compression program.
delaycompressdelaycompressCompress starting with the second rotation.
copycopyCopy the log without modifying the original.
copytruncatecopytruncateCopy the log, then truncate the original in place.
renamecopyrenamecopyRename, copy back, and remove the renamed file after rotation.
nocopytruncatenocopytruncateDisable copy-and-truncate behavior.
createcreate 0644 alice aliceCreate a new log file with the specified permissions and owner.
nocreatenocreateDo not create a new log after rotation.
olddirolddir /var/log/archiveStore rotated logs in another directory.
noolddirnoolddirKeep rotated logs beside the original log.
missingokmissingokIgnore missing log files.
nomissingoknomissingokTreat a missing log as an error.
notifemptynotifemptyDo not rotate empty log files.
ifemptyifemptyRotate logs even if they are empty.
dateextdateextUse date-based filenames (e.g. app.log-20260627).
nodateextnodateextUse numeric suffixes (.1, .2, etc.).
dateformatdateformat -%Y%m%dCustomize the date suffix format.
dateyesterdaydateyesterdayUse yesterday’s date in rotated filenames.
datehouragodatehouragoUse the previous hour in date-based filenames.
extensionextension .logPreserve the .log extension when rotating.
addextensionaddextension .bakAppend an extra extension to rotated logs.
startstart 5Start numbering rotated logs at .5.
mailmail admin@example.comEmail rotated logs.
nomailnomailDisable emailing logs.
mailfirstmailfirstMail the newly rotated log.
maillastmaillastMail the oldest log before it is deleted.
sharedscriptssharedscriptsRun prerotate/postrotate only once for all logs in the block.
nosharedscriptsnosharedscriptsRun scripts once per log file.
prerotateprerotate ... endscriptRun commands before rotation.
firstactionfirstaction ... endscriptRun commands once before any logs are rotated.
postrotatepostrotate ... endscriptRun commands after rotation (e.g. reload a service).
lastactionlastaction ... endscriptRun commands once after all rotations complete.
preremovepreremove ... endscriptRun commands before deleting an old log.
susu alice aliceRotate logs as the specified user and group.
tabooexttabooext + .rpmnew .bakIgnore files with these extensions.
taboopattaboopat + *.disabledIgnore files matching these patterns.
includeinclude /etc/logrotate.dInclude additional configuration files.
ignoreduplicatesignoreduplicatesIgnore duplicate log file definitions.
shredshredSecurely overwrite logs before deletion.
shredcyclesshredcycles 3Overwrite logs three times before deleting them.
allowhardlinkallowhardlinkAllow rotation of logs with multiple hard links.
noallowhardlinknoallowhardlinkRefuse to rotate logs with multiple hard links.

Example policy files

General purpose config

This is a good generic policy for most types of log files. The rules for this policy are:

  • Rotates logs at 50MB
  • Rotates logs weekly
  • Keeps 3 months of rotated logs
  • Compresses rotated logs
    • Waits 1 rotation before compressing the most recently compressed log
  • Skips missing target files and empty logs
  • Creates/initializes log file when it runs and sets ownership
/var/log/myapp.log {
    size 50M
    weekly
    maxage 90

    rotate 12

    compress
    delaycompress

    missingok
    notifempty

    #################################
    # Choose 1 of the options below #
    #################################
    
    ## Create log file & assign permissions if it doesn't exist
    create 0644 username groupname
}

Log in user’s $HOME

Rotate a file in a user alice’s home directory when it reaches 10MB or every month, whichever comes first:

/home/alice/.logs/some-logfile.log {
    size 10M
    monthly
    maxage 30

    rotate 4

    compress
    delaycompress

    missingok
    notifempty

    copytruncate
}

Daily rotate a busy app’s logs

Rotate logs for a busy app daily, but only if there’s at least 50MB of data in the log:

/var/log/myapp.log {
    daily
    minsize 50M

    rotate 14

    compress
    delaycompress

    missingok
    notifempty

    create 0640 myapp myapp
}

Rotate webserver logs when they reach 500MB

/var/log/nginx/access.log {
    maxsize 500M

    rotate 30

    compress

    create 0640 www-data adm

    postrotate
        systemctl reload nginx
    endscript
}

Create log archives

Archive logs weekly, keeping 3 months of weekly logs with date-based filenames. Produces log files like:

  • archive.log
  • archive.log-2026-06-20.gz
  • archive.log-2026-06-13.gz
/var/log/archive.log {
    weekly

    rotate 12

    dateext
    dateformat -%Y-%m-%d

    compress

    create 0644 root root
}

Move old logs to another directory on rotate

/var/log/myapp.log {
    weekly

    rotate 8

    olddir /var/log/archive

    compress

    create 0644 myapp myapp
}

Apply policy to any .log file in /var/log

/var/log/myapp/*.log {
    daily

    rotate 7

    compress

    sharedscripts

    postrotate
        systemctl reload myapp
    endscript
}

Keep 1 year of monthly logs

/var/log/audit.log {
    monthly

    rotate 12

    compress

    create 0600 root root
}

Delete old logs after 90 days

/var/log/events.log {
    weekly

    rotate 100

    maxage 90

    compress
}

Rotate logs by time, regardless of size

/var/log/cron.log {
    daily

    rotate 30

    compress

    missingok
    notifempty

    create 0644 root root
}

Rotate a large log at 2GB and archive with xz compression

/var/log/debug.log {
    size 2G

    rotate 10

    compress
    compresscmd /usr/bin/xz
    uncompresscmd /usr/bin/unxz
    compressext .xz
    compressoptions -9

    create 0644 root root
}

Perform an action after rotating

/var/log/mydaemon.log {
    weekly

    rotate 8

    compress

    create 0640 mydaemon mydaemon

    postrotate
        kill -HUP $(cat /run/mydaemon.pid)
    endscript
}
Last updated on