Best Practices for Log Rotation and Management on RHEL 9

Discover the best practices for log rotation and management on RHEL 9 using logrotate. Learn how to automate, compress, secure, and retain logs effectively.

🔈 Introduction

Managing system logs is a critical task for Linux administrators. Without proper log rotation, logs can grow indefinitely, consuming disk space and degrading system performance. On RHEL 9, logrotate is the default tool for automating log rotation, compression, and cleanup.

In this guide, we’ll explore best practices for log rotation and log management on RHEL 9, helping you ensure that your system logs are well-organized, secure, and optimized for long-term performance and compliance.


🤔 Why Log Management Matters

System logs capture vital data including kernel events, authentication attempts, system service outputs, application errors, and more. Poor log management can lead to:

  • Disk space exhaustion
  • Security blind spots
  • Regulatory compliance failures
  • Reduced system performance

Log rotation ensures that logs are archived and/or deleted periodically, preventing issues associated with unchecked log file growth.


✅ Understanding logrotate in RHEL 9

logrotate is a system utility designed to automate log rotation. It’s highly configurable and supports:

| Feature | Description |
| --- | --- |
| Automatic Rotation | Rotate logs daily, weekly, monthly, or based on size |
| Compression | Compress old logs (e.g., with gzip) to save space |
| Retention Policies | Keep logs for a certain number of rotations |
| Custom Scripts | Run scripts before or after rotation (e.g., restart services) |
| Email Notifications | Alert administrators when logs are rotated |

✅ Logrotate Configuration Structure

Logrotate configurations are typically found in two places:

| Location | Purpose |
| --- | --- |
| /etc/logrotate.conf | Main configuration file |
| /etc/logrotate.d/ | Per-application configuration files |

The system-level configuration applies default settings, while application-specific files allow granular control.


📋 Step-by-Step: Configuring Log Rotation on RHEL 9

🔄 Step 1: View the Default Configuration

Check the global logrotate configuration:

				
					cat /etc/logrotate.conf
				
			

Typical default content:

				
    weekly
    rotate 4
    create
    compress
    include /etc/logrotate.d
				
			

Explanation

  • weekly: Rotate logs every week
  • rotate 4: Keep 4 old log files
  • create: Create a new log file after rotation
  • compress: Compress rotated logs
  • include: Load additional configs from /etc/logrotate.d

🔄 Step 2: Example of a Custom Log Rotation File

Let’s say you want to manage logs for a custom application that writes to /var/log/myapp.log. Create a new file:

				
					sudo vim /etc/logrotate.d/myapp
				
			

Add the following configuration:

				
    /var/log/myapp.log {
        daily
        rotate 7
        compress
        missingok
        notifempty
        create 0640 root root
        postrotate
            systemctl reload myapp.service > /dev/null 2>&1 || true
        endscript
    }
				
			

What each directive means

| Directive | Meaning |
| --- | --- |
| daily | Rotate the log file every day |
| rotate 7 | Keep the last 7 logs |
| compress | Gzip old logs |
| missingok | Don’t complain if the log file is missing |
| notifempty | Don’t rotate empty logs |
| create | Create a new log file with specific permissions |
| postrotate | Command to run after rotation (e.g., restart or reload app) |

🔄 Step 3: Test Logrotate Configuration

You can manually test your logrotate config using:

				
					sudo logrotate -d /etc/logrotate.conf
				
			

This performs a dry run and shows what would happen during actual rotation.

				
					WARNING: logrotate in debug mode does nothing except printing debug messages!  Consider using verbose mode (-v) instead if this is not what you want.

reading config file /etc/logrotate.conf
including /etc/logrotate.d
reading config file bootlog
reading config file btmp
reading config file chrony
reading config file dnf
reading config file firewalld
reading config file haproxy
reading config file httpd
reading config file insights-client
reading config file iscsiuiolog
reading config file kvm_stat
reading config file php-fpm
reading config file psacct
reading config file samba
olddir is now /var/log/samba/old
reading config file sssd
reading config file subscription-manager
reading config file syslog
reading config file wtmp
reading config file zabbix-agent
reading config file zabbix-server
Reading state from file: /var/lib/logrotate/logrotate.status
Allocating hash table for state file, size 64 entries
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state

Handling 19 logs

rotating pattern: /var/log/boot.log
 after 1 days (7 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/boot.log
  Now: 2025-08-24 21:12
  Last rotated at 2025-08-22 03:50
  log does not need rotating (log is empty)
...omitted for brevity...
				
			

To force actual rotation:

				
					sudo logrotate -f /etc/logrotate.conf
				
			

📋 Best Practices for Log Rotation and Management

Here are the most important best practices for managing logs on RHEL 9:

🔄 Rotate Logs Based on Size for High-Volume Applications

Some applications generate large logs rapidly. Rotate them by size:

				
    /var/log/bigapp.log {
        size 100M
        rotate 5
        compress
        missingok
    }
				
			

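This rotates the log when it exceeds 100 MB. The size is checked each time logrotate runs, so the file can grow past the threshold between runs.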

🔄 Secure Log Files with Proper Permissions

Logs may contain sensitive information. Use the create directive to set strict permissions:

				
					create 0600 root root
				
			

This ensures that the log file created after each rotation can be read only by root.
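An added example, not part of the original article: a POSIX shell check that flags `create` modes in logrotate configs, and existing files under a log directory, that are looser than the 0640 used in Step 2. The 027 mask, the function names and the demo files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article). A mode is reported when
# any bit of mask 027 is set: group-write, or any access for "other".

# lint_create_modes FILE...
# Prints "FILE:LINE: create MODE" per offending directive; returns 1 if any.
lint_create_modes() {
    [ "$#" -gt 0 ] || return 2
    # Only "create" lines that carry an octal mode are checked; a bare
    # "create" inherits the mode of the old log file.
    awk '$1 == "create" && $2 ~ /^[0-7]+$/ { print $2, FILENAME ":" FNR }' "$@" |
    (
        status=0
        while read -r mode loc; do
            # The leading 0 makes the shell parse the mode as octal.
            if [ $(( 0$mode & 027 )) -ne 0 ]; then
                printf '%s: create %s\n' "$loc" "$mode"
                status=1
            fi
        done
        exit "$status"
    )
}

# audit_log_files DIR
# Lists existing files under DIR that have any bit of mask 027 set.
audit_log_files() {
    find "$1" -type f \
        \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Constructed demo: the article's 0640 policy passes, a 0644 one is flagged.
demo() {
    d=$(mktemp -d) || return 1
    printf '/var/log/myapp.log {\n    create 0640 root root\n}\n' >"$d/myapp"
    printf '/var/log/other.log {\n    create 0644 root root\n}\n' >"$d/other"
    r=0
    lint_create_modes "$d/myapp" "$d/other" || r=$?
    rm -rf "$d"
    return "$r"
}
```

On a real host, run `lint_create_modes /etc/logrotate.d/*` and `audit_log_files /var/log`. Some system logs are intentionally group- or world-readable, so treat the output as a review list.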

🔄 Use Compression to Save Disk Space

Always enable compression to prevent large file accumulation:

				
					compress
				
			

Old log files will be stored as .gz files, reducing their size by up to 90%.

🔄 Monitor Disk Usage

Use tools like du, df, and ncdu to keep an eye on disk space used by logs:

				
					du -sh /var/log/*
				
			

Set up alerts using tools like logwatch, monit, or systemd timers to notify you when space is running low.

🔄 Separate Logs by Application

Store logs in app-specific directories:

				
					/var/log/myapp/
				
			

This allows you to tailor logrotate policies per app and keeps the system organized.

🔄 Use Systemd Journald in Combination (If Needed)

RHEL 9 uses systemd-journald alongside traditional logs. You can forward journal logs to syslog or manage journal size with:

				
					sudo journalctl --vacuum-size=500M
				
			

Or to remove journal entries older than 7 days (a one-time cleanup each time the command is run):

				
					sudo journalctl --vacuum-time=7d
				
			

🔄 Audit and Archive Critical Logs

For compliance, you might need to retain logs long-term. Use remote log servers (via rsyslog or syslog-ng) and archive using cron or external storage. Create cron jobs to back up logs:

				
					0 2 * * * tar -czf /backup/logs_$(date +\%F).tar.gz /var/log/myapp/
				
			

🔄 Automate with Ansible or Scripts

For managing logrotate across many servers, use Ansible to push consistent policies:

				
    - name: Deploy logrotate config
      copy:
        src: files/myapp
        dest: /etc/logrotate.d/myapp
        owner: root
        group: root
        # Quote the mode so it is passed as an octal string
        mode: "0644"
				
			

🧰 Troubleshooting Logrotate Issues

If logs aren’t rotating as expected, check whether the cron job or systemd timer is running:

				
					systemctl status logrotate.timer
				
			

Check the logrotate state file, which records when each log was last rotated:

    cat /var/lib/logrotate/logrotate.status
				
			

Look for syntax errors in config:

				
					sudo logrotate -d /etc/logrotate.conf
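An added example, not part of the original article: a POSIX shell function that reads /var/lib/logrotate/logrotate.status (the state file named in the debug output in Step 3) and lists logs whose last recorded rotation is older than a cutoff date. It assumes the version 2 state format, one `"PATH" YYYY-M-D-H:M:S` entry per line; the function names and the myapp entry are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article).

# stale_rotations CUTOFF [STATE_FILE]
# CUTOFF is YYYYMMDD. Prints "YYYY-MM-DD PATH" for every entry whose last
# recorded rotation date is earlier than CUTOFF.
stale_rotations() {
    awk -v cutoff="$1" '
        {
            # The timestamp is the last field; the quoted path may hold spaces.
            n = split($NF, t, "-")
            if (n < 3) next                 # header line or malformed entry
            stamp = t[1] * 10000 + t[2] * 100 + t[3]
            path = $0
            sub(/^"/, "", path)
            sub(/" [^ ]*$/, "", path)
            if (stamp < cutoff + 0)
                printf "%04d-%02d-%02d %s\n", t[1], t[2], t[3], path
        }' "${2:-/var/lib/logrotate/logrotate.status}"
}

# Constructed demo: boot.log uses the date shown in the Step 3 output,
# the myapp.log entry is made up.
stale_demo() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
logrotate state -- version 2
"/var/log/boot.log" 2025-8-22-3:50:0
"/var/log/myapp.log" 2025-8-10-0:0:1
EOF
    stale_rotations 20250817 "$f"
    rm -f "$f"
}
```

A log that appears here is not necessarily broken: with notifempty, an empty log is skipped, as the boot.log entry in the Step 3 output shows.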
				
			

📌 Conclusion

Effective log rotation and management are essential for maintaining system performance, securing sensitive data, and ensuring compliance. On RHEL 9, logrotate offers a powerful and flexible way to automate log rotation, compression, and retention.

By following the best practices in this guide—such as securing log files, compressing old logs, and monitoring disk space—you’ll maintain a clean, stable, and secure logging environment.
