Credit: deovolenti Log rotation, a normal thing on Linux systems, keeps any particular log file from becoming too large, yet ensures that sufficient details on system activities are still available for proper system monitoring and troubleshooting. The oldest in a group of log files is removed, remaining log files are bumped down a notch and a newer file takes its place as the current log file. This process is conveniently automated and the details can be adjusted as needed. Manual rotation of log files is possible through the use of the logrotate command. This post provides details on how to manually rotate log files and what to expect. The examples described in this post work on Ubuntu and related Linux systems. Other systems might use different log file and configuration file names, but the process itself should be very similar. Why rotate a log file Under normal circumstances, there is no need to manually rotate log files. Your Linux system should already be set up to rotate some logs daily (or less often) and others depending on their size. If you need to rotate a log file to free up space or separate a current log from ongoing activity, it’s fairly easy to do but will depend on your file-rotation specifications. A little background A number of log files are set up for rotation as soon as a Linux system is installed. In addition, certain applications add their own log files and rotation specs when they are installed on the system. The configuration files for log-file rotations can be found in the /etc/logrotate.d directory. Details on how this process works are available on an earlier post. In the log-rotation process, the current log generally acquires a name like log.1, the old log.1 becomes log.2 and so on while the oldest of the log files, say log.7, is removed from the system. Of course, the names and number of versions retained depend on the logs being rotated and the rotation specifications for those files in the /etc/logrotate.d directory. For some log files, only a few “generations” are retained while, for others, you might see seven or even more. After the usual log file rotation, your syslog files might look like the following. (NOTE: The “was syslog” comments at the end of lines were added to illustrate how the rotation process affected the files.) $ ls -l /var/log/syslog* -rw-r----- 1 syslog adm 128674 Mar 10 08:00 /var/log/syslog You might not be surprised to see that all but the current and most recent log files on this system have been gzipped to save space. The expectation behind this is that most system admins would likely be looking at only the most recent files, so keeping others available but compressed is a smart move. Manual log rotation To manually rotate the syslog files, you would use the logrotate command like this: $ sudo logrotate -f /etc/logrotate.d/rsyslog Notice that this logrotate command uses -f (force the rotation) option. The rotation configuration details are pulled from the specified file in the /etc/logrotate.d/rsyslog directory. This command would then follow the typical process – remove syslog.7.gz, move syslog.6.gz to syslog.7.gz, move syslog.5.gz to syslog.6.gz, move syslog.4.gz to syslog.5.gz, move syslog.3.gz to syslog.4.gz, and move syslog.2.gz to syslog.1.gz, but it would not necessarily create the new syslog file. You could do that manually with commands like these to set up the file and ensure proper file ownership and permissions: $ sudo touch /var/log/syslog $ sudo chown syslog:adm /var/log/syslog $ sudo chmod 640 /var/log/syslog Alternately, you could add this line to your /etc/logrotate.d/rsyslog file to do the work for you: create 0640 syslog adm Insert as shown below: /var/log/syslog { rotate 7 daily missingok notifempty create 0640 syslog adm Here is an example of manual log rotation of the wtmp log files that record user logins. Note that only two wtmp files are retained on this system due to the "rotate 2" specification in /etc/logrotate.d/wtmp. Before: $ ls -l wtmp* -rw-r----- 1 root utmp 1152 Mar 12 11:49 wtmp -rw-r----- 1 root utmp 768 Mar 11 17:04 wtmp.1 Command: $ sudo logrotate -f /etc/logrotate.d/wtmp After: $ ls -l /var/log/wtmp* -rw-r----- 1 root utmp 0 Mar 12 11:52 /var/log/wtmp -rw-r----- 1 root utmp 1152 Mar 12 11:49 /var/log/wtmp.1 -rw-r----- 1 root adm 99726 Feb 21 07:46 /var/log/wtmp.report Notice that the most recent rotations for each log are captured in logrotate's status file – whether the rotations are done manually or are automated: $ grep wtmp /var/lib/logrotate/status "/var/log/wtmp" 2020-3-12-11:52:57 Related content how-to How to examine files on Linux Linux provides very useful options for viewing file attributes, such as owners and permissions, as well as file content. By Sandra Henry Stocker Oct 24, 2024 6 mins Linux how-to 8 easy ways to reuse commands on Linux Typing the same command again and again can become tiresome. Here are a number of ways you can make repeating commands – or repeating commands but with some changes – a lot easier than you might expect. By Sandra Henry-Stocker Oct 15, 2024 5 mins Linux news SUSE Edge upgrade targets Kubernetes and Linux at the edge SUSE Edge 3.1 includes a new stack validation framework and an image builder tool that are aimed at improving the scalability and manageability of complex Kubernetes and Linux edge-computing deployments. By Sean Michael Kerner Oct 15, 2024 6 mins Edge Computing Linux Network Management Software how-to Lesser-known xargs command is a versatile time saver Boost your Linux command line options and simplify your work with xargs, a handy tool for a number of data manipulation tasks. By Sandra Henry Stocker Oct 11, 2024 6 mins Linux PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe