Log rotation

From HandWiki
Short description: Aspect of computer systems management

In information technology, log rotation is an automated process used in system administration in which log files are compressed, moved (archived), renamed or deleted once they are too old or too large. New incoming log data is directed into a fresh file at the same location.[1]

The main purpose of log rotation is to prevent log data from consuming excessive disk space, while keeping individual files small enough to be opened and analysed. Servers running large applications, such as LAMP stacks, may log every request, producing large volumes of data over time. Log rotation provides a way to limit the total size of retained logs while still allowing analysis of recent events. Although smaller log files are sometimes said to improve write performance, file size does not in practice affect write speed: in most modern filesystem implementations, the kernel tracks the end-of-file position, so appending data is a constant-time operation regardless of file size.

Rotation triggers

Log rotation can be triggered by several conditions, which may be used individually or in combination:

  • Size-based: rotation occurs when a log file reaches a defined maximum size.
  • Time-based: rotation occurs on a fixed schedule, such as hourly, daily, weekly or monthly.
  • Signal-based: a running process receives a signal instructing it to close and reopen its log file, allowing rotation without interrupting the service.

Methods

In Linux, log rotation is typically performed using the logrotate command.[2][3] It can be configured to email logs to a systems administrator after rotation and to compress archived files. It is commonly run as a cron job, making log rotation fully automatic.

In FreeBSD and macOS, the newsyslog command is used.[4] It supports rotation based on file size, time or interval, can compress archives, and can send a signal to a process to reset its logging.

On Microsoft Windows, event logs are managed through the Windows Event Viewer, which allows administrators to configure a maximum log size and set the behaviour when that size is reached: overwrite old events, archive the log, or stop logging entirely.

Typically, when a new log file is created the previous file is renamed by appending a number (such as ".1") to its name. Each subsequent rotation increments these numbers, so log files "rotate" through a sequence. Files whose number exceeds a configured threshold are deleted or archived to free disk space.
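
The numbered scheme described above, combined with the size-based trigger, can be written out as follows. This is an added example, not code from the original article or from logrotate; the function `rotate`, its parameters and the file name `app.log` are assumptions made for illustration.

```python
import os
import tempfile


def rotate(path, keep=3, max_bytes=1024):
    """Rotate path to path.1 .. path.keep once it reaches max_bytes.

    Returns True if a rotation happened. Hypothetical helper, not logrotate's API.
    """
    if keep < 1:
        raise ValueError("keep must be at least 1")
    try:
        if os.path.getsize(path) < max_bytes:
            return False
    except FileNotFoundError:
        return False  # nothing to rotate yet
    # The oldest generation would be pushed past the threshold: delete it.
    oldest = f"{path}.{keep}"
    if os.path.exists(oldest):
        os.remove(oldest)
    # Shift highest number first so no generation overwrites another.
    for n in range(keep - 1, 0, -1):
        if os.path.exists(f"{path}.{n}"):
            os.replace(f"{path}.{n}", f"{path}.{n + 1}")
    os.replace(path, f"{path}.1")
    # Fresh file at the same location, readable by its owner only;
    # O_EXCL fails instead of reusing a file that appeared in the meantime.
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
    return True


def demo():
    """Write five oversized batches (constructed data) and rotate after each."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "app.log")
        for i in range(5):
            with open(log, "a") as f:
                f.write(f"entry {i}\n" * 200)  # 1600 bytes, above max_bytes
            rotate(log, keep=3, max_bytes=1024)
        with open(log + ".1") as f:
            newest = f.readline().strip()
        with open(log + ".3") as f:
            oldest = f.readline().strip()
        return sorted(os.listdir(d)), newest, oldest


if __name__ == "__main__":
    print(demo())
```

A process that already holds the log open keeps writing to the renamed file until it reopens its log, which is the case the signal-based trigger addresses.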

References

  1. Kent, Karen; Souppaya, Murugiah (September 2006). "Guide to Computer Security Management: Recommendations of the National Institute of Standards and Technology". Gaithersburg, MD: National Institute of Standards and Technology: Technology Administration, U.S. Department of Commerce. p. 3. http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf. "Log rotation is closing a log file and opening a new log file when the first file is considered to be complete. Log rotation is typically performed according to a schedule (e.g., hourly, daily, weekly) or when a log file reaches a certain size." 
  2. "logrotate (8) - Linux man page". http://linux.die.net/man/8/logrotate. 
  3. "Log rotation". http://www-uxsup.csx.cam.ac.uk/~jw35/courses/apache/html/x1670.htm. 
  4. "newsyslog (8) - maintain system log files to manageable sizes". http://www.freebsd.org/cgi/man.cgi?newsyslog%288%29.