Jump to content

Log rotation

From Wikipedia, the free encyclopedia

In information technology, log rotation is an automated process used in system administration in which log files are compressed, moved (archived), renamed or deleted once they are too old or too big (there can be other metrics that can apply here). New incoming log data is directed into a new fresh file (at the same location).[1]

The main purpose of log rotation is to restrict the volume of the log data to avoid overflowing the record store, while keeping the log files small enough so viewers can still open them.

Servers which run large applications, such as LAMP stacks, often log every request: in the face of bulky logs, log rotation provides a way to limit the total size of the logs retained while still allowing analysis of recent events.

Even though some arguments in favor of log rotation imply that maintaining smaller files increases writing performance, the size of a file doesn’t affect its writing performance. The reason is that in most modern filesystem implementations, the kernel knows the size of a file, and appending data can happen after performing a seek syscall to position the pointer at the end of the file which is a constant time operation.

Methods of archival[edit]

In Linux log rotation is typically performed using the logrotate command.[2][3] The command can be used to email logs to a systems administrator after log rotation. Dated logs may also be compressed.

In FreeBSD and macOS the newsyslog command is used.[4] It has the ability to trigger rotation based on file size, time or interval (or any combination thereof). It can compress the archives and send a signal to a process to reset logging.

The command is often run as a cron job, which has the effect of fully automatic log rotation.

Typically, a new logfile is created periodically, and the old logfile is renamed by appending a "1" to the name. Each time a new log file is started, the numbers in the file names of old logfiles are increased by one, so the files "rotate" through the numbers (thus the name "log rotation"). Old logfiles whose number exceeds a threshold can then be deleted or archived off-line to save space.


  1. ^ Kent, Karen; Souppaya, Murugiah (September 2006). "Guide to Computer Security Management: Recommendations of the National Institute of Standards and Technology" (PDF). Special Publication 800-92. Gaithersburg, MD: National Institute of Standards and Technology: Technology Administration, U.S. Department of Commerce. p. 3. Retrieved 2014-10-02. Log rotation is closing a log file and opening a new log file when the first file is considered to be complete. Log rotation is typically performed according to a schedule (e.g., hourly, daily, weekly) or when a log file reaches a certain size.
  2. ^ "logrotate (8) - Linux man page". Retrieved February 10, 2013.
  3. ^ "Log rotation". Retrieved February 10, 2013.
  4. ^ "newsyslog (8) - maintain system log files to manageable sizes".