[HOWTO] Using wildcards with logrotate

I often deploy services of different types and natures, and one thing that they all have in common is that they log their activity. Now logging is essential, however one of the downsides with logging is that busy systems can easily accumulate considerable space. This is especially important if you deploy services on small virtualized instances where disk space might be precious.

Sadly quite a few services does not deploy any built in mechanisms to rotate their logs, but here comes logrotate to the rescue. With logrotate it is very easy to set up log rotation, and even when logs might be scattered around a bit.

This latter scenario is one I stumble upon ever time I set up a Linux server hosting a wide range of virtual hosts. When I deploy servers like these I tend to use the following directory structure:

/var/www/vhosts/<vhost>/logs
/var/www/vhosts/<vhost>/htdocs

The logs folder holds the logs for the virtual hosts, while the htdocs folder contains the actual web site files. Now to set up logrotate to rotate these logs, you just deploy the following into the file /etc/logrotate.d/apache2-vhosts or a name that makes sense for your service.

/var/www/vhosts/*/logs/*.log {
         daily
         missingok
         rotate 14
         compress
         delaycompress
         notifempty
         create 640 www-data adm
         sharedscripts
         postrotate
                 if invoke-rc.d apache2 status > /dev/null 2>&1; then \
                     invoke-rc.d apache2 reload > /dev/null 2>&1; \
                 fi;
         endscript
         prerotate
                 if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
                         run-parts /etc/logrotate.d/httpd-prerotate; \
                 fi; \
         endscript
 }

Here we see that we use a wildcard * for the folder name for the <vhost> and a wildcard pattern *.log for the actual log files. Also take notice of the following line:

create 640 www-data adm

This tells logrotate to set the permissions with the flags 640, setting read + write for the owner www-data, read for group adm and no access to everyone. Setting this line is important if your service runs as a specific user, and if other applications access the log files as well as ensuring that not everyone can access the logs.

Some services might require certain tasks to be performed prior and after the logs are rotated, and this is done by the logrotate hooks prerotate and postrotate. Adjust this to your needs. Good luck rotating your files.