How to Configure Log Rotation Based on Both Time Interval and Maximum File Size in Linux


1 views

Many system administrators face this dilemma: you want logs to rotate weekly for organizational purposes, but also need immediate rotation when critical logs grow too large. The standard size and time interval options in logrotate seem mutually exclusive at first glance.

The crucial distinction between options:

# Size-only rotation (ignores time intervals)
size 5M

# Minimum size with time consideration (won't rotate if size not reached)
minsize 5M
daily/weekly/monthly

# The solution we want (rotates if either condition met)
maxsize 5M
weekly

Here's a complete rsyslog rotation configuration that solves the problem:

/var/log/messages {
    weekly
    maxsize 5M
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    create 640 root adm
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

If rotations aren't occurring as expected:

  1. Verify logrotate runs daily: grep logrotate /etc/cron*
  2. Check configuration syntax: logrotate -d /etc/logrotate.conf
  3. Force a test run: logrotate -vf /etc/logrotate.d/rsyslog

For high-volume systems, combine with:

# Prevent frequent small rotations
minsize 1M

# Handle bursts between rotations
maxsize 10M
daily

Remember that maxsize requires logrotate 3.8.0 or later. Check version with logrotate --version.

When configuring log rotation with both time intervals and size thresholds, many sysadmins encounter unexpected behavior. The key distinction lies in the interaction between these parameters:

# Incorrect approach that causes confusion:
/var/log/messages {
    weekly
    size 5M
    rotate 4
    create
}

size acts as an override that makes time-based rotation irrelevant, while minsize/maxsize work in conjunction with time intervals.

Directive Time Consideration Size Consideration Rotation Trigger
size No Yes Size-only
minsize Yes Yes Both conditions (AND)
maxsize Yes Yes Either condition (OR)

For weekly rotation with 5MB overflow protection:

# Correct implementation using maxsize
/var/log/messages {
    weekly
    maxsize 5M
    rotate 4
    missingok
    compress
    delaycompress
    notifempty
    create 0640 root adm
}

To verify your configuration works as intended:

  1. Create a test log directory: mkdir -p /var/log/test
  2. Generate test logs: logger -t test "Sample log entry"
  3. Force rotation check: logrotate -vf /etc/logrotate.d/test

When debugging rotation issues:

# Check last rotation time:
grep "rotating log" /var/lib/logrotate/status

# Dry run with debug output:
logrotate -d /etc/logrotate.conf

For high-volume logging systems, consider these optimizations:

  • Set copytruncate for applications that can't handle SIGHUP
  • Use delaycompress to avoid compression during peak hours
  • Combine with dateext for chronological sorting