How to Safely Manage and Rotate Nginx Access Logs Without Service Disruption


2 views

Nginx access logs record all HTTP requests to your server, which is crucial for:

  • Troubleshooting application issues
  • Security auditing
  • Traffic analysis

The default location is typically /var/log/nginx/access.log or /usr/local/nginx/logs/access.log.

While you can delete access logs as root with:

sudo rm /var/log/nginx/access.log

This approach causes several problems:

  • Nginx keeps the file descriptor open, consuming disk space until restart
  • Potential permission issues when recreating
  • Loss of logging during the deletion period

For production systems, implement log rotation:

Method 1: Using logrotate

Create /etc/logrotate.d/nginx:

/var/log/nginx/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
    sharedscripts
    postrotate
        [ -f /var/run/nginx.pid ] && kill -USR1 cat /var/run/nginx.pid
    endscript
}

Method 2: Manual Rotation

For immediate space recovery:

# Rename current log
sudo mv /var/log/nginx/access.log /var/log/nginx/access.log.old

# Recreate log file with proper permissions
sudo touch /var/log/nginx/access.log
sudo chown www-data:adm /var/log/nginx/access.log
sudo chmod 640 /var/log/nginx/access.log

# Signal Nginx to reopen logs
sudo kill -USR1 $(cat /var/run/nginx.pid)

# Optionally compress old log
sudo gzip /var/log/nginx/access.log.old

After recreation, ensure:

  • Ownership matches Nginx user (typically www-data or nginx)
  • Permissions are 640 (rw-r-----)
  • Group is set to adm for system monitoring tools

For exceptionally large logs:

# Truncate without service restart
sudo : > /var/log/nginx/access.log

# Alternative for immediate space recovery
sudo install -o www-data -g adm -m 640 /dev/null /var/log/nginx/access.log
sudo kill -USR1 $(cat /var/run/nginx.pid)

Consider these advanced strategies:

  • Centralized logging with ELK stack
  • Real-time log processing with Fluentd
  • Cloud-based solutions like AWS CloudWatch Logs

Nginx access logs (typically access.log) are non-critical operational files that record all HTTP requests. Unlike error logs, they can be safely deleted or rotated without interrupting service. The key consideration is whether Nginx is actively writing to the file when deletion occurs.

For systems with 100GB+ log files, here's the proper deletion sequence:

# As root or sudo user:
sudo systemctl reload nginx  # Gracefully reload to reopen log files
sudo rm /var/log/nginx/access.log
sudo touch /var/log/nginx/access.log
sudo chown www-data:www-data /var/log/nginx/access.log  # Adjust user:group as per your config

Instead of manual deletion, implement log rotation in /etc/logrotate.d/nginx:

/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
    sharedscripts
    postrotate
        if [ -f /var/run/nginx.pid ]; then
            kill -USR1 cat /var/run/nginx.pid
        fi
    endscript
}

New log files inherit permissions from Nginx's user directive in nginx.conf. Typical secure permissions:

-rw-r----- 1 www-data adm 0 Jun 15 12:00 /var/log/nginx/access.log

This restricts access to Nginx user (www-data) and administrators (adm group).

After log operations:

sudo tail -f /var/log/nginx/access.log  # Verify new entries appear
sudo lsof | grep nginx | grep log  # Check file handles
journalctl -u nginx --no-pager -n 20  # Check for errors