logrotate(8) is a userland utility that relocates or outright deletes old log files in order to make space for newer logs. Regularly maintaining a system's log files in this way prevents failures caused by negligence or by explicitly malicious activity, such as running out of free disk space due to uncontrolled log file growth, along with other potential issues. Automated log rotation can also be thought of as a security hardening measure that ensures no unnecessary user data is retained on a system after the time at which it is used. Shorter data retention policies, implemented in part by aggressively shredding old logs, help maintain operational security and user privacy in a variety of environments.

The default configuration (/etc/logrotate.conf) typically only handles rotation of the /var/log/btmp and /var/log/wtmp files. Many other system services typically ship with their own logrotate configuration files (see § Service configurations).

Hardening

Disable current login reporting

# This logrotate(5) configuration helps persist permission changes to
# the /var/run/utmp file, which stores knowledge of current successful
# logins to the system. By removing and re-creating this file with
# its permission bits set to `660`, owned by `root` and associated
# with the `utmp` group, we ensure no unprivileged users can query
# the system for logged in users via the `who(1)` command or similar.
#
# File: /etc/logrotate.d/utmp

/var/run/utmp {
        hourly
        rotate 0
        size 1
        shred
        missingok
        create 660 root utmp
}
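As an added check that is not part of the page's own configuration, the following POSIX shell script verifies that the rule above has actually taken effect and that the rule file parses. The utmp path defaults to /run/utmp, since /var/run is a symlink to /run on most current systems; `stat -c` assumes GNU coreutils and the dry run assumes logrotate(8) is installed. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example: confirm the hardened utmp layout and dry-run the rotation rule.

# Return 0 when "MODE OWNER GROUP" (the format printed by `stat -c '%a %U %G'`)
# matches the hardened 660 root:utmp layout, 1 otherwise.
utmp_perms_ok() {
    set -- $1
    [ "$1" = "660" ] && [ "$2" = "root" ] && [ "$3" = "utmp" ]
}

# Inspect the live utmp file, print a verdict and return utmp_perms_ok's status.
# A file that is not 660 root:utmp lets any local user enumerate logins via who(1).
check_utmp() {
    utmp="${1:-/run/utmp}"
    [ -e "$utmp" ] || { echo "$utmp: missing, nothing to check"; return 1; }
    perms=$(stat -c '%a %U %G' "$utmp") || return 1
    if utmp_perms_ok "$perms"; then
        echo "$utmp: $perms (hardened)"
    else
        echo "$utmp: $perms (expected 660 root utmp; next rotation should correct it)"
        return 1
    fi
}

# Dry-run logrotate(8) against the rule so a typo is caught before the next
# scheduled run instead of silently leaving utmp unrotated.
validate_rule() {
    logrotate -d "${1:-/etc/logrotate.d/utmp}"
}

# Run both checks when invoked directly; the combined exit status is non-zero
# if either one fails, which makes this usable from a configuration audit.
if [ "${1:-}" = "audit" ]; then
    check_utmp
    status=$?
    validate_rule >/dev/null 2>&1 || status=1
    exit $status
fi
```

Running `sh check-utmp.sh audit` immediately after installing the rule shows the current permissions; because the rule only re-creates the file on rotation, a freshly written rule file leaves the old permissions in place until logrotate next runs.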

Run logrotate hourly instead of daily

Most systems default to invoking logrotate daily. However, logrotate can determine that a log file needs rotation at a granularity as fine as one hour rather than one day (the hourly directive in logrotate(5)), provided that logrotate itself is actually invoked at least hourly. If your available resources permit it, consider invoking logrotate at this more frequent interval.

TK-TODO
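One way to move the scheduled run from daily to hourly, added here as an example rather than taken from the page: on distributions that ship a systemd `logrotate.timer` (Debian, Ubuntu, Fedora and their derivatives), a drop-in overrides the unit's `OnCalendar=` setting without editing the packaged unit. Systems that still drive logrotate from /etc/cron.daily/logrotate need that script moved to /etc/cron.hourly instead. The drop-in file name and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: install a systemd drop-in that fires logrotate.timer every hour.

# Render the drop-in. The empty "OnCalendar=" line clears the unit's packaged
# daily schedule; without it systemd would keep both schedules active.
hourly_override() {
    printf '%s\n' '[Timer]' 'OnCalendar=' 'OnCalendar=hourly'
}

# Write the drop-in under DIR (default: the real drop-in directory for the
# timer) and return 0 only if the hourly schedule ended up in the file.
install_hourly_override() {
    dir="${1:-/etc/systemd/system/logrotate.timer.d}"
    mkdir -p "$dir" || return 1
    hourly_override > "$dir/hourly.conf" || return 1
    grep -q '^OnCalendar=hourly$' "$dir/hourly.conf"
}

# When run as `sh hourly-logrotate.sh apply`, install the override, reload the
# unit files and show the next trigger time so the change can be confirmed.
if [ "${1:-}" = "apply" ]; then
    install_hourly_override &&
    systemctl daemon-reload &&
    systemctl restart logrotate.timer &&
    systemctl list-timers logrotate.timer
fi
```

Only rules that say `hourly` (or that use a `size` threshold) benefit from the more frequent run: logrotate records the last rotation of each log in its state file and still rotates `daily` rules once per day.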

Service configurations

Each service whose log file(s) you wish to automatically rotate should have a configuration file written to the system’s /etc/logrotate.d directory.
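As an added example of writing such a per-service file (not configuration from the page or from any particular service), the script below renders a rule that keeps a bounded number of rotated copies, shreds whatever falls off the end of the rotation, and re-creates the log with mode 640 so only root and the log group can read it. The service name, log path, retention count and group are caller-supplied parameters, and the `adm` default group is an assumption borrowed from Debian-style systems.

```shell
#!/bin/sh
# Added example: generate and validate a hardened rule for /etc/logrotate.d.

# Print a logrotate(5) stanza for LOGFILE that keeps COUNT rotated copies.
# delaycompress leaves the newest rotated copy uncompressed so a daemon that
# still has it open can finish writing; shred overwrites copies before removal.
render_rule() {
    logfile="$1"; count="${2:-7}"; owner="${3:-root}"; group="${4:-adm}"
    cat <<EOF
$logfile {
        hourly
        rotate $count
        compress
        delaycompress
        shred
        missingok
        notifempty
        create 640 $owner $group
}
EOF
}

# Write the rule as DIR/NAME and dry-run logrotate(8) against it so a parse
# error surfaces now rather than at the next scheduled run. Non-zero on failure.
install_rule() {
    name="$1"; logfile="$2"; count="${3:-7}"; group="${4:-adm}"
    dir="${5:-/etc/logrotate.d}"
    render_rule "$logfile" "$count" root "$group" > "$dir/$name" || return 1
    logrotate -d "$dir/$name" >/dev/null 2>&1
}

# Example invocation for a hypothetical service; path and name are illustrative.
if [ "${1:-}" = "install" ]; then
    install_rule example-service /var/log/example-service/app.log 7 adm
fi
```

The `hourly` directive in the stanza only takes effect when logrotate itself runs hourly (see the previous section); on a system still invoking it daily the rule behaves like `daily`.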

List of services

Each entry in the following list links directly to its associated configuration.