Best practice for purging log files?

I'm using letsencrypt on Ubuntu/nginx. I have over a hundred letsencrypt.log.nn files in /var/log

I read


but they cover other topics and I'm wondering if there is a simplified best practice to prevent these logs from collecting?


I see what you mean:
-rw-r--r-- 1 root root 4418 Sep 24 2017 letsencrypt.log.509

This might do the trick:
[this will delete all the ones > .99 and compressed files]

rm /var/log/letsencrypt/*.??0
rm /var/log/letsencrypt/*.??1
rm /var/log/letsencrypt/*.??2
rm /var/log/letsencrypt/*.??3
rm /var/log/letsencrypt/*.??4
rm /var/log/letsencrypt/*.??5
rm /var/log/letsencrypt/*.??6
rm /var/log/letsencrypt/*.??7
rm /var/log/letsencrypt/*.??8
rm /var/log/letsencrypt/*.??9
rm /var/log/letsencrypt/*.??9
rm /var/log/letsencrypt/*.gz

On my Debian systems, the logrotate package takes care of deleting these logfiles in reasonable intervals. I believe this should be installed and enabled by default on Debian/Ubuntu systems, and I also found a logrotate script (I presume this was added by the debian certbot package):

cat /etc/logrotate.d/certbot

/var/log/letsencrypt/*.log {
    rotate 12

So how can one limit the number of files logrotate keeps?
[don't say RTFM - LOL]

This is controlled by the rotate option. So the rotate 12 directive as shown above will keep 12 files and delete files older than 12 * interval. The weekly directive then says that files should be rotated weekly (which is the interval). You can also use keywords like daily.

1 Like

I fail to see that action in practice :frowning:
I have:

/var/log/letsencrypt/*.log {
    rotate 12

And it went to:
-rw-r--r-- 1 root root 4418 Sep 24 2017 letsencrypt.log.509
[never deleted a single log]

This doesn't look like files created by logrotate.

The logrotate option says 'compress', which means gzip the files. This causes logrotate to create files ending with .gz. Your example filename doesn't end with .gz, so it looks like someone else has created those files, but not logrotate.

Here's an example how it looks on my system:

/var/log/letsencrypt # ls
letsencrypt.log  letsencrypt.log.1.gz  letsencrypt.log.2.gz  letsencrypt.log.3.gz  letsencrypt.log.4.gz  letsencrypt.log.5.gz  letsencrypt.log.6.gz  letsencrypt.log.7.gz  letsencrypt.log.8.gz  letsencrypt.log.9.gz letsencrypt.log.10.gz  letsencrypt.log.11.gz  letsencrypt.log.12.gz
1 Like

Maybe there are two systems at play...
There were also .gz flles.

1 Like

A lot of the content in these files appears to be DEBUG statements. I know it's a tiny amount of i/o but is there a way to get a non-debug build?
In what scenarios should we need these files?

Asking for help on this Community mainly :wink:

@Nummer378 I don't understand your logrotate. Your configuration says it should keep 12 weeks of logs, but your ls command only shows 12 log files. But certbot usually runs twice a day, so you should have 168 log files in total? Or do you run certbot just once a week?

@Osiris @Nummer378
Maybe showing the dates might better explain things:
ls -l /var/log/letsencrypt

I've got to admit, I haven't run certbot in over a year, so currently it doesn't run at all and I just realized that all logfiles are empty (so logrotate just rotates empty files, a notifempty directive would have been useful here...). Back then I believe I used the timer from the package, so probably twice a day?

-rw-r--r-- 1 root root  0 Okt  3 00:00 letsencrypt.log
-rw-r--r-- 1 root root 20 Jul 25 00:00 letsencrypt.log.10.gz
-rw-r--r-- 1 root root 20 Jul 18 00:00 letsencrypt.log.11.gz
-rw-r--r-- 1 root root 20 Jul 11 00:00 letsencrypt.log.12.gz
-rw-r--r-- 1 root root 20 Sep 26 00:00 letsencrypt.log.1.gz
-rw-r--r-- 1 root root 20 Sep 19 00:00 letsencrypt.log.2.gz
-rw-r--r-- 1 root root 20 Sep 12 00:00 letsencrypt.log.3.gz
-rw-r--r-- 1 root root 20 Sep  5 00:00 letsencrypt.log.4.gz
-rw-r--r-- 1 root root 20 Aug 29 00:00 letsencrypt.log.5.gz
-rw-r--r-- 1 root root 20 Aug 22 00:00 letsencrypt.log.6.gz
-rw-r--r-- 1 root root 20 Aug 15 00:00 letsencrypt.log.7.gz
-rw-r--r-- 1 root root 20 Aug  8 00:00 letsencrypt.log.8.gz
-rw-r--r-- 1 root root 20 Aug  1 00:00 letsencrypt.log.9.gz

So yeah given that the files are really just empty, I should have tested this when certbot was actually outputting something. I thought the logfiles just stopped rotating once I stopped certbot, but apparently that's not the case.

Still I don't have leftover files not created by logrotate, so either they were cleaned up since I last ran certbot, or they were never created.

1 Like

What about using Cerbot --max-log-backups 5 (or whatever number)

You will need to delete the excess now but that limits future build up.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.