Back to problems

problem hub

Read-only first

Logrotate not running

Debug logrotate config and timer state before forcing rotation or truncating logs.

Safest first command

logrotate -d /etc/logrotate.conf

Before you run this

Expected output: Debug output showing which configs and log files logrotate would inspect and whether rotation is needed.

When not to use it: Do not force rotation or truncate logs until you know why rotation was skipped and whether the service needs a reopen signal.

Expected output example

reading config file /etc/logrotate.conf
considering log /var/log/app.log
  log does not need rotating

How to read the result

Debug mode does not rotate. It explains decision logic, missing files, permission problems, and whether a log is too new or below size thresholds.

What to check next

Debug says log does not need rotating

Means: Policy thresholds may not be met.

Next step: Check size, age, and config stanza.

Debug Logrotate Without Rotating

Timer inactive or failed

Means: Scheduled rotation may not be running.

Next step: Check timer state and recent logs.

Check logrotate Timer Status

Journal shows permission or script errors

Means: A postrotate script or ownership problem may block rotation.

Next step: Read recent logrotate service logs.

Read Recent Logrotate Journal

Logrotate decision tree

Use debug mode first, then timer status and journal logs. Only force rotation after confirming policy and service reopen behavior.

  1. logrotate -d /etc/logrotate.conf
  2. systemctl status logrotate.timer --no-pager
  3. journalctl -u logrotate --since '7 days ago' --no-pager

Bad fixes to avoid

Do not truncate active logs blindly. Do not force rotation before reading debug output. Do not delete logs when the actual failure is a postrotate script.

Common causes

  • Timer disabled
  • Config threshold not met
  • Permission denied
  • Postrotate script failed
  • Wrong log path

What not to change yet

  • Do not truncate active logs first.
  • Do not force rotation before debug review.
  • Do not ignore the app reopen signal.

Stop and escalate if

  • The next step could interrupt users, remove data, or lock out access.
  • The output includes secrets, customer data, or private infrastructure details.
  • You cannot explain the blast radius of the repair command.

supporting commands

Command path

Guides and drills