logrotate is a tool for automatically rotating log files. It can be configured to keep rotated logs indefinitely or for a set period, compress them after rotation, delete them, shred them, mail them somewhere, etc. I find it incredibly useful for making sure I know which logs are kept, for how long, and that they are securely deleted when their time is up.
Configuration
On a typical Debian installation the main config is /etc/logrotate.conf, which includes the application-specific files stored in /etc/logrotate.d. Read man logrotate for the full list of directives and what each one does, but here's my general template.
/path/to/log/location/*file.extension {
    daily
    rotate 7
    maxage 7
    shred
    shredcycles 32
    missingok
}
It will rotate the matching logs every day and keep 7 rotated copies; when an 8th would be created, the oldest is removed, with shred rather than a plain unlink because of the shred directive. maxage 7 additionally removes any rotated copy older than 7 days even when fewer than 7 exist (for example after the server was down for a while), and missingok stops logrotate from reporting an error when the log file is absent. In essence, this is the same as keeping logs for a week before discarding them.
shredcycles 32 tells logrotate to remove old files with GNU shred (it runs shred -u -n 32) instead of unlink(): the file's blocks are overwritten 32 times with pseudo-random data and only then is the file removed. When a file is "deleted" normally, only the filesystem metadata changes; the blocks it occupied are marked free and keep their contents until something else happens to be written there, which is exactly what file-recovery tools rely on. Overwriting the blocks first is what defeats them. Two corrections to the folklore around the pass count: logrotate does not pass shred's -z option, so there is no final pass of zeros (that option exists to hide the fact that shredding took place, not that the file ever existed), and there is no threshold of 32 passes beyond which recovery becomes impossible. The 30-odd-pass figures go back to the 1996 Gutmann paper, which targeted drive encodings of that era; for modern magnetic disks NIST SP 800-88 considers a single overwrite pass sufficient, and shred's own default is 3 passes. Extra passes buy nothing measurable but do cost I/O time, which adds up on large logs. NOTE: this is useless with SSDs, because the flash translation layer maps each overwrite to a fresh physical page and leaves the old page in place until garbage collection, so every pass can miss the original data. The same caveat applies to copy-on-write or data-journaling filesystems (btrfs, ZFS, ext3/ext4 with data=journal), to snapshots, and to anything behind a RAID or storage controller, as the shred man page warns. If your server has an HDD with a conventional filesystem such as ext4 in its default mode, I still recommend using shred; the default 3 cycles are enough, and 32 is a conservative choice if you can afford the I/O. Otherwise, don't bother and save the CPU cycles; rely on full-disk encryption and the drive's own TRIM/secure-erase for data at rest instead.
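Before a config like the template above goes into /etc/logrotate.d, it is worth running it against a throw-away directory to confirm it parses, rotates and actually shreds the copy that falls off the end. The script below is an added example, not from the original post: it writes a constructed config (same directives as the template, but rotate 1 and shredcycles 3 so the second rotation has an old copy to shred), dry-runs it with logrotate -d, forces two rotations with -f, and checks the resulting files. It also includes a small check for the HDD-versus-SSD caveat using df and lsblk, which read the same rotational flag the kernel exposes under /sys/block. The directory, file names and log lines are all constructed for the demo; logrotate and GNU shred (coreutils) must be installed.

```shell
#!/bin/sh
# Added example, not from the original post: exercise a logrotate config that
# uses shred/shredcycles in a throw-away directory so it can be checked before
# it goes into /etc/logrotate.d. Directory, file names and log lines are
# constructed for this demo. Needs logrotate and GNU shred (coreutils).

# Write a config for $1/app.log that mirrors the post's template, but with
# 'rotate 1' so that the second rotation has an old copy to shred.
write_config() {
    dir=$1
    conf=$dir/app.conf
    cat > "$conf" <<EOF
$dir/app.log {
    daily
    rotate 1
    maxage 7
    shred
    shredcycles 3
    missingok
}
EOF
    # logrotate ignores config files that are group- or world-writable.
    chmod 0644 "$conf"
    echo "$conf"
}

# Rotate twice under -f (force) in directory $1 and check the outcome.
# Returns 0 when the files end up as the post describes, 1 otherwise.
demo_rotation() {
    dir=$1
    conf=$(write_config "$dir")
    state=$dir/state    # private state file instead of /var/lib/logrotate/status

    printf 'constructed log line 1\n' > "$dir/app.log"

    # Dry run: parse the config and report what would happen, touching nothing.
    logrotate -d -s "$state" "$conf" >/dev/null 2>&1 || return 1

    # First forced rotation: app.log is renamed to app.log.1; without the
    # 'create' directive no new app.log is made.
    logrotate -f -s "$state" "$conf" || return 1
    [ -f "$dir/app.log.1" ] && [ ! -e "$dir/app.log" ] || return 1

    # Second forced rotation: app.log.1 becomes app.log.2, which exceeds
    # 'rotate 1' and is removed with 'shred -u -n 3' instead of unlink().
    printf 'constructed log line 2\n' > "$dir/app.log"
    logrotate -f -s "$state" "$conf" || return 1
    [ -f "$dir/app.log.1" ] && [ ! -e "$dir/app.log.2" ] || return 1
    grep -q 'line 2' "$dir/app.log.1" || return 1
}

# Is the filesystem holding $1 on a spinning disk? Prints 1 (HDD, shred is
# meaningful), 0 (SSD/flash, it is not) or unknown. Uses GNU df and lsblk;
# the kernel exposes the same flag as /sys/block/<dev>/queue/rotational.
log_disk_is_rotational() {
    command -v df >/dev/null 2>&1 && command -v lsblk >/dev/null 2>&1 \
        || { echo unknown; return 0; }
    dev=$(df --output=source "$1" 2>/dev/null | tail -n 1)
    case $dev in
        /dev/*) rota=$(lsblk -dno ROTA "$dev" 2>/dev/null | tr -d ' ')
                [ -n "$rota" ] && echo "$rota" || echo unknown ;;
        *)      echo unknown ;;
    esac
}

# Stand-alone run.
workdir=$(mktemp -d)
if demo_rotation "$workdir"; then
    echo "rotation and shred behaved as expected in $workdir"
else
    echo "demo failed: is logrotate installed and GNU shred on PATH?" >&2
fi
rm -rf "$workdir"
echo "rotational disk under /tmp: $(log_disk_is_rotational /tmp)"
```

Run it as the user that owns the logs (or as root, as cron does); add -v to the forced runs to watch logrotate report each rename and removal. The dry run with -d is the step to repeat whenever a file in /etc/logrotate.d changes, since logrotate silently ignores configs with the wrong mode or owner and a typo in the glob means nothing gets rotated at all.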