Unix - Logrotate vs Journalctl Rotation
1. Overview
logrotate
- Manages text-based log files
- Used for logs in /var/log/
- Common with syslog / rsyslog

journalctl Rotation
- Managed by systemd journal
- Handles binary logs
- Logs stored in journal directories
2. How Rotation Works
Logrotate
- Rotates logs by:
  - Time (daily, weekly)
  - Size (e.g., 100 MB)
- Renames old logs
- Creates new log files
- Compresses and deletes old logs

Journalctl
- Automatically rotates logs based on:
  - Disk usage limits
  - Time limits
- Deletes old journal entries internally
- No manual renaming of files
3. Configuration Files
| Tool | Configuration Location |
|---|---|
| logrotate | /etc/logrotate.conf, /etc/logrotate.d/ |
| journalctl | /etc/systemd/journald.conf |
4. Storage Format
| Feature | logrotate | journalctl |
|---|---|---|
| Log format | Text | Binary |
| File readability | Direct (cat) | Needs journalctl |
| Compression | gzip | Internal |
5. Rotation Control Options
Logrotate Options
```
daily
rotate 7
size 100M
compress
```
Journalctl Options
```
SystemMaxUse=500M
SystemKeepFree=100M
MaxFileSec=1month
```
6. Persistence
| Aspect | logrotate | journalctl |
|---|---|---|
| Persistent logs | Yes | Optional |
| Default behavior | Always persistent | Often volatile |
| Storage location | /var/log/ | /var/log/journal |
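
Added example (not part of the original notes): a small Python audit of the Section 5 directives and the persistence behaviour in Section 6. It assumes the logrotate(8) rule that `size` and the time intervals are mutually exclusive with the last one specified taking precedence, and journald's upstream default of `Storage=auto`; the `Storage=` key, the function names and the sample texts are constructed here.

```python
import re

# Constructed sample inputs built from the directives shown in Section 5.
LOGROTATE_SAMPLE = """
daily
rotate 7
size 100M
compress
"""
JOURNALD_SAMPLE = """
[Journal]
#Storage=auto
SystemMaxUse=500M
SystemKeepFree=100M
MaxFileSec=1month
"""

PERIOD_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

def logrotate_retention(text):
    """Return (trigger, copies, days); days is None when rotation is size-driven."""
    trigger, period, copies = None, None, 0
    for line in text.splitlines():
        words = line.split("#")[0].split()
        if not words:
            continue
        if words[0] in PERIOD_DAYS:
            trigger, period = "time", PERIOD_DAYS[words[0]]
        elif words[0] == "size":
            trigger = "size"  # assumption: last of size/time directives wins
        elif words[0] == "rotate" and len(words) > 1:
            copies = int(words[1])
    # A size trigger gives no guaranteed time window, only N files of that size.
    days = period * copies if trigger == "time" else None
    return trigger, copies, days

def journald_settings(text):
    """Parse active (uncommented) Key=Value lines of a journald.conf text."""
    return dict(re.findall(r"^[ \t]*([A-Za-z]+)[ \t]*=[ \t]*(\S+)", text, re.MULTILINE))

def journald_is_persistent(text, journal_dir_exists):
    """Storage=auto persists only when /var/log/journal already exists."""
    storage = journald_settings(text).get("Storage", "auto").lower()
    return storage == "persistent" or (storage == "auto" and journal_dir_exists)

if __name__ == "__main__":
    print(logrotate_retention(LOGROTATE_SAMPLE))
    print(journald_is_persistent(JOURNALD_SAMPLE, journal_dir_exists=False))
```

With the Section 5 sample, the `size 100M` line after `daily` makes rotation size-driven, so seven rotated files no longer correspond to seven days of history on a busy host.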
7. Manual Control
Logrotate
```
logrotate -f /etc/logrotate.conf
```
Journalctl
```
journalctl --vacuum-size=200M
journalctl --vacuum-time=2weeks
```
8. Performance & Reliability
| Feature | logrotate | journalctl |
|---|---|---|
| Boot-time logs | Limited | Full |
| Crash-safe | No | Yes |
| High-volume logs | Moderate | Excellent |
9. Security & Auditing
| Feature | logrotate | journalctl |
|---|---|---|
| Tamper resistance | Medium | High |
| Metadata (UID, PID) | Limited | Rich |
| Forensics | Good | Excellent |
10. Typical Use Cases
Use logrotate When:
- Managing syslog/rsyslog text logs
- Need readable log files
- Traditional UNIX environments

Use journalctl When:
- Using systemd-based systems
- Need powerful filtering
- Require crash-safe logging
11. Coexistence (Important)
Modern Linux systems use both:
- journalctl collects logs
- Logs forwarded to syslog
- logrotate rotates text logs

➡️ Provides compatibility + reliability
12. Exam-Ready Comparison Table
| Feature | logrotate | journalctl rotation |
|---|---|---|
| Log type | Text | Binary |
| Rotation trigger | Time/Size | Disk/Time |
| Compression | gzip | Internal |
| Tool control | logrotate | journald |
| Readability | Easy | Tool-based |
| Modern systems | Secondary | Primary |