How do I set logrotate to work for my sites that are in srv/www/* I see some tut here
http://www.debian-administration.org/articles/117 but they talk about basic logs in var/log/*

and seems that i have that setup as there are files like

error.log.1
error.log.2.gz
error.log.3.gz
error.log.4.gz
...


How to make this for sites in srv/www/logs? if possible with some wildcard for all sites?

You can simply edit the first line of /etc/logrotate.d/apache2 to look something like this:

/var/log/apache2/*.log /srv/www/logs/*.log {

This will then match and act on all files matching *.log in /srv/www/logs/ in addition to /var/log/apache2/.

if the logs are in separate directories, you can do something like

/var/log/apache2/*.log /srv/www/*/logs/*.log

that will work with

/srv/www/site1.com/logs
/srv/www/site2.com/logs
etc

Thanx People that helped.

One more question, how does log rotate work. How to tell it to delete logs older than one month?

From man logrotate:

maxage <count>
       Remove rotated logs older than <count> days.  The  age  is  only
       checked if the logfile is to be rotated. The files are mailed to
       the configured address if maillast and mail are configured.

so I added this in /etc/logrotate.d/apache2 and since then I have empty var/log/apache2 directory and in /srv/www/my-site/logs/ the same access.log and error.log, what could be wrong, do I need to restart something other than apache?


/var/log/apache2/*.log /srv/www/*/logs/*.log{
weekly
missingok
rotate 52
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
/etc/init.d/apache2 reload > /dev/null
endscript
}

What does "so I added this in /etc/logrotate.d/apache2" mean? What does the full file look like now? (It helps to use [code] tags when posting configuration files.)

What does "since then I have empty var/log/apache2 directory" mean? Were there existing logs in that directory which were deleted? How old were they?

What does "[I have] in /srv/www/my-site/logs/ the same access.log and error.log" mean? Do these files have the same content?

Logrotate is generally run once per day by cron. Look in /etc/cron.daily/ and see if there is a logrotate script there. If so, then logrotate will be run at the same time other daily jobs are run. It is not a service which runs in the background, so does not need to be restarted.

Sorry for that post.

1. Yes that was my apache2 file for logrotate made according to suggestions above. (full file, will use code next time)
2. Before I used root user, but since reading a post on forum I disabled a login for it and now i forget to type "sudo" everytime I need something "special" so I did "vi var/log/apache2" and it was empty. Now I see if i add SUDO before it there are log files, so this was the mistake I made. (is there a way I could remove a need for sudo writing for user other than root?)
3.By default logs are created from this I guess

<VirtualHost *:80>
     ServerAdmin webmaster@example.com
     ServerName example.com
     ServerAlias www.example.com
     DocumentRoot /srv/www/example.com/public_html/
     ErrorLog /srv/www/example.com/logs/error.log
     CustomLog /srv/www/example.com/logs/access.log combined
</VirtualHost>

And when I added the code for logrotate /srv/www/*/logs/*.log, there are still just those 2 files error.log and access.log, and no new ones that would be logrotate files like they are in var/log/*

OK, I think I understand your question now. Logrotate does not control where applications write their logs. It only rotates files that already exist. So if you have a logrotate configuration that refers to an empty directory, that directory will stay empty.

The Apache config you posted will log activity to /srv/www/example.com/logs/access.log and errors to /srv/www/example.com/logs/error.log. These should be rotated by the apache2 logrotate configuration you posted (although you should make sure there's a space between "/srv/www/*/logs/*.log" and the opening brace). The weekly option means that these logs will be rotated at the beginning of each week. The compress option will compress rotated logs, but delaycompress means that the first rotated log will not be compressed. So after a few weeks, your directory should have files like this:

access.log
access.log.1
access.log.2.gz
access.log.3.gz
error.log
error.log.1
error.log.2.gz
error.log.3.gz

The rotate 52 option will keep 52 old log files around. You can change this by reducing the number or by adding a maxage option as discussed before.

The locations where logs are written is controlled by your Apache configuration. You should look at the main configuration file and all the virtual host configuration files in /etc/apache2/sites-enabled/ to see where they are logging. This command should show you:

grep -RE 'CustomLog|ErrorLog|RewriteLog' /etc/apache2/apache2.conf /etc/apache2/sites-enabled/

Edit: If I need to run several commands as root, I usually do sudo su - to get a root shell. You need to be careful while doing this, and very aware of what you're doing while root. Type exit as soon as you are finished the task and you will revert to a normal user.

Thanx Vance, I did miss that space between "{" maybe that made a problem. Will try it. Thanx on explanation.
Also why is it so "dangerous" to be loggged in as root, mostly when i login to VPS is to make some edits as user with all privileges?

Mainly because root can write to (or delete) any file on the system*. Typos that would be harmless while you are an ordinary user (because you don't have rights to modify important files) can cause great damage if run while root.

Of course, this is yet another argument for having good backups.

*Ignoring things like SELinux and extended attributes.

Lograte now works, but I see that on my site with lots of traffic access.log is 300 mb, how to make this lower? Probably remove .css .jpg and similar from logged in access.log, any chance on helping on that and how to do it?

Why would you want to remove those from access.log? if you do, you can't do accurate statistical tracking of your site to see where your traffic is going.

Try rotating your logs every day, ie

/var/log/apache2/*.log /srv/www/*/logs/*.log {
  daily
  missingok
  rotate 365
  compress
  delaycompress
  notifempty
  create 640 root adm
  sharedscripts
  postrotate
    /etc/init.d/apache2 reload > /dev/null
  endscript
}

I changed weekly to daily, and rotate 52 to rotate 365

Others may froth at the mouth and hurl abuse, but I do all my sysadmin as root, and everything else as an unprivileged normal user.
I use screen (well, byobu now), and leave one window logged in as root for sysadmin, and all other windows are my normal user, which I use to do everything I can in, only switching to the root window when I have to, then switch back when I've finished.

Others will only ever log in as a normal user, and use "sudo command" when they need root. This is definitely more secure, but not necessarily less prone to mistakes, as some will argue. As you get in the habit of sudo blah, it's all muscle memory, after you do it for a few days, you don't even need to think about it. It's just as easy to type sudo rm -rf / as it is to type rm -rf / in a root shell.