Why? Keep log files for as long as required, whilst mitigating the risk of the archive growing to fill the device holding /var/log.
How? Using the preremove directive with logrotate version 3.8.4 and higher. To Paraphrase the logrotate manpage: "The lines between preremove and endscript are executed (using /bin/sh) once just before removal of a log file. The logrotate will pass the name of the file which is soon to be removed."
A log file is removed so that no more than rotate rotated files exist and the preremove script affords the opportunity to archive a copy of the soon to be removed file.
Here's an example configuration script for /var/log/syslog:-
if file --mime-type "$1" | grep -q gzip$; then \
cp -p "$1" /path/to/archive/syslog/; \
reload rsyslog >/dev/null 2>&1 || true
A file is also removed after its content has been compressed and output to a separate file, when the compress directive is present. The preremove script can therefore receive the path to either an uncompressed or a compressed file, when compress is present . Hence, the preremove script in this example tests the mime-type of the file being removed to ensure that only compressed files are archived.
The dateext directive is used to avoid file naming conflicts at the
destination: the default dateformat format_string,
-%Y%m%d, is fine for a
file being rotated no more frequently than once daily.