Tomcat Log Rotation, Compression, Encryption (GDPR Compliance) and Copy to AWS S3

Tomcat Log Rotation

In production environment the logs of applications are important, we need to store them for compliance reasons and make sure that the log files dont fill up the disk space. Since the EU GDPR Privacy law has been passed, the log files need to be encrypted.

In Linux we have a beautiful log management utility logrotate, which is run regularly to rotate the logs files of apt, dpkg, cups-daemon, rsyslog, ufw etc. configuration of these logs are found in /etc/logrotate.d

I am running Tomcat 9 and CATALINA_HOME=/opt/tomcat. You can install Tomcat 9 from here. Tomcat rotates the logs by itself in a default setup. which is configured in /opt/tomcat/conf/ file. we need explicitly configure tomcat to not to rotate the log files like catalina.out itself, since we will be rotating and compressing them using system logrotate utility.

Add this lines to /opt/tomcat/conf/

I have added one line to each log entry org.apache.juli.AsyncFileHandler.rotatable = false to stop rotation of logs by tomcat, Once this is done tomcat will not rotate the logs by itself.

Logrotate and Compression

create a new file at /etc/logrotate.d/tomcat

compress – compress the log files compresscmd – command used for Compression, gzip compressoptions – options for compression command, Gzip Compression level 1-9 compressext – extention of compressed file

its just going to do gzip -9 filename , which compresses the file.

dateext dateformat -%Y-%m-%d-%s these lines add date extention to the rotated log file in the format catalina.out-2018-09-21-1537501441

nomail tells not mail the log files

copytruncate – copies the log file to new file and truncates the log file to zero bytes.

daily – rotates the log file daily

rotate 10 – keep the 10 past rotated logs

notifempty – do not rotate the log if it is empty

missingok – if the file is missing its ok

create 0644 tomcat tomcat – create the log file with these permissions, ignored if copy truncate is used.

postrotate – command to run after the log rotation.

Here we are running the a custom Bash command to encrypt and move the log files to AWS S3

Encryption and Copying to AWS S3

Create a Bash Shell Script vim /usr/share/encrypt

Give it execute permissions

chmod +x /usr/share/encrypt

This script will encrypt the file with .gz which are compressed files and accept the two arguments location of gz files and Encryption key

encrypt /opt/tomcat/log /data/key

Key is needed to encrypt and decrypt the file

cat /data/key

Encrypt command will get list of files in given location and if the file has .gz extention the it will encrypt it with gpg (GNU Privacy Guard), move all the encrypted files which has .gpg extention to aws s3 bucket and once uploaded it will delete the encrypted file from that location. For copying the encrypted logs to S3 make sure that the ec2 instance has write to S3 IAM Access Role assigned to it.

For Decryption of files

gpg --batch --passphrase-file /data/mykey -d catalina.out-2018-09-21-1537501441.gz.gpg > catalina.out-2018-09-21-1537501441.gz