diff --git a/docs.json b/docs.json
index dbed42b..7e19017 100644
--- a/docs.json
+++ b/docs.json
@@ -175,6 +175,7 @@
"self-host/advanced/enable-asnblocking",
"self-host/advanced/metrics",
"self-host/advanced/clustering",
+ "self-host/advanced/traefik-log-rotation",
"self-host/telemetry"
]
},
diff --git a/self-host/advanced/traefik-log-rotation.mdx b/self-host/advanced/traefik-log-rotation.mdx
new file mode 100644
index 0000000..7c1c628
--- /dev/null
+++ b/self-host/advanced/traefik-log-rotation.mdx
@@ -0,0 +1,123 @@
+---
+title: "Traefik Access Log Rotation"
+description: "How to manage and rotate Traefik access logs when CrowdSec is installed"
+---
+
+import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
+
+
+
+When CrowdSec is installed, Traefik access logging is enabled automatically so CrowdSec can analyze traffic. This means `config/traefik/logs/access.log` will grow indefinitely without log rotation in place.
+
+
+ The default Pangolin install (without CrowdSec) does not enable access
+ logging, so this only applies if you have CrowdSec installed.
+
+
+## How it works
+
+The CrowdSec installer enables Traefik's `accessLog` block and mounts `./config/traefik/logs/` into the container at `/var/log/traefik/`. CrowdSec reads that log via its `acquis.d/traefik.yaml` acquisition config.
+
+Without rotation, that file grows forever. The fix is `logrotate` with `copytruncate` — it copies the log file and truncates the original in place, so Traefik never needs to be restarted or sent a signal.
+
+## Automatic setup (installer v1.x+)
+
+If you installed CrowdSec using a recent version of the Pangolin installer, logrotate is configured automatically at `/etc/logrotate.d/pangolin-traefik`. You can verify it's there:
+
+```bash
+cat /etc/logrotate.d/pangolin-traefik
+```
+
+You should see something like:
+
+```
+/opt/pangolin/config/traefik/logs/access.log {
+ daily
+ rotate 7
+ compress
+ delaycompress
+ missingok
+ notifempty
+ copytruncate
+}
+```
+
+## Manual setup
+
+If you installed CrowdSec before automatic log rotation was added, set it up manually:
+
+
+
+ Replace `/opt/pangolin` with your actual Pangolin install directory if it differs.
+
+```bash
+sudo tee /etc/logrotate.d/pangolin-traefik > /dev/null <<'EOF'
+/opt/pangolin/config/traefik/logs/access.log {
+ daily
+ rotate 7
+ compress
+ delaycompress
+ missingok
+ notifempty
+ copytruncate
+}
+EOF
+```
+
+
+
+ Do a dry run to confirm logrotate picks it up without errors:
+
+```bash
+sudo logrotate --debug /etc/logrotate.d/pangolin-traefik
+```
+
+No errors means you're good. You can also force a rotation immediately to verify end-to-end:
+
+```bash
+sudo logrotate --force /etc/logrotate.d/pangolin-traefik
+```
+
+
+
+
+## Customizing retention
+
+The defaults (daily rotation, 7 compressed copies) work for most setups. To adjust:
+
+| Option | What it does |
+| --------------- | -------------------------------------------------------------------------------------- |
+| `daily` | Rotate once per day. Use `weekly` or `monthly` if preferred. |
+| `rotate 7` | Keep 7 rotated files before deleting the oldest. |
+| `compress` | Gzip rotated files to save disk space. |
+| `delaycompress` | Skip compressing the most recent rotated file (useful if something still has it open). |
+
+For example, to keep 30 days of compressed weekly logs:
+
+```
+/opt/pangolin/config/traefik/logs/access.log {
+ weekly
+ rotate 30
+ compress
+ delaycompress
+ missingok
+ notifempty
+ copytruncate
+}
+```
+
+## Verifying rotation is working
+
+Check that rotated files are appearing in the logs directory:
+
+```bash
+ls -lh /opt/pangolin/config/traefik/logs/
+```
+
+After the first rotation you should see files like `access.log.1` and `access.log.2.gz` alongside the active `access.log`.
+
+To see when logrotate last ran and whether it succeeded:
+
+```bash
+cat /var/lib/logrotate/status | grep pangolin
+```
diff --git a/self-host/community-guides/crowdsec.mdx b/self-host/community-guides/crowdsec.mdx
index aac1491..ecb1214 100644
--- a/self-host/community-guides/crowdsec.mdx
+++ b/self-host/community-guides/crowdsec.mdx
@@ -18,6 +18,10 @@ CrowdSec is a modern, open-source, collaborative behavior detection engine, inte
Crowdsec can be installed using the Pangolin Installer.
+
+Enabling CrowdSec turns on Traefik access logging so CrowdSec can analyze traffic. This means `config/traefik/logs/access.log` will grow over time. If you want to set up log rotation, see the [Traefik Access Log Rotation](/self-host/advanced/traefik-log-rotation) guide.
+
+
## Configuration
By default, Crowdsec is installed with a basic configuration, which includes the [Crowdsec Bouncer Traefik plugin](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin).