diff --git a/deployment/logrotate/logrotate-crond-container-puppet.yaml b/deployment/logrotate/logrotate-crond-container-puppet.yaml
index ded049527e..2db870ff7d 100644
--- a/deployment/logrotate/logrotate-crond-container-puppet.yaml
+++ b/deployment/logrotate/logrotate-crond-container-puppet.yaml
@@ -69,6 +69,24 @@ outputs:
         tripleo::profile::base::logging::logrotate::rotation: {get_param: LogrotateRotationInterval}
         tripleo::profile::base::logging::logrotate::rotate: {get_param: LogrotateRotate}
         tripleo::profile::base::logging::logrotate::purge_after_days: {get_param: LogrotatePurgeAfterDays}
+      deploy_steps_tasks:
+        - name: configure tmpwatch on the host
+          when: step|int == 2
+          copy:
+            dest: /etc/cron.daily/containers-tmpwatch
+            owner: root
+            group: root
+            mode: 0755
+            content: |
+              #!/bin/sh
+              tmpwatch --nodirs \
+                -X "/var/log/containers/*/*log" \
+                -X "/var/log/containers/*/*/*log" \
+                -X "/var/log/containers/*/*err" \
+                {{ LogrotatePurgeAfterDays|int +1 }} \
+                /var/log/containers/ 2>&1 | logger -t container-tmpwatch
+          vars:
+             LogrotatePurgeAfterDays: {get_param: LogrotatePurgeAfterDays}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: crond
diff --git a/deployment/logrotate/tmpwatch-install.yaml b/deployment/logrotate/tmpwatch-install.yaml
new file mode 100644
index 0000000000..97ada068e8
--- /dev/null
+++ b/deployment/logrotate/tmpwatch-install.yaml
@@ -0,0 +1,44 @@
+heat_template_version: rocky
+
+description: >
+  Install tmpwatch on the undercloud/standalone
+
+parameters:
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for tmpwatch install on undercloud or standalone
+    value:
+      service_name: logrotate_tmpwatch
+      deploy_steps_tasks:
+        - name: install tmpwatch on the host
+          when: step|int == 1
+          package:
+            name: tmpwatch
+            state: installed
diff --git a/environments/standalone.yaml b/environments/standalone.yaml
index 05ce173ffc..bc4948613d 100644
--- a/environments/standalone.yaml
+++ b/environments/standalone.yaml
@@ -1,6 +1,7 @@
 # DEPRECATED.
 # This file has been replaced with environments/standalone/standalone-tripleo.yaml
 resource_registry:
+  OS::TripleO::Services::Tmpwatch: ../deployment/logrotate/tmpwatch-install.yaml
   OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/noop.yaml
   OS::TripleO::Network::Ports::ControlPlaneVipPort: ../deployed-server/deployed-neutron-port.yaml
   OS::TripleO::Standalone::Net::SoftwareConfig: ../net-config-standalone.yaml
diff --git a/environments/standalone/standalone-tripleo.yaml b/environments/standalone/standalone-tripleo.yaml
index 311263419b..317fbae7b0 100644
--- a/environments/standalone/standalone-tripleo.yaml
+++ b/environments/standalone/standalone-tripleo.yaml
@@ -119,5 +119,6 @@ resource_registry:
   OS::TripleO::Services::SaharaApi: OS::Heat::None
   OS::TripleO::Services::SaharaEngine: OS::Heat::None
   OS::TripleO::Services::Tacker: OS::Heat::None
+  OS::TripleO::Services::Tmpwatch: ../../deployment/logrotate/tmpwatch-install.yaml
   OS::TripleO::Services::Zaqar: OS::Heat::None
   OS::TripleO::Standalone::Net::SoftwareConfig: ../../net-config-standalone.yaml
diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index 1eb5741035..c8c14785dc 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -1,4 +1,5 @@
 resource_registry:
+  OS::TripleO::Services::Tmpwatch: ../deployment/logrotate/tmpwatch-install.yaml
   OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/noop.yaml
   OS::TripleO::Network::Ports::ControlPlaneVipPort: ../deployed-server/deployed-neutron-port.yaml
   OS::TripleO::Undercloud::Net::SoftwareConfig: ../net-config-undercloud.yaml
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 82b5d45625..36d3fc1924 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -335,6 +335,7 @@ resource_registry:
   OS::TripleO::Services::Multipathd: deployment/multipathd/multipathd-container.yaml
 
   # Logging
+  OS::TripleO::Services::Tmpwatch: OS::Heat::None
   OS::TripleO::Services::Logging::BarbicanApi: docker/services/logging/files/barbican-api.yaml
   OS::TripleO::Services::Logging::GlanceApi: deployment/glance/glance-api-logging-file-container.yaml
   OS::TripleO::Services::Logging::HAProxy: docker/services/logging/files/haproxy.yaml
diff --git a/roles/Standalone.yaml b/roles/Standalone.yaml
index d2361ad049..f82c3d0021 100644
--- a/roles/Standalone.yaml
+++ b/roles/Standalone.yaml
@@ -173,6 +173,7 @@
     - OS::TripleO::Services::Tacker
     - OS::TripleO::Services::Timesync
     - OS::TripleO::Services::Timezone
+    - OS::TripleO::Services::Tmpwatch
     - OS::TripleO::Services::TripleoFirewall
     - OS::TripleO::Services::TripleoPackages
     - OS::TripleO::Services::Tuned
diff --git a/roles/Undercloud.yaml b/roles/Undercloud.yaml
index 8eb74ebc4d..cc2498aaac 100644
--- a/roles/Undercloud.yaml
+++ b/roles/Undercloud.yaml
@@ -89,6 +89,7 @@
     - OS::TripleO::Services::Tempest
     - OS::TripleO::Services::Timesync
     - OS::TripleO::Services::Timezone
+    - OS::TripleO::Services::Tmpwatch
     - OS::TripleO::Services::TripleoFirewall
     - OS::TripleO::Services::TripleoUI
     - OS::TripleO::Services::Tuned
diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml
index f667d28876..52e3895e42 100644
--- a/roles_data_undercloud.yaml
+++ b/roles_data_undercloud.yaml
@@ -92,6 +92,7 @@
     - OS::TripleO::Services::Tempest
     - OS::TripleO::Services::Timesync
     - OS::TripleO::Services::Timezone
+    - OS::TripleO::Services::Tmpwatch
     - OS::TripleO::Services::TripleoFirewall
     - OS::TripleO::Services::TripleoUI
     - OS::TripleO::Services::Tuned
diff --git a/sample-env-generator/standalone.yaml b/sample-env-generator/standalone.yaml
index 1efb9ee6cc..0b7ede50ee 100644
--- a/sample-env-generator/standalone.yaml
+++ b/sample-env-generator/standalone.yaml
@@ -75,6 +75,9 @@ environments:
       OS::TripleO::Services::Podman: ../../deployment/podman/podman-baremetal-ansible.yaml
       OS::TripleO::Services::DockerRegistry: ../../deployment/image-serve/image-serve-baremetal-ansible.yaml
 
+      # Install tmpwatch
+      OS::TripleO::Services::Tmpwatch: ../../deployment/logrotate/tmpwatch-install.yaml
+
       # Disable non-openstack services that are enabled by default
       OS::TripleO::Services::HAproxy: OS::Heat::None
       OS::TripleO::Services::Keepalived: OS::Heat::None