Re: kdc_rotate/good method to rotate kdc and admin_server logs

[Kevin Longfellow]

________________________________
 From: Benjamin Kaduk <ka...@mit.edu>
To: Kevin Longfellow <klong...@yahoo.com> 
Cc: "kerberos@mit.edu" <kerberos@MIT.EDU> 
Sent: Thursday, August 23, 2012 10:26 AM
Subject: Re: kdc_rotate/good method to rotate kdc and admin_server logs
 
On Tue, 21 Aug 2012, Kevin Longfellow wrote:

> 
> 
> Hi,
> 
> Forgive me for being dense but when does log rotation happen using kdc_rotate 
> if period = 1d?  I have tried using logrotate but it loses some data and now 
> am trying kdc_rotate and admin_server_rotate in krb5.conf.  This is MIT 
> Kerberos version 1.7.2.  Ideally I'd like the logs to always rotate every day 
> but if I can understand what the below is trying to tell me perhaps this will 
> be acceptable.  Thanks, Kevin
> 
> 
> "The following relations can be specified for the kdc_rotate relation 
> subsection: period=delta_time Specifies the time interval before a new log 
> file is created. See the TimeFormats section in kinit(1) for the valid time 
> duration formats you can specify for delta_time.  If period is not specified 
> or set to never, no rotation occurs. Specifying a time interval does not mean 
> that the log files are rotated at the time interval based on real time. This 
> is because the time interval is checked at each attempt to write a record to 
> the log, or when logging is actually occurring. Therefore, rotation occurs 
> only when logging has actually occurred for the specified time interval."
> 
> Not quite sure what that last sentence means?

It means that the server process does not wake up periodically and check 
"should I rotate the log now?" -- instead, the server process does not do 
anything with the log until it actually has an entry to write to the log.  
Before writing to the log, though, it checks whether the log should be rotated 
(and does so if necessary).
So, if you get enough traffic that you have something logged each day, then 
your logfiles will get rotated each day.  If you have very low traffic, then 
the logs might go multiple days without getting rolled.

Thanks!  How much is "enough traffic"?  There are 5232 entries in krb5kdc.log 
since Aug 20 and no log rotation.  There are numerous entries for each day 
since then.  This is my krb5.conf logging section:

[logging]
        default = FILE:/opt/krb5_local/var/log/default.log
        admin_server = FILE:/opt/krb5_local/var/log/kadm5.log
        admin_server_rotate = {
                period = 1d
                versions = 90
        }
        kdc = FILE:/opt/krb5_local/var/log/krb5kdc.log
        kdc_rotate = {
                period = 1d
                versions = 90
        }

-Ben Kaduk
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos