[Fedora-directory-users] FDS log management - bug?

Andrey Ivanov andrey.ivanov at polytechnique.fr
Tue Aug 14 10:53:28 UTC 2007


Hi,

Noriko Hosoi <nhosoi at redhat.com> wrote:

> I tried to reproduce the problem with these config parameters, but I
> could not.
>
>    nsslapd-accesslog-logging-enabled: on
>    nsslapd-accesslog-maxlogsperdir: 10
>    nsslapd-accesslog-mode: 600
>    nsslapd-accesslog-maxlogsize: 10
>    nsslapd-accesslog-logrotationtime: 1
>    nsslapd-accesslog-logrotationtimeunit: day
>    nsslapd-accesslog-logrotationsync-enabled: on
>    nsslapd-accesslog-logrotationsynchour: 10
>    nsslapd-accesslog-logrotationsyncmin: 40
>    nsslapd-accesslog: /var/log/redhat-ds/slapd-laputa/access
>
> It rotated the access log at 10:40, but it did not remove my
> older/oldest log access.20070810-173005:
>
>    total 11788
>    -rw-------  1 nobody nobody 8570855 Aug 13 10:52 access
>    -rw-------  1 nobody root    108003 Aug 10 17:33 access.20070810-173005
>    -rw-------  1 nobody nobody 1845874 Aug 13 10:33 access.20070813-103043
>    -rw-------  1 nobody nobody 1453655 Aug 13 10:40 access.20070813-103824 <=== rotated at 10:40
>    -rw-------  1 nobody root       377 Aug 13 10:40 access.rotationinfo
>    -rw-------  1 nobody root         0 Aug 10 17:30 audit
>    -rw-------  1 nobody root        63 Aug 10 17:30 audit.rotationinfo
>    -rw-------  1 nobody root      5878 Aug 13 10:38 errors
>    -rw-------  1 nobody root        63 Aug 10 17:30 errors.rotationinfo
>
> Do you happen to have any other advice I could test on?
> Thanks,
> --noriko

Actually, when you first set the time for the rotation  
(nsslapd-accesslog-logrotationsynchour and  
nsslapd-accesslog-logrotationsyncmin) everything goes well. It's  
starting from the following rotation (after 24 hours) when it starts  
to behave differently. So just wait for another 24 hours without  
restarting the server...

And it seems to me that I've found the reason for this strange
behaviour. It is a half Java console/half server bug:

1. When you set the deletion policy with the Java console and you
don't change the default time unit at the same time (for example, I've
put 12 MONTHs instead of the default 1 MONTH), the console does not put
the attribute 'nsslapd-accesslog-logexpirationtimeunit' (or
'nsslapd-errorlog-logexpirationtimeunit' for error logs, maybe the same
problem for audit logs) into the dse.ldif. By default, this attribute
is not present. It does, however, put the
'nsslapd-accesslog-logexpirationtime' attribute. The first bug.

2. So what happens next... The server finds itself with the
'nsslapd-accesslog-logexpirationtime' set but without the time units.
And when the attribute 'nsslapd-accesslog-logexpirationtimeunit' is
not set, according to the documentation, the server should not delete
the logs at all (cf. "If the unit is unknown by the server, then the
log will never expire"). However, that's exactly what it does. It
deletes all the logs but the last rotated one. The second bug.

(concerning the version of the server, it's a compiled rpm from  
dsbuild-fds104.tar.gz in CentOS5, x32 architecture)

Anyway, it's a cosmetic bug, but since I've run into it I thought I
should share my experience :)

Talking about cosmetic bugs... There is another small bug concerning
the description of the ACI bind rules in the documentation. Namely, in
chapter 6 (managing access control) of the administrator's guide, on
page 240 of the pdf version
(http://www.redhat.com/docs/manuals/dir-server/pdf/ds71admin.pdf), in
the paragraph "Bind Rules/Defining Access Based on Authentication".
While describing various SASL methods it mentions, among others, the
'GSS-API' keyword that can be used in ACIs. I've tested it and it
turns out that (authmethod = "sasl GSS-API") does not work. What
actually works is (authmethod = "sasl GSSAPI").

Thanks

>
> Andrey Ivanov wrote:
>> I don't know whether it's a feature or a bug :) I have the
>> following configuration for the log management:
>>
>> nsslapd-accesslog-logging-enabled: on
>> nsslapd-accesslog-maxlogsperdir: 365
>> nsslapd-accesslog-mode: 600
>> nsslapd-accesslog-maxlogsize: 120
>> nsslapd-accesslog-logrotationtime: 1
>> nsslapd-accesslog-logrotationtimeunit: day
>> nsslapd-accesslog-logrotationsync-enabled: on
>> nsslapd-accesslog-logrotationsynchour: 0
>> nsslapd-accesslog-logrotationsyncmin: 0
>> nsslapd-accesslog: /Logs/Ldap/access
>>
>> nsslapd-accesslog-logmaxdiskspace: 50000
>> nsslapd-accesslog-logexpirationtime: 12
>> nsslapd-accesslog-logexpirationtimeunit: month
>> nsslapd-accesslog-logminfreediskspace: 2000
>>
>> It means, essentially, that the logs are rotated once a day at
>> midnight (or if the file is larger than 120Mb) and that I keep them
>> for 1 year.
>>
>> If I don't set the log rotation time (logrotationsynchour and
>> logrotationsyncmin) everything is ok, the logs are rotated once a
>> day and then they are kept for the necessary time period.
>> However when I set this rotation time the server deletes ALL the
>> logs but the current and the last one. That is, after each rotation
>> I have the current log (the file 'access') and the previous one
>> (yesterday's log, like access.20070811-000030). All the other log
>> files are deleted.
>>
>> So if I want to keep the logs I need to copy them to a different
>> place by a cron script which is not very elegant :)
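
The condition described in this thread (a log expiration time stored in dse.ldif with no matching time unit) can be checked for before the next rotation removes logs that were meant to be retained. The following is an added example, not part of the original message or of the Fedora Directory Server code; the dse.ldif fragment is constructed, and treating an expiration time of 0 or -1 as "never expire" and day/week/month as the known units are assumptions taken from the configuration reference.

```python
import re
LOG_TYPES = ("accesslog", "errorlog", "auditlog")
KNOWN_UNITS = {"day", "week", "month"}

# Constructed sample, not a real server's dse.ldif.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-accesslog: /Logs/Ldap/
 access
nsslapd-accesslog-logexpirationtime: 12
nsslapd-errorlog-logexpirationtime: 1
nsslapd-errorlog-logexpirationtimeunit: month
nsslapd-auditlog-logexpirationtime: -1

dn: cn=plugins,cn=config
"""

def parse_entries(ldif_text):
    """Yield each LDIF entry as {lowercased attribute: [values]}."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            yield entry

def expiration_findings(ldif_text):
    """Return (log type, problem) pairs found in the cn=config entry."""
    findings = []
    for entry in parse_entries(ldif_text):
        if [dn.lower() for dn in entry.get("dn", [])] != ["cn=config"]:
            continue
        for log in LOG_TYPES:
            time = entry.get(f"nsslapd-{log}-logexpirationtime")
            unit = entry.get(f"nsslapd-{log}-logexpirationtimeunit")
            if not time or int(time[0]) <= 0:  # assumption: <= 0 never expires
                continue
            if not unit:
                findings.append((log, "expiration time set, time unit missing"))
            elif unit[0].lower() not in KNOWN_UNITS:
                findings.append((log, f"unknown time unit {unit[0]!r}"))
    return findings
if __name__ == "__main__":
    for log, problem in expiration_findings(SAMPLE_DSE):
        print(f"{log}: {problem}")
```

A finding for a log type means its retention depends on how the server handles the missing or unknown unit, so the unit should be written to cn=config explicitly rather than left to the console.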