[Freeipa-users] Do you use logrotate?

Dmitri Pal dpal at redhat.com
Tue Sep 11 17:03:30 UTC 2012


On 09/11/2012 10:41 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 09/11/2012 08:18 AM, Christian Horn wrote:
>>> Hi,
>>>
>>> On Mon, Sep 10, 2012 at 06:07:57PM -0400, Dmitri Pal wrote:
>>>> Does anyone use logrotate?
>>> Not yet, indeed good idea.
>>>
>>>
>>>> Have you seen something else that would be valuable for others to
>>>> consider when configuring logrotate with IPA?
>>> IPA has many services writing to independent files.  Having these
>>> logs collected in a central place seems to be a common desire.
>>> For DNS syslog is used and can directly log to a remote location.
>>>
>>> For the other services the best idea so far seems to be to have
>>> a cronjob which uses rsync/ssh to centrally store the logs.
>>>
>>> This can be implemented without much further thought.
>>> If logrotate is used on the IPA servers, but also longer logs
>>> should be kept on the central server, further thoughts would
>>> be needed here..
>>>
>>>
>>> That's the only relevant thing coming to mind for the topic.
>>> Christian
>>>
>>
>> Collecting logs centrally is a separate topic.
>> I want to focus on the logrotate configuration and potential issues
>> people might have or have had in the past related to logrotate causing
>> IPA to fail.
>
> logrotate is being used by every IPA user today unless they have
> configured it to NOT be used. There are default logrotate rules for
> named, httpd, tomcat6, sssd and krb5kdc. 389-ds-base does its own log
> rotation AFAIU.
>
> rob
So how did it happen that someone configured logrotate to run as a
different user and caused the DS instance not to start?
I want to understand what we can do to prevent such situations.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

