kdc_rotate/good method to rotate kdc and admin_server logs

[Benjamin Kaduk]

On Tue, 21 Aug 2012, Kevin Longfellow wrote:

>
>
> Hi,
>
> Forgive me for being dense but when does log rotation happen using 
> kdc_rotate if period = 1d?  I have tried using logrotate but it loses 
> some data and now am trying kdc_rotate and admin_server_rotate in 
> krb5.conf.  This is MIT Kerberos version 1.7.2.  Ideally I'd like the 
> logs to always rotate every day but if I can understand what the below 
> is trying to tell me perhaps this will be acceptable.  Thanks, Kevin
>
>
> "The following relations can be specified for the kdc_rotate relation 
> subsection: period=delta_time Specifies the time interval before a new 
> log file is created. See the TimeFormats section in kinit(1) for the 
> valid time duration formats you can specify for delta_time.  If period 
> is not specified or set to never, no rotation occurs. Specifying a time 
> interval does not mean that the log files are rotated at the time 
> interval based on real time. This is because the time interval is 
> checked at each attempt to write a record to the log, or when logging is 
> actually occurring. Therefore, rotation occurs only when logging has 
> actually occurred for the specified time interval."
>
> Not quite sure what that last sentence means?

It means that the server process does not wake up periodically and check 
"should I rotate the log now?" -- instead, the server process does not 
do anything with the log until it actually has an entry to write to the 
log.  Before writing to the log, though, it checks whether the log should 
be rotated (and does so if necessary).
So, if you get enough traffic that you have something logged each day, 
then your logfiles will get rotated each day.  If you have very low 
traffic, then the logs might go multiple days without getting rolled.

-Ben Kaduk