kdc_rotate/good method to rotate kdc and admin_server logs

Kevin Longfellow klongfel at yahoo.com
Tue Aug 28 10:38:11 EDT 2012





________________________________
 From: Benjamin Kaduk <kaduk at MIT.EDU>
To: Kevin Longfellow <klongfel at yahoo.com> 
Cc: "kerberos at mit.edu" <kerberos at MIT.EDU> 
Sent: Thursday, August 23, 2012 10:26 AM
Subject: Re: kdc_rotate/good method to rotate kdc and admin_server logs
 
On Tue, 21 Aug 2012, Kevin Longfellow wrote:

> 
> 
> Hi,
> 
> Forgive me for being dense but when does log rotation happen using kdc_rotate if period = 1d?  I have tried using logrotate but it loses some data and now am trying kdc_rotate and admin_server_rotate in krb5.conf.  This is MIT Kerberos version 1.7.2.  Ideally I'd like the logs to always rotate every day but if I can understand what the below is trying to tell me perhaps this will be acceptable.  Thanks, Kevin
> 
> 
> "The following relations can be specified for the kdc_rotate relation subsection: period=delta_time Specifies the time interval before a new log file is created. See the TimeFormats section in kinit(1) for the valid time duration formats you can specify for delta_time.  If period is not specified or set to never, no rotation occurs. Specifying a time interval does not mean that the log files are rotated at the time interval based on real time. This is because the time interval is checked at each attempt to write a record to the log, or when logging is actually occurring. Therefore, rotation occurs only when logging has actually occurred for the specified time interval."
> 
> Not quite sure what that last sentence means?

It means that the server process does not wake up periodically and check "should I rotate the log now?" -- instead, the server process does not do anything with the log until it actually has an entry to write to the log.  Before writing to the log, though, it checks whether the log should be rotated (and does so if necessary).
So, if you get enough traffic that you have something logged each day, then your logfiles will get rotated each day.  If you have very low traffic, then the logs might go multiple days without getting rolled.

Thanks!  How much is "enough traffic"?  There are 5232 entries in krb5kdc.log since Aug 20 and no log rotation.  There are numerous entries for each day since then.  This is my krb5.conf logging section:

[logging]
        default = FILE:/opt/krb5_local/var/log/default.log
        admin_server = FILE:/opt/krb5_local/var/log/kadm5.log
        admin_server_rotate = {
                period = 1d
                versions = 90
        }
        kdc = FILE:/opt/krb5_local/var/log/krb5kdc.log
        kdc_rotate = {
                period = 1d
                versions = 90
        }

-Ben Kaduk
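
The write-triggered check described in the reply above can be modelled in a few lines. This is an added example, not part of the original thread and not code from any Kerberos implementation. The class and function names are hypothetical, in-memory lists stand in for the log files, and it assumes the interval is counted from the moment the current file was opened.

```python
from datetime import datetime, timedelta


class WriteTriggeredLog:
    """Model of a log whose rotation is checked only when a record is written."""

    def __init__(self, period, versions, opened_at):
        self.period = period        # timedelta(days=1) models "period = 1d"
        self.versions = versions    # number of rotated files kept ("versions = 90")
        self.opened_at = opened_at  # assumption: interval counts from file creation
        self.current = []           # records in the live file
        self.rotated = []           # rotated files, newest first

    def write(self, now, record):
        # The only place rotation is considered: immediately before a write.
        if now - self.opened_at >= self.period:
            self.rotated.insert(0, self.current)
            del self.rotated[self.versions:]   # drop files beyond the retention count
            self.current = []
            self.opened_at = now
        self.current.append((now, record))


def replay(events, period=timedelta(days=1), versions=90):
    """Feed (timestamp, record) pairs through the model and return it."""
    log = WriteTriggeredLog(period, versions, opened_at=events[0][0])
    for ts, rec in events:
        log.write(ts, rec)
    return log


# Constructed sample traffic, not taken from any real krb5kdc.log.
T0 = datetime(2012, 8, 20, 9, 0)
BUSY = [(T0 + timedelta(hours=6 * i), f"AS_REQ {i}") for i in range(13)]
QUIET = [(T0, "AS_REQ 0"), (T0 + timedelta(days=4, hours=2), "AS_REQ 1")]

if __name__ == "__main__":
    for name, events in (("busy", BUSY), ("quiet", QUIET)):
        log = replay(events)
        print(name, "rotations:", len(log.rotated), "live records:", len(log.current))
```

With an entry every six hours for three days the model rotates three times; with a four-day gap between two entries it rotates once, when the second entry arrives.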

