- none of the TPS logs are rotated.
- fwiw, log rotation is available as a feature in CA and other subsystems.
Could we document a logrotate configuration that uses the operating system feature, as is usually done for mysql, apache, and so on? See man logrotate and the httpd example from /etc/logrotate.d/httpd:

    /var/log/httpd/*log {
        missingok
        notifempty
        sharedscripts
        postrotate
            /bin/kill -HUP `cat /var/run/httpd/httpd.pid 2>/dev/null` 2> /dev/null || true
        endscript
    }
Created attachment 389624
patch for rolling logs and TPS shutdown if log is full

jmagne, please review. This includes changes to add:
-- log rotation to TPS
-- log expiration thread
-- TPS shuts down if audit log full (BZ 562893)
Attachment (id=389624) +jmagne
Created attachment 389830
updated patch for rolling logs and TPS shutdown if log is full

updated patch (already +'ed by jmagne)
Checked into 8.1 tip

    [builder@goofy-vm4 tps]$ svn ci -m "BZ500700 and BZ562893: tps log rotation and tps shutdown if audit logs full"
    Sending        tps/Makefile.am
    Sending        tps/Makefile.in
    Sending        tps/doc/CS.cfg
    Sending        tps/src/engine/RA.cpp
    Sending        tps/src/include/engine/RA.h
    Adding         tps/src/include/main/LogFile.h
    Adding         tps/src/include/main/RollingLogFile.h
    Adding         tps/src/main/LogFile.cpp
    Adding         tps/src/main/RollingLogFile.cpp
    Transmitting file data .........
    Committed revision 967.
Notes to QE/Doc

The following parameters have been added to CS.cfg for the TPS (where * is audit, debug or error):

    logging.*.file.type:        can be LogFile or RollingLogFile
    logging.*.rolloverInterval: interval to roll over logs (seconds, 0 to disable)
    logging.*.maxFileSize:      size at which file rollover occurs, in kB
    logging.*.expirationTime:   maximum age of log; older unmodified logs are deleted (in seconds, 0 to disable)

If the file type is LogFile, then we have the existing behaviour, which is a plain log file that does not roll over or expire.

If the file type is RollingLogFile, then the file will roll over (save the file to <log_file_name>.<date> and start writing in a new file) if:
a) The log file exceeds maxFileSize
b) Every rolloverInterval (assuming the log file is non-empty). Setting rolloverInterval to 0 disables this.

In addition, if expirationTime > 0, then we will look to see if there are any logs that have been rotated (which have a filename of the form <filename>.<date>) and which have not been modified within expiration_time. If so, then the file will have expired and will be deleted.

The default settings for these parameters are shown below:

    logging.*.file.type:        RollingLogFile
    logging.*.rolloverInterval: 30 days
    logging.*.maxFileSize:      2 MB
    logging.*.expirationTime:   0 (disabled)

One thing that QE should confirm is that for audit logs, if the log is rolled over, the new log starts with a signature message. In fact, QE should confirm that a series of rolled-over logs is verified correctly using AuditVerify.
Design docs at https://wiki.idm.lab.bos.redhat.com/export/idmwiki/Certificate_System_8.1_Designs#Adding_Rolling_Logs_for_the_TPS
Created attachment 394961
change to ensure rotated signed audit log starts with a signature

This was mistakenly left out in the checkin. jmagne, please review.
Attachment (id=394961) +jmagne
    [builder@goofy-vm4 tps]$ svn ci -m "BZ500700 - ensure rotated signed audit logs start with a signature"
    Sending        tps/src/main/RollingLogFile.cpp
    Transmitting file data .
    Committed revision 981.
Tested TPS log file rotation for audit, debug and error log files. Log files roll over when the log file exceeds maxFileSize and every rolloverInterval. When the file size is 0 bytes, files are not rolled over. When expirationTime > 0, the logs that have been rotated and have not been modified within expiration_time are deleted. We have a minor bug, https://bugzilla.redhat.com/show_bug.cgi?id=567415, which deletes rotated files whose names have any character as a suffix or prefix. In the case of signed audit logs, when the log is rolled over, the new log starts with a signature message. A series of rolled-over logs is verified using AuditVerify. Marking this bug verified.
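The rollover and expiration policy described in the QE/Doc notes, and the filename-matching caveat from the verification comment (bug 567415), as an added stand-alone model. This is not the TPS code from the checkin (RollingLogFile.cpp is C++ and is not reproduced here); it is a re-implementation for study that mirrors the CS.cfg parameters maxFileSize (kB), rolloverInterval and expirationTime (seconds, 0 disables). The rotated-file suffix format (a 14-digit UTC timestamp), the injected clock, the signature line text, the decoy filenames and the small thresholds in demo() are all assumptions constructed for the example.

```python
import os
import re
import tempfile
import time
from pathlib import Path


class RollingLogFile:
    """Model of the RollingLogFile policy (assumption: not the TPS C++ code).
    max_file_size_kb / rollover_interval / expiration_time mirror the CS.cfg
    parameters; 0 disables interval rollover and expiry respectively."""

    def __init__(self, path, max_file_size_kb=2048, rollover_interval=30 * 86400,
                 expiration_time=0, clock=time.time, signature_header=None):
        self.path = Path(path)
        self.max_bytes = max_file_size_kb * 1024
        self.rollover_interval = rollover_interval
        self.expiration_time = expiration_time
        self.clock = clock                      # injectable clock, for testing
        self.signature_header = signature_header
        self.last_rollover = clock()
        # Rotated copies are <file>.<timestamp>[.<n>]. The pattern is anchored at
        # both ends, so "audit.log.bak" or "old-audit.log.<ts>" are never treated
        # as rotated copies (the loose prefix/suffix match was bug 567415).
        self._rotated_re = re.compile(
            r"^" + re.escape(self.path.name) + r"\.\d{14}(?:\.\d+)?$")
        self.path.parent.mkdir(parents=True, exist_ok=True)
        self._open_new()

    def _open_new(self):
        self.fh = open(self.path, "a", encoding="utf-8")
        if self.signature_header and self.path.stat().st_size == 0:
            self.fh.write(self.signature_header + "\n")   # fresh signed log
            self.fh.flush()

    def write(self, line):
        self.check()
        self.fh.write(line + "\n")
        self.fh.flush()

    def check(self):
        """Roll over if a trigger fires; True when a rollover happened."""
        now = self.clock()
        size = self.path.stat().st_size
        by_size = self.max_bytes > 0 and size >= self.max_bytes
        by_time = (self.rollover_interval > 0 and size > 0      # empty: never
                   and now - self.last_rollover >= self.rollover_interval)
        if by_size or by_time:
            self.rollover()
            return True
        return False

    def rollover(self):
        self.fh.close()
        now = self.clock()
        stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(now))
        target = self.path.with_name(f"{self.path.name}.{stamp}")
        n = 0
        while target.exists():                  # two rollovers in one second
            n += 1
            target = self.path.with_name(f"{self.path.name}.{stamp}.{n}")
        os.rename(self.path, target)
        os.utime(target, (now, now))            # mtime follows the injected clock
        self.last_rollover = now
        self._open_new()
        return target

    def rotated_files(self):
        return sorted(p.name for p in self.path.parent.iterdir()
                      if self._rotated_re.match(p.name))

    def expire(self):
        """Delete rotated copies unmodified for longer than expiration_time."""
        if self.expiration_time <= 0:
            return []
        now, deleted = self.clock(), []
        for name in self.rotated_files():
            p = self.path.with_name(name)
            if now - p.stat().st_mtime > self.expiration_time:
                p.unlink()
                deleted.append(name)
        return deleted


def demo(workdir=None):
    """Constructed scenario with small thresholds so every trigger fires."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="tps-rolling-"))
    fake = {"t": 1_000_000.0}
    clock = lambda: fake["t"]
    header = "SIGNATURE constructed"             # 21 chars + newline = 22 bytes
    audit = RollingLogFile(workdir / "audit.log", max_file_size_kb=1,
                           rollover_interval=60, expiration_time=3600,
                           clock=clock, signature_header=header)
    debug = RollingLogFile(workdir / "debug.log", rollover_interval=60, clock=clock)
    decoys = ("audit.log.bak", "old-audit.log.19700101000000")   # constructed
    for d in decoys:                             # look similar, are very old
        (workdir / d).write_text("keep me\n")
        os.utime(workdir / d, (fake["t"] - 10**6, fake["t"] - 10**6))
    r = {}
    for i in range(15):                          # 100-byte lines: 1024 crossed on write 12
        audit.write(f"{i:03d} " + "x" * 95)
    r["after_size_rollover"] = len(audit.rotated_files())
    fake["t"] += 61                              # interval trigger on a non-empty file
    audit.write("one more line")
    r["after_interval_rollover"] = len(audit.rotated_files())
    r["empty_debug_rolled"] = debug.check()      # 0-byte file is left alone
    r["new_log_starts_with_signature"] = audit.path.read_text().splitlines()[0] == header
    fake["t"] += 3589                            # first copy 3650 s old, second 3589 s
    r["expired"] = audit.expire()
    r["remaining_rotated"] = len(audit.rotated_files())
    r["decoys_kept"] = all((workdir / d).exists() for d in decoys)
    return r


if __name__ == "__main__":
    print(demo())
```

check() is the hook a background thread (the "log expiration thread" from the patch description) would call alongside expire(); write() calls it inline so a single burst of writes cannot overshoot maxFileSize by more than one line.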