On 23/11/2022 19:12, Sam Morris via FreeIPA-users wrote:
I've been meaning to raise bugs regarding the rotation of PKI log files
on this list for some time but never got around to it. On a reasonably
old server there are always lots of very old log files in
/var/log/pki/pki-tomcat. On the server I'm looking at, we have...
catalina.*.log
host-manager.*.log
localhost.*.log
manager.*.log
---
These are mentioned in /etc/pki/pki-tomcat/logging.properties but
there's no configuration of retention or frequency in that file. They
appear to be rotated weekly and the oldest files are from Feb 2022 so I
guess there is something limiting their retention, I just don't know
where to configure it...
These can be configured by adding a new line for each of the four
loggers, like so:
1catalina.org.apache.juli.FileHandler.maxDays = 15
Log files are removed after Tomcat starts.
localhost_access_log.*.txt
---
Rotated daily, oldest file dates back to April 2021 so nothing expiring
old files. This one is mentioned in /etc/pki/pki-tomcat/server.xml,
according to
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html
maxDays defaults to -1 which means keep forever. Maybe
ipa-server-install might want to set that to a sensible value?
I've tested this one too; log files are removed after Tomcat starts.
acme/debug.*.log
ca/debug.*.log
kra/debug.*.log
Rotated daily, have never been cleaned up.
---
https://github.com/dogtagpki/pki/issues/3731 filed but no one has taken
a look at it yet...
https://www.dogtagpki.org/wiki/PKI_10.5_Subsystem_Debug_Log remarks that
"[this] logging framework does not support rotation". That being the
case maybe FreeIPA could take it upon itself to ship a cron job that can
clean these up?
One liner that works for me:
find /var/log/pki/pki-tomcat/ca -name 'debug.????-??-??.log' -print |
LC_COLLATE=C sort | head -n -14 | xargs -r ls
Seems reasonably safe, if the user has configured a different debug log
filename then it won't delete anything.
pki/debug.*.log
---
Same as for the other debug.*.log, but these are rotated weekly.
ca/selftests.log.*
kra/selftests.log.*
---
According to
https://www.dogtagpki.org/wiki/SelfTest#Logger these are
configured in /etc/pki/pki-tomcat/{ca,kra}/CS.cfg, it looks like these
should be rotated every month, but on this server they've only rolled
over 5 times since April 2021, at irregular intervals:
# ll /var/log/pki/pki-tomcat/ca/selftests.log* -th
-rw-r-----. 1 pkiuser pkiuser 11K Nov 19 10:31 /var/log/pki/pki-tomcat/ca/selftests.log
-rw-r-----. 1 pkiuser pkiuser 1.2K Sep 13 11:31 /var/log/pki/pki-tomcat/ca/selftests.log.20220913113055
-rw-r-----. 1 pkiuser pkiuser 4.7K Aug 7 14:47 /var/log/pki/pki-tomcat/ca/selftests.log.20220807144705
-rw-r-----. 1 pkiuser pkiuser 25K May 19 2022 /var/log/pki/pki-tomcat/ca/selftests.log.20220519113631
-rw-r-----. 1 pkiuser pkiuser 20K Dec 21 2021 /var/log/pki/pki-tomcat/ca/selftests.log.20211221184830
-rw-r-----. 1 pkiuser pkiuser 28K Aug 13 2021 /var/log/pki/pki-tomcat/ca/selftests.log.20210813112850
... in any case, there is an undocumented expirationTime parameter that
may be related to retention; it's set to 0, maybe that means 'forever'?
This expirationTime parameter is also present for the system and
transaction logs that (in the default config) never have anything
written to them.
According to
https://github.com/dogtagpki/pki/issues/2284 the setting
doesn't work. An external cron job is recommended to clean up old logs.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
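A cron-ready version of the debug log cleanup discussed above, as an added example that is not part of this thread and not code from the Dogtag PKI or FreeIPA projects. It generalises the find/sort/head one-liner to all three subsystems (acme, ca, kra) and adds a dry-run mode. The log root, the retention count of 14 files and the subsystem list are assumptions; only files named debug.YYYY-MM-DD.log are ever considered, so a custom debug log filename configured in CS.cfg, the current debug.log and any other file in the directory are left alone.

```shell
#!/bin/sh
# Added example: prune Dogtag PKI per-subsystem debug logs by count.
# Assumptions: default log root under /var/log/pki/pki-tomcat, dated
# logs named debug.YYYY-MM-DD.log, keep the newest 14 per subsystem.

PKI_LOG_ROOT="${PKI_LOG_ROOT:-/var/log/pki/pki-tomcat}"
KEEP="${KEEP:-14}"
SUBSYSTEMS="${SUBSYSTEMS:-acme ca kra}"

# Print the dated debug logs in directory $1 that are older than the
# newest $2 files, oldest first, one path per line. Sorting with
# LC_COLLATE=C makes the lexical order equal the date order for the
# YYYY-MM-DD names. awk drops the newest $2 entries (and prints nothing
# when there are $2 or fewer files), which is POSIX-portable and avoids
# relying on GNU 'head -n -N'.
expired_debug_logs() {
    dir="$1"
    keep="$2"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -name 'debug.????-??-??.log' -print \
        | LC_COLLATE=C sort \
        | awk -v keep="$keep" \
            '{ lines[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print lines[i] }'
}

# Number of files expired_debug_logs would report for directory $1.
count_expired_debug_logs() {
    expired_debug_logs "$1" "$2" | wc -l | tr -d ' '
}

# Remove expired debug logs under root $1, keeping $2 per subsystem, for
# each subsystem directory named in $3 (space separated). With DRY_RUN=1
# the paths are only listed, nothing is removed. Subsystem directories
# that do not exist (e.g. no KRA installed) are skipped.
prune_pki_debug_logs() {
    root="$1"
    keep="$2"
    subsystems="$3"
    for sub in $subsystems; do
        expired_debug_logs "$root/$sub" "$keep" | while IFS= read -r f; do
            if [ "${DRY_RUN:-0}" = 1 ]; then
                printf 'would remove %s\n' "$f"
            else
                rm -f -- "$f"
            fi
        done
    done
}

# Only act when explicitly asked, so sourcing the file for its functions
# is side-effect free.
if [ "${1:-}" = "--run" ]; then
    prune_pki_debug_logs "$PKI_LOG_ROOT" "$KEEP" "$SUBSYSTEMS"
fi
```

Install it as a daily cron job or systemd timer running as root with `--run`; check the candidate list first with `DRY_RUN=1 sh prune-pki-debug-logs.sh --run`. Because selection is by count rather than by mtime, a gap in logging (the server was down for a month) never causes every remaining log to be discarded at once.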