C.3. IdM Domain Services and Log Rotation
Several IdM domain services use the system logrotate service to handle log rotation and compression:
- named (DNS)
- httpd (Apache)
- tomcat
- sssd
- krb5kdc (the Kerberos domain controller)
The logrotate configuration files are stored in the /etc/logrotate.d/ directory.
Example C.1. Default httpd Log Rotation File at /etc/logrotate.d/httpd
    /var/log/httpd/*log {
        missingok
        notifempty
        sharedscripts
        delaycompress
        postrotate
            /sbin/service httpd reload > /dev/null 2>/dev/null || true
        endscript
    }
Warning
The logrotate policy files for most of the services create a new log file with the same name, default owner, and default permissions as the previous log. However, with the files for named and tomcat, a special create rule sets this behavior with explicit permissions as well as user and group ownership.
Do not change the permissions or the user and group which own the named and tomcat log files. This is required for both IdM operations and SELinux settings. Changing the ownership of the log rotation policy or of the files can cause the IdM domain services to fail.
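The requirement in this warning can be checked by comparing the explicit create rule in a policy file with the mode and ownership of the log files it covers. The script below is an added example, not part of the original guide or of IdM; the function names are hypothetical, the sample policy is constructed, and it assumes GNU stat and stanza headers of the form "path {".

```shell
#!/bin/sh
# Added example: compare a logrotate "create MODE OWNER GROUP" rule with the
# log files the policy covers. Assumes GNU stat and "path {" stanza headers.

# Print "MODE OWNER GROUP" from the first complete create directive.
create_rule() {
    awk '$1 == "create" && NF == 4 { print $2, $3, $4; ok = 1; exit }
         END { exit !ok }' "$1"
}

# Print the path patterns that precede "{" on a stanza header line.
log_patterns() {
    awk 'index($0, "{") { sub(/[ \t]*[{].*/, ""); print }' "$1"
}

# Return 0 if every existing log matches the rule, 1 on drift,
# 2 if the policy has no explicit create rule.
check_policy() {
    cp_policy=$1
    cp_rule=$(create_rule "$cp_policy") || { echo "NO-CREATE-RULE $cp_policy"; return 2; }
    set -- $cp_rule
    cp_want="$(printf '%o' "0$1") $2 $3"   # 0640 and 640 both become 640
    cp_rc=0
    for cp_log in $(log_patterns "$cp_policy"); do   # unquoted: globs expand
        [ -f "$cp_log" ] || continue
        cp_have=$(stat -c '%a %U %G' "$cp_log")
        if [ "$cp_have" = "$cp_want" ]; then
            echo "OK    $cp_log ($cp_have)"
        else
            echo "DRIFT $cp_log is '$cp_have', policy says '$cp_want'"
            cp_rc=1
        fi
    done
    return "$cp_rc"
}

# Constructed sample: a throwaway policy and log file in a temp directory.
demo() {
    d=$(mktemp -d); : > "$d/sample.log"; chmod 640 "$d/sample.log"
    printf '%s/*.log {\n    missingok\n    create 0640 %s %s\n}\n' "$d" \
        "$(stat -c %U "$d/sample.log")" "$(stat -c %G "$d/sample.log")" > "$d/policy"
    r1=0; check_policy "$d/policy" || r1=$?
    chmod 666 "$d/sample.log"               # simulate a permission change
    r2=0; check_policy "$d/policy" || r2=$?
    rm -rf "$d"; echo "$r1 $r2"
}

# With arguments, audit those policy files; with none, run the demo.
if [ "$#" -gt 0 ]; then for p in "$@"; do check_policy "$p"; done; else demo; fi
```

Pass the named and tomcat policy files from /etc/logrotate.d/ as arguments to audit a live system; a DRIFT line means a log file no longer matches its create rule.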
Additional Resources
- The 389 Directory Server instances used by IdM as a back end and by the Dogtag Certificate System have their own internal log rotation policies. See Configuring Subsystem Logs in the Red Hat Directory Server 10 Administration Guide.
- For details about other potential log rotation settings, such as compression settings or the size of the log files, see Log Rotation in the System Administrator's Guide or the logrotate(8) man page.