C.3. IdM Domain Services and Log Rotation

Several IdM domain services use the system logrotate service to handle log rotation and compression:
  • named (DNS)
  • httpd (Apache)
  • tomcat
  • sssd
  • krb5kdc (the Kerberos domain controller)
The logrotate configuration files are stored in the /etc/logrotate.d/ directory.

Example C.1. Default httpd Log Rotation File at /etc/logrotate.d/httpd

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}

Warning

The logrotate policy files for most of the services create a new log file with the same name, default owner, and default permissions as the previous log. However, with the files for named and tomcat, a special create rule sets this behavior with explicit permissions as well as user and group ownership.
Do not change the permissions or the user and group which own the named and tomcat log files. This is required for both IdM operations and SELinux settings. Changing the ownership of the log rotation policy or of the files can cause the IdM domains services to fail.

Additional Resources

  • The 389 Directory Server instances used by IdM as a back end and by the Dogtag Certificate System have their own internal log rotation policies. See the Configuring Log Files in the Red Hat Directory Server Administration Guide.
  • For details about other potential log rotation settings, such as compression settings or the size of the log files, see the Log Rotation in the System Administrator's Guide or the logrotate(8) man page.