Discussion:
[Openvpn-users] logrotate
Bonno Bloksma
2017-07-03 10:54:28 UTC
Hi,

I remember asking this a long time ago and at the time there was no "clean" way to rotate the openvpn log because the process would keep the log open.
I remember that at the time we compromised by doing a copy and truncate trick.

Is there a "proper" way now to use the Linux logrotate feature without the copytruncate option?

There is no default logrotate script in the Debian Linux I use, probably because there is no default openvpn log file.
Because in my openvpn config I have
    log-append /var/log/openvpn-user.log
right now I am using for logrotate:
    /var/log/openvpn-user.log {
        rotate 12
        monthly
        copytruncate
        compress
        missingok
        notifempty
    }

Is this still the best way to do it?
Using OpenVPN Version: 2.3.4-5+deb8u2 on Debian

Bonno Bloksma
Gert Doering
2017-07-03 11:41:13 UTC
Hi,
Post by Bonno Bloksma
I remember asking this a long time ago and at the time there was no "clean" way to rotate the openvpn log because the process would keep the log open.
I remember that at the time we compromised by doing a copy and truncate trick.
Is there a "proper" way now to use the Linux logrotate feature without the copytruncate option?
--syslog?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
Илья Шипицин
2017-07-03 12:11:09 UTC
On 3 Jul 2017 at 16:45, "Gert Doering" <***@greenie.muc.de> wrote:

Hi,
Post by Bonno Bloksma
I remember asking this a long time ago and at the time there was no "clean" way to rotate the openvpn log because the process would keep the log open.
I remember that at the time we compromised by doing a copy and truncate trick.
Is there a "proper" way now to use the Linux logrotate feature without the copytruncate option?

--syslog?



syslog is not comfortable, for example, when running multiple openvpn
instances on the same server


David Sommerseth
2017-07-03 12:48:25 UTC
Post by Bonno Bloksma
I remember asking this a long time ago and at the time there was no "clean" way to rotate the openvpn log because the process would keep the log open.
I remember that at the time we compromised by doing a copy and truncate trick.
Is there a "proper" way now to use the Linux logrotate feature without the copytruncate option?
Post by Gert Doering
--syslog?
Post by Илья Шипицин
syslog is not comfortable, for example, when running multiple openvpn instances on the same server

Nonsense. IIRC, that's what Debian have been doing for a long time.
From the man page:

    --syslog [progname]
        Direct log output to system logger, but do not become a daemon.
        See --daemon directive above for description of progname parameter.

    --daemon [progname]
        [...snip...]

        The optional progname parameter will cause OpenVPN to report its
        program name to the system logger as progname. This can be useful
        in linking OpenVPN messages in the syslog file with specific
        tunnels. When unspecified, progname defaults to "openvpn".

So using --syslog "ovpn-tunnel1" in the configuration file, will make
all log entries appear as "ovpn-tunnel1".

With rsyslog and syslog-ng, you can also filter out these log entries
into a separate log file. For rsyslog, look up "Property-Based Filters"
and "Expression-Based Filters".


That said, for systemd based distributions, I recommend using the newer
openvpn-***@.service or openvpn-***@.service unit files. This
allows you to extract log information per configuration like this:

If you have your server configuration stored under
/etc/openvpn/server/tunnel1.conf ... all you need to do is (as well as
not using --log or --syslog in the configuration files)

journalctl --since yesterday -u openvpn-***@tunnel1

Then you'll have automatic rotation included as well.


--
kind regards,

David Sommerseth
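
Added example (not part of the original thread, and not the OpenVPN or Debian project's own configuration): the --syslog plus rsyslog property-based filter approach described above, with a logrotate stanza that signals rsyslog instead of using copytruncate. The file paths, the progname values ovpn-tunnel1 and ovpn-tunnel2, and the log directory /var/log/openvpn (which must already exist) are assumptions.

```conf
# --- /etc/openvpn/tunnel1.conf (assumed path) ---
# Replaces "log-append /var/log/openvpn-user.log"; OpenVPN then holds no
# log file open, so nothing has to be truncated underneath it.
syslog ovpn-tunnel1

# --- /etc/openvpn/tunnel2.conf (assumed path, second instance) ---
syslog ovpn-tunnel2

# --- /etc/rsyslog.d/30-openvpn.conf (assumed file name) ---
# Property-based filters: one file per instance, selected by program name.
# "& stop" discards the matched message afterwards so it is not written
# a second time to /var/log/syslog.
:programname, isequal, "ovpn-tunnel1"    /var/log/openvpn/tunnel1.log
& stop
:programname, isequal, "ovpn-tunnel2"    /var/log/openvpn/tunnel2.log
& stop

# --- /etc/logrotate.d/openvpn (assumed file name) ---
/var/log/openvpn/*.log {
    rotate 12
    monthly
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        # rsyslog closes and reopens its output files on SIGHUP, so it
        # starts writing to the freshly created file after the rename.
        systemctl kill -s HUP rsyslog.service
    endscript
}
```

Because the file is renamed and reopened rather than copied and truncated, no log lines fall into the gap between the copy and the truncate, which matters when these logs are the record of who connected and when.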

Илья Шипицин
2017-07-03 12:13:54 UTC
On 3 Jul 2017 at 16:45, "Gert Doering" <***@greenie.muc.de> wrote:

Hi,
Post by Bonno Bloksma
I remember asking this a long time ago and at the time there was no "clean" way to rotate the openvpn log because the process would keep the log open.
I remember that at the time we compromised by doing a copy and truncate trick.
Is there a "proper" way now to use the Linux logrotate feature without the copytruncate option?

--syslog?




Anyway, I confirm that documentation should be improved here.

I was looking for the "recommended" way of rotating logs, and I couldn't
find any