The information contained in this article has been verified as up-to-date on the date of the original publication of the article. HashiCorp endeavors to keep this information up-to-date and correct, but it makes no representations or warranties of any kind, express or implied, about the ongoing completeness, accuracy, reliability, or suitability of the information provided.
All information contained in this article is for general information purposes only. Any reliance you place on such information as it applies to your use of your HashiCorp product is therefore strictly at your own risk.
What is Logrotate?
Logrotate is designed to ease the administration of system log files by managing their automatic rotation, compression, removal, mailing, and more. Each log file may be handled on any desired interval (daily, weekly, monthly) or subject to other conditions, such as exceeding a given file size.
Normally, Logrotate is scheduled to run as a daily cron job. Unless the -f or --force argument is used to force a run, the configured interval and the other criteria continue to determine whether a rotation actually happens on a scheduled execution. For example: logrotate -f $CONFIG_FILE_PATH
What's important to note is that a SIGHUP needs to be sent to the Vault process whenever log files are rotated on BSD, Darwin, or Linux-based Vault servers, so that Vault reopens the audit log file instead of continuing to write to the renamed one.
Prerequisite:
- A running instance of Vault with an audit device already enabled at the desired path. In my case, I used a file audit device enabled at /var/log/vault_audit.log. The same conditions are expected on all the Vault nodes as well as on other DR-secondary clusters, with the appropriate permissions and settings applied everywhere.
Setup:
Note that this demonstration was made using an Ubuntu 20.04 LTS server with Vault v1.8.5+ent running.
- On the Vault active node, run the following to enable a file audit device at the designated path:
vault audit enable file file_path=/var/log/vault_audit.log
- Make sure that the file audit device is successfully created:
vault audit list --detailed
Output:
Path     Type    Description    Replication    Options
----     ----    -----------    -----------    -------
file/    file    n/a            replicated     file_path=/var/log/vault_audit.log
- Install Logrotate on all the Vault nodes:
sudo apt install aptitude && sudo apt install logrotate
- Create a Logrotate config file (vault_audit_log_rotate.conf) for audit log rotation on all the Vault nodes, using the example shown below, which you can adjust to match your setup:
sudo touch /etc/logrotate.d/vault_audit_log_rotate.conf
# Change the path below to your own audit log path.
/var/log/vault_audit.log
{
    rotate 30
    daily
    # Note: "size" replaces the time-based criterion set by "daily" (the later
    # directive wins), so with both present the log is rotated only once it
    # exceeds 500M. Use "maxsize" instead if you want "daily, or earlier once
    # the file exceeds 500M".
    size=500M
    # Do not rotate if the log file is empty.
    notifempty
    missingok
    compress
    # Compress on the next rotate cycle to prevent entry loss while compression is in progress.
    delaycompress
    # Keep the "log" extension after the date stamp: the extension is stripped
    # before the date is appended, so the trailing "." in dateformat produces
    # names like vault_audit.2022-05-10.log
    extension log
    dateext
    dateformat %Y-%m-%d.
    postrotate
        # Vault only reopens the audit log when signalled; without this it keeps
        # writing to the renamed file.
        /bin/kill -SIGHUP $(pidof vault) 2> /dev/null
        echo "A rotation just took place." | mail ubuntu
    endscript
}
# With these settings, your audit folder will look like:
# ├── vault_audit.2022-05-10.log.gz
# ├── vault_audit.2022-05-11.log
# └── vault_audit.log
Note: An explanation of each directive used in this configuration file (rotate, daily, etc.) can be found on the Logrotate man page.
- To perform a dry run that shows what Logrotate would do without actually doing it, use the -d switch followed by the configuration file:
logrotate -d /etc/logrotate.d/vault_audit_log_rotate.conf
To force Logrotate to run regardless of the configured interval and other criteria, run:
logrotate -f /etc/logrotate.d/vault_audit_log_rotate.conf
- If the previous command is successful, listing the log directory shows the rotated file next to a new, empty audit log:
ls -la /var/log/ | grep audit
# -rw------- 1 ubuntu ubuntu 12000 May 11 12:06 vault_audit.2022-05-11.log
# -rw------- 1 ubuntu ubuntu 0 May 11 12:13 vault_audit.log
- To check when Logrotate last ran for the Vault audit log, you can run:
cat /var/lib/logrotate/status | grep vault
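To confirm that the SIGHUP in postrotate actually made Vault reopen the audit log rather than keep writing into the renamed file, here is an added shell check that is not part of the original article. It inspects /proc/<pid>/fd on Linux, assumes the Vault process can be found with pidof vault, and must run as the Vault user or root to read that process's descriptor table.

```shell
#!/bin/sh
# After a rotation, the live audit log must be the file the Vault process has
# open. Without SIGHUP the descriptor still points at the renamed (rotated)
# file and the fresh /var/log/vault_audit.log stays empty.
#
# audit_fd_check PID PATH
#   returns 0 if PID has PATH open (same device and inode),
#           1 if PID has no descriptor on PATH (it is writing elsewhere),
#           2 if /proc is not available (non-Linux host).
audit_fd_check() {
    pid=$1
    path=$2
    [ -d "/proc/$pid/fd" ] || return 2
    # Reading another user's /proc/PID/fd needs the same uid or root.
    for fd in /proc/"$pid"/fd/*; do
        # -ef follows the /proc symlink and compares device and inode, so it
        # tells the live file apart from a rotated one with the old name.
        if [ "$fd" -ef "$path" ]; then
            return 0
        fi
    done
    return 1
}

# Wrapper for a Vault node: uses the first pid reported by pidof (assumption).
vault_audit_fd_check() {
    path=${1:-/var/log/vault_audit.log}
    pid=$(pidof vault | cut -d' ' -f1)
    [ -n "$pid" ] || { echo "vault is not running" >&2; return 1; }
    if audit_fd_check "$pid" "$path"; then
        echo "OK: vault (pid $pid) has $path open"
    else
        echo "WARNING: vault (pid $pid) is not writing to $path; send SIGHUP" >&2
        return 1
    fi
}
```

Run vault_audit_fd_check right after a forced rotation: a WARNING means the postrotate signal did not reach Vault and audit entries are still going to the rotated file.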
Logrotate & Cron:
By default, installing Logrotate creates a cron script named logrotate inside /etc/cron.daily. Depending on the frequency you need, you can move this file to another cron schedule, for example:
mv /etc/cron.daily/logrotate /etc/cron.hourly/logrotate