rotatelogs Questions and Answers

Can rotatelogs write to log files over 2GB?

Platform                                    1.3 releases?   6.1 and earlier?   7.0 and later?
AIX, HP-UX/PA-RISC, Linux, Solaris/SPARC    No              No                 Yes
HP-UX/PA-RISC, Solaris/x86_64, z/OS         N/A             Yes                Yes
Windows                                     No              Yes                Yes

Why does rotatelogs not support large files on some platforms?

This applies to IBM HTTP Server 2.0 through 6.1.

The web server and rotatelogs use file access interfaces provided by the Apache Portable Runtime (APR) library bundled with IBM HTTP Server. The APR provided with IBM HTTP Server on these platforms cannot support file offsets larger than 2GB without introducing an API incompatibility, which would break all current plug-in modules written for IBM HTTP Server. However, it was possible to enable large file support for applications which only append to files without introducing an API incompatibility.

The web server's internal support for error and access log files only appends to the end of log files and does not use file offsets, so the modifications to APR allow large log files when using the internal web server support.

The rotatelogs application interacts with log files in a more complex manner, including the use of file offsets. Thus, the APR changes don't enable large file support in rotatelogs.

For releases 7.0 and later, the bundled APR allows rotatelogs to use large file offsets. Note that since rotatelogs has a static copy of the APR library, rotatelogs from later releases can be used as a piped logger in previous releases.

Does rotatelogs rotate log files if no requests are received?

No, the rotate operation will not occur until IHS logs another request. If your configuration specifies that rotatelogs performs the rotation operation after 86400 seconds, and if IHS receives no requests after 86400 seconds have elapsed, the new log file will not yet be created. Then, when rotatelogs receives its next request to log, it will create the new log file and close the old one.

Does rotatelogs buffer data before writing to the log file?

No. However, data may be buffered in the operating system kernel after the web server writes the data but before rotatelogs can read it. This time is usually very brief.

Other programs can be used to filter data seen by rotatelogs, and those programs may introduce buffering. Example:

CustomLog "|grep -v '\b200\b' | /opt/IHS/bin/rotatelogs /opt/IHS/logs/grepped 86400 540" common

In this case, grep will buffer data internally until it has a full buffer, then rotatelogs will see many log records at the same time. (4096 bytes is a typical size for the buffer used by grep.)

Note: IBM HTTP Server 6.0 prior to 6.0.2.1, or IBM HTTP Server 2.0 prior to PK07831, does not support the type of CustomLog directive in the example above.

How can I rotate log files every night at midnight?

Specify a time interval of 86400 seconds. Use the -l option to rotate at midnight local time instead of midnight UTC. IBM HTTP Server 1.3 doesn't support the -l option; specify the UTC offset parameter instead.

Example:

CustomLog "|/usr/HTTPServer/bin/rotatelogs -l /www/logs/access_%Y-%m-%d 86400" custom

This example includes the year, month, and day in the log file name. An example generated filename is /www/logs/access_2007-11-26.

Why are hour, minute, and second fields in generated filenames all zero when I rotate every 24 hours?

When rotating log files based on time intervals, the timestamp in generated filenames represents the beginning of the current interval, regardless of when the web server is started. The beginning of a 24-hour interval is always midnight, so hour, minute, and second fields are always zero. The beginning of a 1-hour interval is always the beginning of the hour, so minute and second fields are always zero.
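
The interval arithmetic described above, combined with the earlier answer that rotation only happens when the next record arrives, as an added example (a model written for this page, not rotatelogs or IBM code). The function names, the offset_min parameter (a fixed offset in minutes east of UTC, standing in for the UTC offset parameter), and the sample timestamps are assumptions.

```python
from datetime import datetime, timezone

def epoch(y, mo, d, h=0, mi=0, s=0):
    """UTC calendar time -> epoch seconds (used to build the sample data)."""
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())

def interval_start(now, interval, offset_min=0):
    """Epoch second at which the rotation interval containing `now` began.

    offset_min is a hypothetical fixed offset in minutes east of UTC; intervals
    are aligned to that shifted clock, so a 24-hour interval starts at its midnight.
    """
    shifted = now + offset_min * 60
    return shifted - shifted % interval - offset_min * 60

def log_name(pattern, now, interval, offset_min=0):
    """Expand strftime fields from the interval start, not the arrival time."""
    start = interval_start(now, interval, offset_min) + offset_min * 60
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime(pattern)

def files_created(pattern, record_times, interval, offset_min=0):
    """Files that come into existence: one per interval that saw a record."""
    names = []
    for t in sorted(record_times):
        name = log_name(pattern, t, interval, offset_min)
        if not names or names[-1] != name:
            names.append(name)
    return names

# Constructed sample: traffic on 26 and 28 November 2007, none on the 27th.
SAMPLE = [epoch(2007, 11, 26, 9, 15, 42), epoch(2007, 11, 26, 23, 59, 59),
          epoch(2007, 11, 28, 3, 0, 0)]

if __name__ == "__main__":
    fmt = "/www/logs/access_%Y-%m-%d_%H-%M-%S"
    print(log_name(fmt, SAMPLE[0], 86400))   # 24-hour interval
    print(log_name(fmt, SAMPLE[0], 3600))    # 1-hour interval
    print(files_created("/www/logs/access_%Y-%m-%d", SAMPLE, 86400))
```

The missing file for 27 November in the last result is what a day without requests looks like under this behavior, which is worth ruling out before treating a gap in daily log files as evidence of deleted logs.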

Why is the timestamp always in UTC when I rotate based on file size?

The -l option and UTC offset parameters are not respected when rotating based on file size.
This is addressed by APAR PK56939.

Error Message: error writing to logfile xxx messages lost

This message can occur when the log has grown to 2 gigabytes on platforms that don't support large files with rotatelogs. In this case, shorten the rotation interval or use size-based rotation.

This message can also occur when there is insufficient free space on the filesystem used for logging.

If this error message occurs, the log file being written to by rotatelogs will be truncated and then new entries will continue to be written to the log.

Why am I getting errors or rotatelogs crashes when starting large numbers of rotatelogs instances?

If you are using Windows XP and are trying to use large numbers of rotatelogs instances (for example, within a large number of Virtual Hosts), then you may experience errors or rotatelogs processes frequently crashing and being restarted.
IBM HTTP Server uses the same OS prerequisites as the WebSphere Application Server. Windows XP is not a supported operating system for production use.
This problem should not occur on the operating systems supported for production use.

The supported OS versions can be seen at: WebSphere Application Server detailed system requirements
Refer to the 'Software and hardware requirements / Application Server / Windows' sections.

You can use Windows XP for general development and testing purposes, but this is a limitation that you may experience.

Are there alternatives to rotatelogs?

rotatelogs is a piped logger which is responsible for switching to a new log file when certain criteria are met. You can choose to use piped logger software from a third party.
cronolog is an example of another full-featured piped log program that is sometimes used.

Refer to "How can I rotate (switch) log files?" for additional information on other possible alternatives.

Why am I unable to delete the original error log on my Windows server even after the logs are rotated?

You will not be able to remove logs to which the rotatelogs processes have active references. The rotatelogs associated with the parent process retains a reference to the one original error log that is opened when the web server starts, even after the rotatelogs processes associated with the child processes have rotated the logs. Only the currently in-use logs and the very original error log will have active references. So, if multiple rotations have occurred, those are the only three that cannot be deleted.

This behavior is the same in versions 6.x and the newer 7.0 versions of IBM HTTP Server and is a limitation of using piped loggers.

A graceful restart of the service after the logs rotate should allow the rotated logs to be removed. The restart of the web server will relinquish the reference to the original error log, and the rotatelogs associated with the parent will then have a reference to the current error log.

Another workaround would be to install and enable the mod_mpmstats module with the ReportInterval directive set to occasionally write the thread usage report to the error log. With this module, the parent process performs periodic writes to the error log, and in doing so, the parent's log reference will be updated to the current error log on a regular basis, and it will no longer have the reference to the original error log. This will allow the original log to be deleted.
For IHS 6.x, you can obtain the mod_mpmstats module by downloading the ihsdiag package at this URL: MustGather: Debugging IBM HTTP Server crashes, hangs, high CPU, startup failures
For IHS 7.0, you can find this module in the '/modules/debug' directory.
You can find enablement and usage info for the module at: http://publib.boulder.ibm.com/httpserv/ihsdiag/2.0/mod_mpmstats.html

Errors after enabling piped loggers: "piped log program 'bin/rotatelogs... failed unexpectedly"

IBM HTTP Server 6.1 and earlier must use the full filesystem path to the piped logger. The piped logger cannot be specified relative to the ServerRoot. The operative part of the error message in this FAQ is that the path is not absolute.

IBM HTTP Server 7.0 and later support a relative path to a piped logger.