rotatelogs Questions and Answers

Can rotatelogs write to log files over 2GB?

Platform 1.3 releases? 6.1 and earlier? 7.0 and later?
AIX, HP-UX/PA-RISC, Linux, Solaris/SPARC No No Yes
HP-UX/PA-RISC, Solaris/x86_64, z/OS N/A Yes Yes
Windows No Yes Yes

Why does rotatelogs not support large files on some platforms?

This applies to IBM HTTP Server 2.0 through 6.1.

The web server and rotatelogs use file access interfaces provided by the Apache Portable Runtime (APR) library bundled with IBM HTTP Server. The APR provided with IBM HTTP Server on these platforms cannot support file offsets larger than 2GB without introducing an API incompatibility, which would break all current plug-in modules written for IBM HTTP Server. However, it was possible to enable large file support for applications which only append to files without introducing an API incompatibility.

The web server's internal support for error and access log files only appends to the end of log files and does not use file offsets, so the modifications to APR allow large log files when using the internal web server support.

The rotatelogs application interacts with log files in a more complex manner, including the use of file offsets. Thus, the APR changes don't enable large file support in rotatelogs.

For releases 7.0 and later, the bundled APR allows rotatelogs to use large file offsets. Note that since rotatelogs has a static copy of the APR library, rotatelogs from later releases can be used as a piped logger in previous releases.

Shouldn't I see a new logfile exactly when my interval ends?

Does rotatelogs rotate log files if no requests are received?

No, the rotate operation will not occur until IHS logs another request. If your configuration specifies that rotatelogs performs the rotation operation after 86400 seconds, and if IHS receives no requests after 86400 seconds have elapsed, the new log file will not yet be created. Then, when rotatelogs receives its next request to log, it will create the new log file and close the old one.

Does rotatelogs buffer data before writing to the log file?

No. However, data may be buffered in the operating system kernel after the web server writes the data but before rotatelogs can read it. This time is usually very brief.

Other programs can be used to filter data seen by rotatelogs, and those programs may introduce buffering. Example:

CustomLog "|grep -v \b200\b | /opt/IHS/bin/rotatelogs /opt/IHS/logs/grepped 86400" common

In this case, grep will buffer data internally until it has a full buffer, then rotatelogs will see many log records at the same time. (4096 bytes is a typical size for the buffer used by grep.)

Note: IBM HTTP Server 6.0 prior to 6.0.2.1, or IBM HTTP Server 2.0 prior to PK07831, does not support the type of CustomLog directive in the example above.

How can I rotate log files every night at midnight?

Specify a time interval of 86400 seconds. Use the -l option to rotate at midnight local time instead of midnight UTC. IBM HTTP Server 1.3 doesn't support the -l option; specify the UTC offset parameter instead.

Example:

CustomLog "|/usr/HTTPServer/bin/rotatelogs -l /www/logs/access_%Y-%m-%d 86400" custom

This example includes the year, month, and day in the log file name. An example generated filename is /www/logs/access_2007-11-26.

Why is the date in a new log file not todays date?

If you rotate every N seconds, rotatelogs picks an initial date and time based on whole intervals of N seconds starting from the beginning of the Unix epoch (January 1 1970).

For example, if you configure rotatelogs to rotate every 7 days (604800 seconds), a new logfile created January 1-6 1970 would have a timestamp of January 1 1970.

This algorithm can easily be investigated on a shell command line:

date -u --date=@$(($((`date +%s` / 604800)) * 604800))

Why are hour, minute, and second fields in generated filenames all zero when I rotate every 24 hours?

When rotating log files based on time intervals, the timestamp in generated filenames represents the beginning of the current interval, regardless of when the web server is started. The beginning of a 24-hour interval is always midnight, so hour, minute, and second fields are always zero. The beginning of a 1-hour interval is always the beginning of the hour, so minute and second fields are always zero.

Why is the timestamp always in UTC when I rotate based on file size?

The -l option and UTC offset parameters are not respected when rotating based on file size.
This is addressed by APAR PK56939.

Why are many timestamped files created at startup?

Apache, especially on Windows, launches rotatelogs a number of times for each time it's used in the configuration, as the configuration is first checked, re-ran, then possibly run again in the child proces (Windows only).

When you rotate based on size, and include seconds in your filename format, you will see multiple files with the second field incrementing.

We suggest not using seconds in general, but especially when rotating based on size.

Error Message: error writing to logfile xxx messages lost

This message can occur when the log has grown to 2 gigabytes on platforms that don't support large files with rotatelogs. In this case, shorten the rotation interval or use size-based rotation.

This message can also occur when there is insufficient free space on the filesystem used for logging.

If this error message occurs, the log file being written to by rotatelogs will be truncated and then new entries will continue to be written to the log.

Why am I getting errors or rotatelogs crashes when starting large numbers of rotatelogs instances

If you are using Windows and are trying to use large numbers of rotatelogs instances (for example, within a large number of Virtual Hosts), then you may experience errors or rotatelogs processes frequently crashing and being restarted. This is caused by exhaustion of a resource called the "Desktop Heap". For more information on the desktop heap, refer to this article.

Possible techniques for working around this limitation:

Increasing the desktop heap size involves changing registry values. Back up the Windows Registry before making any changes and be very careful when changing any values.

To increase the desktop heap, use the following procedure:

Note that increasing the last value increases the desktop heap size for all services. Do not make the value larger than necessary; each service in the system will consume more resources. While experimenting, we found that a value of 2048 was enough to run 200+ instances of rotatelogs.

Are there alternatives to rotatelogs?

rotatelogs is a piped logger which is responsible for switching to a new log file when certain criteria are met. You can choose to use piped logger software from a third party.

Refer to How can I rotate (switch) log files? for additional information on other possible alternatives.

Why am I unable to delete the original error log on my Windows server even after the logs are rotated?

You will not be able to remove logs to which the rotatelogs processes have active references. There are two references to each error log, one owned by the parent and one owned by a child process. As long as either process still has a reference to the error log, you will not be able to delete it. Once a new log file is created by the piped logger, the parent and child will not 'move' to the new log until something causes them to need to write to the log, or when the server restarts.

This behavior is the same in versions 6.x, 7.0, and the newer 8.x versions of IBM HTTP Server and is a limitation of using piped loggers such as rotatelogs.

If you attempt to remove a log that still has active references, the delete will not take place and if you are using a process monitor type tool, you may see an indication such as "DELETE PENDING". The behavior may vary depending upon whether you attempt the delete from the command-line versus doing it from Windows Explorer, with the latter apparently less likely to have issues.

Possible techniques for working around this limitation:

Errors after enabling piped loggers 'piped log program 'bin/rotatelogs... failed unexpectedly'

You must use the full filesystem path to the piped logger. The piped logger cannot be specified relative to the ServerRoot. The operative part of the error message in this FAQ is that the path is not absolute. For rotatelogs, the logfile path must also be absolute (although other piped loggers might allow you to use a relative path).

Is it safe to have two logging directives that use piped loggers point to the same file?

No, it's not safe to have two piped loggers writing to a logfile. The writes are not coordinated.

It is possible that a more sophisticated, non "rotatelogs" piped logger could coordinate its writes across processes.

When does rotatelogs close the file it's logging to?

Rotatelogs closes its output under the following scenarios:

It is possible that a more sophisticated, non "rotatelogs" piped logger could arrange to close the file earlier.