I am setting up a new deployment of some WA's and was surprised at the lack of any options to manage the access logs. In poking around, I see there's a cron that runs hourly to logrotate at 10MB size. My WA's will be in a pretty high-traffic environment and this seems too low. I'd be curious to hear what others are doing to manage large amounts of access logs. I'm estimating my logs to be about 600-700MB/day per box.

I am no stranger to your predicament. I have to manage 12gb of log files per day. What I do is at the end of the day I have the logs ftp'd to a log box with around 100gb of storage. A perl script processes the files and pulls out information that I need to have on a day to day basis, not simply to look at them be able to recall specific information I only need. The files are the zipped up and moved to another partision which they sit in near line storage for 1 month. There after it's backed up into tape. I hope this helps CB

CB, I was thinking of a similar but opposite approach. We have some existing processes that will fetch the files, but I want to make sure I understand what I have to work with. I'm curious: did you keep the default logrotate method on the WA? If I understand it correctly, it only keeps the last 24hrs of data in 10MB chunks, correct? I would like to have a little more room for error there and maybe keep a couple days worth in case the process hiccups. I'd also like a logical naming convention, but my initial response from F5 support is this is not easily changed.

Nope. I rotated based on the end of the day rather basing in file size. Even though I had local storage I didn't want to small files because it's too many files to search through. One giant file with perl script pretty much did the trick. /CB

Out of curiosity are you referring to the HTTP Access logs or the system logs like the pvac.log? The pvac.log and comm_srv.log is stored in /var/log/wa and is zipped on a daily basis and archived for 7 days on the system. HTTP hit logs or access logs are stored in /var/wa/log/access and these are stored for 30 days on the system. Looking at these directories you should see daily files as *.gz It is definitely recommended that these files be transferred to external storage especially if they are going to be needed long term.

I am referring to the logs in: /var/log/wa/access/*.log and referencing the default wa_logrotate script in cron.hourly that loads: /var/run/config/logrotate.d/wa THIS IS AN AUTO-GENERATED FILE -- DO NOT EDIT!!! rotate 24 create compress notifempty missingok /var/log/wa/access*.log /var/log/wa/pvacLog_8081 { size=10M sharedscripts postrotate /bin/kill -HUP `/sbin/pidof -s pvac 2> /dev/null` 2> /dev/null || true endscript } /var/log/wa/stats/*.log /var/log/wa/stats/system/*.log { size=10M } /var/log/wa/stats/perfmonitor/*.log { rotate 0 size=10M } wa where do you get 30 days from this? You must be talking about an older version. PS: I am working with the WA 9.4.3 Build 1.4 Final

WA access logs | DevCentral

rb1980_75708
Nimbostratus
Apr 09, 2008
OK! So after about 2 dozen emails back and forth with support I finally have a workable solution. Thanks to all who contributed.

Let me recap:

My goal was to be able to control my own access log rotation however I wanted to, without being locked into F5's defaults.

After applying the Hotfix-BIG-IP-9.4.3-HF2 which fixed the 'bug' with the wrong path, the WA access logs were now included in the hourly rotation schedule and configured to rotate at 10MB. This was not ideal in my setup so I pressed on for a better solution.

Turns out it was not that hard, just mainly my lack of understanding of how the WA manages the config files.

So here is the solution I came up with that I am happy with.

NOTE: This configuration is not offically sanctioned by F5 and may be wiped out by future upgrades. Use at your own risk.

1. Edit /usr/share/defaults/config/templates/warotate.tmpl and remove the /var/log/wa/access/*.log filespec.

2. Run: bigpipe logrotate wa include \"blah\" (this is a hack to get it to regenerate the wa conf files)

3. Regenerate the configs with: bigpipe save all

4. Create a standard logrotate conf file here: /var/run/config/logrotate.d/wa_access with your custom settings. Here is mine:

/var/log/wa/access/*.log {

compress

ifempty

rotate 7

daily

olddir /var/log/wa/access/archive

sharedscripts

postrotate

/bin/kill -HUP `/sbin/pidof -s pvac 2> /dev/null` 2> /dev/null || true

cd /var/log/wa/access/archive;for i in `ls -1 *.1.gz`;do /usr/bin/scp $i user@host:/destdir/`date -r $i +%Y%m%d`-$i;done

endscript

}

5. You need to mkdir /var/log/wa/access/archive

6. Check your config by running: logrotate -d /etc/logrotate.conf

Note: Because I opted for a daily rotation in this case, the default logrotate script that gets called in /etc/cron.daily will pick up the wa_access file from /var/run/config/logrotate.d. If you wanted to run hourly rotation, you'd be better off following the method in SOL8320 and adding it to the wa include section.

I just put together this configuration today and haven't yet let it run on it's own, but it looks good on the debug check. I will come back and modify the post if it needs any tweaks. The only thing I am not sure about is whether or not I will leave it in cron.daily, since this gets run at 04:02. Because I'm anal, I might change it to run in a seperate crontab at midnight or just change the time in /etc/crontab.
Joseph_Hicks_36
Nimbostratus
Apr 17, 2008
RB1980,

Thanks for sticking with the logrotate stuff and posting the result here. I understand your need to customize your logging and am sorry that you had to spend time to get it the way that you want it. In addition to spending a few minutes to speak to you about your needs, I also wanted to let you know that I am tracking this thread and will look into how we can incorporate changes into WebAccelerator to allow you to more easily modify the logrotation to the way you would like it. I am the Product Manager for Acceleration at F5 which includes the WebAccelerator product. While DevCentral is not an official way to ensure that your problems with F5 solutions get addressed, I want to let you know that I am committed to making F5 products as easy to use as well as flexible.

In short, I am sorry for the bug that you ran into with logrotate and I will work with the WebAccelerator developers to provide a long term solution to your issue. If we have not spoken by the time that you get this email, feel free to drop me a note at j.hicks at f5 dot com .

Thanks,

Joe
rb1980_75708
Nimbostratus
May 07, 2008
update: as expected after installing the latest round of hotfixes, these changes get wiped out. Also, I think they got wiped out when I did a reboot a few days ago. Any suggestions from the F5 folks on how to make this "permanent"?

I suppose I could run a script on startup that copies stuff from a "safe" location back into place.

I'm not really versed in the ways of F5 yet...
rb1980_75708
Nimbostratus
Oct 29, 2008
can I put the commands in /config/startup?
Ilan_Rabinovitc
Nimbostratus
Nov 21, 2008
Have you considered changing the rotation to nightly instead of hourly by moving the cron job from cron.hourly to cron.daily?
rb1980_75708
Nimbostratus
Nov 21, 2008
You need to re-read my previous post: it IS rotating nightly, as called by the logrotate script in cron.daily. But thanks.

Forum Discussion

WA access logs

Recent Discussions

Cookie Persistence configured on VS but no logs

Cisco ISE Load Balancing

What is the use of epsec-package file in APM ?

[APM] - Error: failed to reset strict operations; disconnecting from mcpd

How to backup automation Which BIG IP already integration to BIG IQ CM

Related Content

Access Logs - Invalid Tenant

Reminder: MFA now required to log in to DevCentral

How I did it - "Remote Logging with the F5 XC Global Log Receiver and New Relic"

Check if UCS restore was ok

Global Log Receiver