
Rotating the log of an unprivileged OpenVPN


Keve Nagy

Nov 26, 2013, 3:18:15 AM
Good Morning Everyone,
I am having trouble rotating the log file of an OpenVPN service and
could use your suggestions.
The service is configured to drop privileges and run as "nobody" after
initialization. But this does not appear to be the problem, as tests
with world writable new log files fail too.
I wanted to use newsyslog to rotate the log once it reaches a certain
size. The log is rotated exactly as I expect, but the new empty log file
does not grow. After the point of rotation OpenVPN does not log.
I tried signaling the OpenVPN process to recognize the new log file, but
I did not really find a way this could be done. Looks like OpenVPN
simply does not have the capability to start logging to a new log file
while all existing connections are kept.
The documentation refers to SIGUSR1, but sending that signal to the VPN
process after rotating the log file did not start logging to the empty
file. Sending a SIGHUP stops the VPN service and does not restart it.
Calling "/usr/local/etc/rc.d/openvpn reload" does not start logging to
the new file either. Restarting the service immediately starts logging
to the new log file, but it also drops all existing connections which do
not get reconnected automatically but time out on the client side.

One way I managed to get it working as expected was to use my own script
that resets the size of the overgrown log file to zero. Then, the
emptied file kept receiving the messages from OpenVPN. However, I would
prefer to leave all the job to newsyslog, rather than having a script
called from cron that copies the log contents to another file which gets
rotated by newsyslog while the script resets the size of the original
log file to zero.

Any suggestions on what to try to get a running OpenVPN writing to a new
empty log file is appreciated.

Regards,
Keve Nagy * Debrecen * Hungary
--
to contact me directly:
keve(at)safe-mail(dot)net
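As an added illustration (not code from the thread), the POSIX sh script below reproduces the behaviour described above: a daemon that opened its log once and never reopens it keeps writing to the original inode, so a rename-style rotation leaves the fresh file empty, while truncating the file in place keeps the same inode and the messages keep arriving. The fd-3 "daemon", the file names and the temp directories are constructed for the demo; whether a real OpenVPN holds the file in append mode depends on whether it was started with --log or --log-append.

```shell
#!/bin/sh
# Added demonstration (not from the thread): why a renamed log stops growing
# while a truncated one keeps working. The writer opens its log once on fd 3
# and never reopens it, like a daemon that does not react to the signal.

# $1 selects the open mode: "append" (O_APPEND) or "write" (O_TRUNC, no append).
open_log() {
    if [ "$1" = append ]; then exec 3>>"$LOG"; else exec 3>"$LOG"; fi
}
log_line() { printf '%s\n' "$1" >&3; }
lines() { wc -l < "$1" | tr -d ' '; }
bytes() { wc -c < "$1" | tr -d ' '; }

# Each scenario runs in its own subshell and temp dir and prints
# "<lines in new openvpn.log> <lines in openvpn.log.0>".
rename_rotation() (
    LOG=$(mktemp -d)/openvpn.log
    open_log append
    log_line "before rotation"
    mv "$LOG" "$LOG.0"; : > "$LOG"     # newsyslog-style rotation: rename, create new
    log_line "after rotation"          # goes to the old inode, now openvpn.log.0
    echo "$(lines "$LOG") $(lines "$LOG.0")"
)

truncate_rotation() (
    LOG=$(mktemp -d)/openvpn.log
    open_log append
    log_line "before rotation"
    cp "$LOG" "$LOG.0"; : > "$LOG"     # copy, then reset the original to zero
    log_line "after rotation"          # same inode; O_APPEND writes at the new end
    echo "$(lines "$LOG") $(lines "$LOG.0")"
)

# Caveat: without O_APPEND the writer keeps its old file offset, so truncation
# leaves a hole of NUL bytes before the next message. Prints the size in bytes.
truncate_without_append() (
    LOG=$(mktemp -d)/openvpn.log
    open_log write
    log_line "before rotation"         # 16 bytes, offset is now 16
    : > "$LOG"                         # size 0, but the writer's offset stays 16
    log_line "after rotation"          # 15 bytes written at offset 16 -> size 31
    bytes "$LOG"
)

echo "rename:          $(rename_rotation)"           # 0 2
echo "truncate:        $(truncate_rotation)"         # 1 1
echo "no-append bytes: $(truncate_without_append)"   # 31
```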

Torfinn Ingolfsen

Nov 26, 2013, 8:26:17 AM
On 11/26/2013 09:18, Keve Nagy wrote:
>
> Any suggestions on what to try to get a running OpenVPN writing to a new
> empty log file is appreciated.

What happens if you force OpenVPN to log via syslog?
Does it work then?

--
Torfinn Ingolfsen,
Norway

Keve Nagy

Nov 28, 2013, 12:41:44 PM
Torfinn Ingolfsen wrote:
> On 11/26/2013 09:18, Keve Nagy wrote:
>>
>> Any suggestions on what to try to get a running OpenVPN writing to a new
>> empty log file is appreciated.
>
> What happens if you force OpenVPN to log via syslog?
> Does it work then?
>

If I configure OpenVPN to log via syslogd and I also configure newsyslog
to signal syslogd upon log rotation, then it works fine.
I was still hoping to avoid the use of the extra gear of syslogd in the
mechanics of the solution. But I will use it if no other solution works.

Regards,
Keve

Balwinder S Dheeman

Nov 28, 2013, 7:16:36 PM
On 11/28/2013 11:11 PM, Keve Nagy wrote:
> Torfinn Ingolfsen wrote:
>> On 11/26/2013 09:18, Keve Nagy wrote:
>>>
>>> Any suggestions on what to try to get a running OpenVPN writing to a new
>>> empty log file is appreciated.
>>
>> What happens if you force OpenVPN to log via syslog?
>> Does it work then?
>>
>
> If I configure OpenVPN to log via syslogd and I also configure newsyslog
> to signal syslogd upon log rotation, then it works fine.
> I was still hoping to avoid the use of the extra gear of syslogd in the
> mechanics of the solution. But I will use it if no other solution works.

BTW, you should not be surprised that the beauty of Free/Open Source
Software (FOSS) is you yourself can add the needful features to it or
get the same easily done by someone who is expert in doing such kind of
programming either for free or on paying a nominal fee.

--
Balwinder S "bdheeman" Dheeman Registered Linux User: #229709
Anu'z Linux@HOME (Unix Shoppe) Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India Plan9, T2, Debian/FreeBSD/Porteus/XP
Home: http://werc.homelinux.net/ Visit: http://counter.li.org/

Mikhail T.

Dec 4, 2013, 1:18:36 PM
On 28.11.2013 12:41, Keve Nagy wrote:
> I was still hoping to avoid the use of the extra gear of syslogd in the
> mechanics of the solution. But I will use it if no other solution works.

In my opinion, going through syslogd should be the preferred solution --
whenever possible. That's because syslog.conf's syntax allows a number of
interesting things to be done to each message -- or a subset of them:

* suppress duplicate messages, that various programs begin to spout (at
high rates) once in a while;
* forward to a different host -- such as for automated analysis,
aggregation and archiving;
* store entries in multiple files -- which can then be processed by
different rules;
* broadcast to logged-in users;
* pipe into programs -- with all the freedom that entails.

Though with the original syslogd-implementations one's ability to filter
messages was limited to the enumerated "facilities" (such as "news" or "local1")
and log-levels, the FreeBSD implementation today lets you sort messages by the
"tag" (which is, typically, the name of the originating program). You can also
deal differently with messages originating from different hosts. For example,
here are bits from my current syslog.conf:

# Write whatever Varnish has to say into a single file:
!varnishd
*.* /var/log/varnish.log
# Configure Drupal's syslogd module to tag messages as "drupal"
!drupal
*.* /var/log/drupal.log
...
# Tell your router to send log-entries to your loghost:
+router
*.* /var/log/router.log

Even if you don't need any of these features in your application today, you are
likely to want (or even need!) some of them later. syslogd is already running on
your systems -- there is no overhead or other additional costs to using it.

-mi