Log rotation and virtual hosts

I manage a web site for a professional society that has a few dozen
active subdivisions. Each subdivision gets its own virtual host. To
date, we've simply combined their logs with the logs from the main
site. Now some subidivisions want to manage their own logs. It's
trivial to setup Apache to log the activity for each subdivision into
the subdivision's own log directory.

The problem comes when it's time to rotate the logs. This normally
requires restarting the web server. I could give each virtual host
manager a sudo script that would restart the server. I'd rather find
a cleaner solution.

Any suggestions of a cleaner way to do this?

What do the commercial web space providers do?
--
Brian Borchers borchers@nmt.edu
Department of Mathematics http://www.nmt.edu/~borchers/
New Mexico Tech Phone: 505-835-5813
Socorro, NM 87801 FAX: 505-835-5366


-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 80,000 Newsgroups - 16 Different Servers! =-----

borchers@rainbow.nmt.edu (Brian Borchers) writes:
> The problem comes when it's time to rotate the logs. This normally
> requires restarting the web server. I could give each virtual host
> manager a sudo script that would restart the server. I'd rather find
> a cleaner solution.

That opens you up to the possibility of a DoS attack (and maybe other
security vulnerabilities) unless you're very careful, so a cleaner
solution is good.

> Any suggestions of a cleaner way to do this?
>
> What do the commercial web space providers do?

No idea what the commercial ones do, but on a box I have with a lot of
separately logged vhosts, the logrotate script for apache contains
logrotate instructions for each vhost's logfile, and uses shared
scripts on postrotate to restart the server.

In /etc/logrotate.d/apache:
/var/log/apache/vhost1/*.log {
weekly
missingok
rotate 4
compress
notifempty
create 640 root vhost1
sharedscripts
postrotate
/etc/init.d/apache reload > /dev/null
endscript
}
/var/log/apache/vhost2/*.log {
weekly
missingok
rotate 4
compress
notifempty
create 640 root vhost2
sharedscripts
postrotate
/etc/init.d/apache reload > /dev/null
endscript
}

And that's it. If your vhosted people want to do their own log
rotation, then they can tell *you* how many to keep, daily, weekly or
monthly, etc. and you can make the changes to the central file - no
need to have them all on the same parameters.

The file's from a Debian distribution, by the way, but I can't imagine
it'd be *much* different on any Unix/Linux distribution with a decent
logrotate program.

The postrotate script can probably be replaced with 'apachectl
graceful' or similar if you prefer, though I've not tested that.

You then make /home/vhost1owner/weblogs/ a symlink to
/var/log/apache/vhost1/ and set up permissions so they can read but
not write (already in the example).

--
Chris