Apache Rotate Logs and Log Rotate.
david.robillard at gmail.com
Wed Feb 28 16:13:09 UTC 2007
On 2/28/07, Peter Pluta <peter at placidpublishing.net> wrote:
> Hey David, quick question. I found this while doing a bit of reading. Is
> it safe for Syslogd to send a kill -HUP to apache? This site is
> extremely high traffic and I wouldn't want it cutting off users during
> the HUP to rotate the logs. I'm running Apache 2.2.4 and FreeBSD 6.2
> It looks like Apachectl graceful is the only safe way to restart apache.
The article you're refering to is for Apache 1.3.x and you seem to be
Should you want, you can get more detailed information on how Apache
1.3.x handles kill signals here:
It's basically the same for Apache 2.2.x which is covered here:
Having said that, if your site is really busy, then consider changing
the kill signal in newsyslog.conf from -HUP to -USR1 which will
gracefully ask running httpd processes to restart once they have
finished talking to their user. As the article says:
''The USR1 signal causes the parent process to advise the children to
exit after their current request (or to exit immediately if they're
not serving anything). The parent re-reads its configuration files and
re-opens its log files. As each child dies off the parent replaces it
with a child from the new generation of the configuration, which
begins serving new requests immediately.''
Check the man page for newsyslog.conf(5) at
The last field in newsyslog.conf is where you setup which signal is
used. Here's what the man page says:
This optional field specifies the signal number that will be sent
to the daemon process (or to all processes in a process group, if
the U flag was specified). If this field is not present, then a
SIGHUP signal will be sent.
> David Robillard wrote:
> > Hi Peter,
> >> Someone told me that I need to gracefully restart apache for it to make
> >> a new log; and then wait till Apache's memory buffer is emptied to disk
> >> before gziping or bziping the files.
> > Well, I've never had to do this. Newsyslog send a `kill -HUP` to
> > apache's master PID. Which causes Apache to reopen it's log files. For
> > me anyway, the newsyslog configuration I gave you never caused me any
> > problem at all. Keep in mind that you do have to send Apache a -HUP
> > signal, otherwise you'll lose logs when newsyslog rotates them.
> >> Also, is it wise to have logs for each user in their home directory?
> >> Someone told me this is a serious security issue; but I can't see why
> >> it would be.
> > It is a security issue if the user has the rights to login to you
> > machine. If he dosen't, then you shouldn't be worried.
> > But I just don't take that chance and make all of my Apache log files
> > under /usr/local/www/virtalhost1/logs which is not accessible from
> > Apache itself because I setup my DocumentRoot under
> > /usr/local/www/virtalhost1/public_html. This way, I know for sure that
> > everything for virtualhost1 is under a single directory, but that my
> > logs can't be seen by anyone via Apache.
> > David
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
More information about the freebsd-questions