The accesslog in our production environment is growing rather fast after our recent installation of the 'lastbind' overlay. This uncontrolable growth happens only when our two nodes are up and running, if we stop the service in either one of them, this problem stops and logs grow at a normal rate (1 every few days, not seconds).
Our main suspicions are:
1) The new authTimestamp attribute is causing too many 'writes' events, thus making accesslog files grow quickly.
2) There is some replication related issue which makes these logs grow until disk collapse.
# ls -ltrh /logs/accesslog
(...)
-rw------- 1 ldap ldap 10M Ago 12 18:53 log.0000000217
-rw------- 1 ldap ldap 10M Ago 12 18:54 log.0000000218
-rw------- 1 ldap ldap 10M Ago 12 18:54 log.0000000219
-rw------- 1 ldap ldap 10M Ago 12 18:54 log.0000000220
-rw------- 1 ldap ldap 10M Ago 12 18:54 log.0000000221
-rw------- 1 ldap ldap 10M Ago 12 18:54 log.0000000222
-rw------- 1 ldap ldap 10M Ago 12 18:54 log.0000000223
-rw------- 1 ldap ldap 10M Ago 12 18:55 log.0000000224
-rw------- 1 ldap ldap 10M Ago 12 18:55 log.0000000225
-rw------- 1 ldap ldap 10M Ago 12 18:55 log.0000000226
-rw------- 1 ldap ldap 10M Ago 12 18:55 log.0000000227
-rw------- 1 ldap ldap 10M Ago 12 18:55 log.0000000228
-rw------- 1 ldap ldap 10M Ago 12 18:55 log.0000000229
-rw------- 1 ldap ldap 10M Ago 12 18:55 log.0000000230
-rw------- 1 ldap ldap 10M Ago 12 18:56 log.0000000231
#### we stop node 2 ####
-rw------- 1 ldap ldap 10M Ago 16 11:07 log.0000000232
-rw------- 1 ldap ldap 10M Ago 18 12:40 log.0000000233
In case 1)
Since we don't need to log this attribute, but only regular modifications on this object, we would like to exclude this attribute form triggering the log event.
olcAccessLogOldAttr - only allows specifying a positive list of attributes that gets logged no matter whether they changed or not.
We need something like:
dn: olcOverlay={3}accesslog,olcDatabase={5}mdb,cn=config
olcAccessLogOldAttr: !authTimestamp
(a way to specify a list of attribs that never get logged even if they have changed)
Is that possible?
In case 2)
We have checked replication permissions and verified updates of some attributes in one node and the other, but apparently we can't find the cause.
Any suggestions on this particular will be welcome.
Thanks in advance.
Best regards,
---
Oriol Rosa
Security Technical Consultant
SIA Spain, S.A.
orosa@bcn.sia.es