github-starred/pangolin
2
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-05-08 05:39:49 -05:00
Code Issues 564 Packages Projects Releases 72 Wiki Activity

[GH-ISSUE #2644] access.log eating disk space #8966

New Issue
Open
opened 2026-04-30 05:07:54 -05:00 by GiteaMirror · 16 comments
GiteaMirror commented 2026-04-30 05:07:54 -05:00
Owner
Copy Link

Originally created by @svillar on GitHub (Mar 13, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2644

Describe the Bug

After some months of use my access.log is already > 3G. I think traefik config should set size limits and also enable compression

Environment

  • OS Type & Version: (e.g., Ubuntu 22.04)
  • Pangolin Version: latest
  • Gerbil Version: latest
  • Traefik Version: latest
  • Newt Version: latest
  • Olm Version: (if applicable)

To Reproduce

Just run it

Expected Behavior

Logs are limited in size and compressed (and rotated)

Originally created by @svillar on GitHub (Mar 13, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2644 ### Describe the Bug After some months of use my access.log is already > 3G. I think traefik config should set size limits and also enable compression ### Environment - OS Type & Version: (e.g., Ubuntu 22.04) - Pangolin Version: latest - Gerbil Version: latest - Traefik Version: latest - Newt Version: latest - Olm Version: (if applicable) ### To Reproduce Just run it ### Expected Behavior Logs are limited in size and compressed (and rotated)
GiteaMirror added the good first issueImprovementhelp wanted labels 2026-04-30 05:07:55 -05:00
GiteaMirror commented 2026-04-30 05:08:00 -05:00
Author
Owner
Copy Link

@LaurenceJJones commented on GitHub (Mar 13, 2026):

Unfortunately traefik doesn't have log size or rotation feature AFAIK. (Might have changed since I last looked but let me know if I'm wrong)

However, the installer could detect if logrotate is available (99% of the time it is) and scaffold it for you.

<!-- gh-comment-id:4053510834 --> @LaurenceJJones commented on GitHub (Mar 13, 2026): Unfortunately traefik doesn't have log size or rotation feature AFAIK. (Might have changed since I last looked but let me know if I'm wrong) However, the installer could detect if logrotate is available (99% of the time it is) and scaffold it for you.
GiteaMirror commented 2026-04-30 05:08:03 -05:00
Author
Owner
Copy Link

@svillar commented on GitHub (Mar 13, 2026):

wouldn't something like this work

accesslog:
  compress: true
  maxSize: 100

as there is for log (already in the default config)

EDIT: logrotate is in the system but I don't think it works with "unusual" locations. My access log is under config/traefik/logs

<!-- gh-comment-id:4053524213 --> @svillar commented on GitHub (Mar 13, 2026): wouldn't something like this work ``` accesslog: compress: true maxSize: 100 ``` as there is for `log` (already in the default config) EDIT: logrotate is in the system but I don't think it works with "unusual" locations. My access log is under config/traefik/logs
GiteaMirror commented 2026-04-30 05:08:07 -05:00
Author
Owner
Copy Link

@LaurenceJJones commented on GitHub (Mar 13, 2026):

Not sure where you got those from as docs state https://doc.traefik.io/traefik/v3.0/observability/access-logs/#log-rotation

Log and access log have different properties.

<!-- gh-comment-id:4053537530 --> @LaurenceJJones commented on GitHub (Mar 13, 2026): Not sure where you got those from as docs state https://doc.traefik.io/traefik/v3.0/observability/access-logs/#log-rotation Log and access log have different properties.
GiteaMirror commented 2026-04-30 05:08:08 -05:00
Author
Owner
Copy Link

@svillar commented on GitHub (Mar 13, 2026):

Right, replying to myself, that temptative config is wrong and makes traefik fail.

With regard to log rotate it should be a matter of adding a new file to /etc/logrotate.d

Feel free to close it if you think that nothing can be done from pangolin side, maybe adding something to the docs?

<!-- gh-comment-id:4053589796 --> @svillar commented on GitHub (Mar 13, 2026): Right, replying to myself, that temptative config is wrong and makes traefik fail. With regard to log rotate it should be a matter of adding a new file to `/etc/logrotate.d` Feel free to close it if you think that nothing can be done from pangolin side, maybe adding something to the docs?
GiteaMirror commented 2026-04-30 05:08:09 -05:00
Author
Owner
Copy Link

@svillar commented on GitHub (Mar 13, 2026):

However, the installer could detect if logrotate is available (99% of the time it is) and scaffold it for you.

Ah I missed this, could you share a sample config generated by the installer? I already have one but I wonder whether it should stop some service and resume it before/after rotating

<!-- gh-comment-id:4053612197 --> @svillar commented on GitHub (Mar 13, 2026): > However, the installer could detect if logrotate is available (99% of the time it is) and scaffold it for you. Ah I missed this, could you share a sample config generated by the installer? I already have one but I wonder whether it should stop some service and resume it before/after rotating
GiteaMirror commented 2026-04-30 05:08:11 -05:00
Author
Owner
Copy Link

@LaurenceJJones commented on GitHub (Mar 13, 2026):

The community has already answered this question on stackoverflow

https://stackoverflow.com/questions/49450422/how-to-enable-logrotation-for-traefik

but yeah, we can explore options for the installer (its doesnt already do this, my previous message was to say "we can explore options to add it") im sure that the access logs are only configured when using crowdsec.

<!-- gh-comment-id:4054112355 --> @LaurenceJJones commented on GitHub (Mar 13, 2026): The community has already answered this question on stackoverflow https://stackoverflow.com/questions/49450422/how-to-enable-logrotation-for-traefik but yeah, we can explore options for the installer (its doesnt already do this, my previous message was to say "we can explore options to add it") im sure that the access logs are only configured when using crowdsec.
GiteaMirror commented 2026-04-30 05:08:12 -05:00
Author
Owner
Copy Link

@AstralDestiny commented on GitHub (Mar 21, 2026):

Which stuff do you have in your logs settings if I might ask? if you add more stuff to be kept in logging the logs can inflate fast.

<!-- gh-comment-id:4103985026 --> @AstralDestiny commented on GitHub (Mar 21, 2026): Which stuff do you have in your logs settings if I might ask? if you add more stuff to be kept in logging the logs can inflate fast.
GiteaMirror commented 2026-04-30 05:08:14 -05:00
Author
Owner
Copy Link

@TJothiprakash commented on GitHub (Apr 4, 2026):

Hi, I'd like to take a stab at this if no one else is working on it!

My proposed approach:

  • Add a logrotate config file scaffolded by the installer for the Traefik access log at config/traefik/logs/
  • Include a postrotate hook to send SIGUSR1 to the Traefik container so it reopens the log file without a full restart
  • Gate the scaffolding on whether logrotate is available on the host system

Please let me know if this aligns with what you had in mind, or if there are any constraints I should be aware of before I open a PR. Thanks!

<!-- gh-comment-id:4186321113 --> @TJothiprakash commented on GitHub (Apr 4, 2026): Hi, I'd like to take a stab at this if no one else is working on it! My proposed approach: - Add a `logrotate` config file scaffolded by the installer for the Traefik access log at `config/traefik/logs/` - Include a `postrotate` hook to send SIGUSR1 to the Traefik container so it reopens the log file without a full restart - Gate the scaffolding on whether `logrotate` is available on the host system Please let me know if this aligns with what you had in mind, or if there are any constraints I should be aware of before I open a PR. Thanks!
GiteaMirror commented 2026-04-30 05:08:21 -05:00
Author
Owner
Copy Link

@oschwartz10612 commented on GitHub (Apr 4, 2026):

A user has made a PR like this before. We ended up not wanting to take
it because we do not want to make the default install config any more
complicated than it needs to be. We want to keep it simple.

Perhaps if the traefik access logs are enabled we should have a detailed
docs page explaining how to manage it? PR welcome for that! :}

<!-- gh-comment-id:4187196102 --> @oschwartz10612 commented on GitHub (Apr 4, 2026): A user has made a PR like this before. We ended up not wanting to take it because we do not want to make the default install config any more complicated than it needs to be. We want to keep it simple. Perhaps if the traefik access logs are enabled we should have a detailed docs page explaining how to manage it? PR welcome for that! :}
GiteaMirror commented 2026-04-30 05:08:23 -05:00
Author
Owner
Copy Link

@LaurenceJJones commented on GitHub (Apr 6, 2026):

Just to point out that access log is only enabled when CrowdSec option is selected from the installer. Maybe even if the installer were to point users in the direction of "Enabling CrowdSec enables access logs if you want to configure log rotation go to XYZ"?

but maybe we can discuss more @oschwartz10612

<!-- gh-comment-id:4191728293 --> @LaurenceJJones commented on GitHub (Apr 6, 2026): Just to point out that access log is _only_ enabled when CrowdSec option is selected from the installer. Maybe even if the installer were to point users in the direction of "Enabling CrowdSec enables access logs if you want to configure log rotation go to XYZ"? but maybe we can discuss more @oschwartz10612
GiteaMirror commented 2026-04-30 05:08:26 -05:00
Author
Owner
Copy Link

@oschwartz10612 commented on GitHub (Apr 6, 2026):

Ahh good point @LaurenceJJones. @TJothiprakash I do actually think then
I would be okay with adding this to the Crowdsec docker compose. I dont
have any issues making that install larger and more complicated.

<!-- gh-comment-id:4192127491 --> @oschwartz10612 commented on GitHub (Apr 6, 2026): Ahh good point @LaurenceJJones. @TJothiprakash I do actually think then I would be okay with adding this to the Crowdsec docker compose. I dont have any issues making that install larger and more complicated.
GiteaMirror commented 2026-04-30 05:08:29 -05:00
Author
Owner
Copy Link

@sidd190 commented on GitHub (Apr 18, 2026):

Hii, I have the codebase setup locally.

I'm thinking of approaching this by adding a setupTraefikLogRotate() function to the install/crowdsec.go file. This will write a logrotate file to /etc/logrotate.d/pangolin-traefik pointing at <installDir>/config/traefik/logs/access.log. Or should I add a container approach here, using a small container for the crowdsec compose fragment running logrotate as a cron?

I will update the docs in the documentation repo with a simultaneous PR describing why the log grows, what one might and might not want, and how crowdsec installation was updated if need be.

Does that sound good?

<!-- gh-comment-id:4274310071 --> @sidd190 commented on GitHub (Apr 18, 2026): Hii, I have the codebase setup locally. I'm thinking of approaching this by adding a `setupTraefikLogRotate()` function to the `install/crowdsec.go` file. This will write a logrotate file to `/etc/logrotate.d/pangolin-traefik` pointing at `<installDir>/config/traefik/logs/access.log`. Or should I add a container approach here, using a small container for the crowdsec compose fragment running logrotate as a cron? I will update the docs in the documentation repo with a simultaneous PR describing why the log grows, what one might and might not want, and how crowdsec installation was updated if need be. Does that sound good?
GiteaMirror commented 2026-04-30 05:08:34 -05:00
Author
Owner
Copy Link

@AstralDestiny commented on GitHub (Apr 18, 2026):

Sounds good, Though curious with my deployment (differs from pangolin's orignal) My log file for crowdsec to read is only 185mb and the log goes back 2 years so far. Guess be more curious if the current log is writing additional fields that aren't needed for crowdsec's operation.

<!-- gh-comment-id:4274433775 --> @AstralDestiny commented on GitHub (Apr 18, 2026): Sounds good, Though curious with my deployment (differs from pangolin's orignal) My log file for crowdsec to read is only 185mb and the log goes back 2 years so far. Guess be more curious if the current log is writing additional fields that aren't needed for crowdsec's operation.
GiteaMirror commented 2026-04-30 05:08:37 -05:00
Author
Owner
Copy Link

@sidd190 commented on GitHub (Apr 19, 2026):

Sounds good, Though curious with my deployment (differs from pangolin's orignal) My log file for crowdsec to read is only 185mb and the log goes back 2 years so far. Guess be more curious if the current log is writing additional fields that aren't needed for crowdsec's operation.

Hmmm I tried to go through the fields, but that doesn't seem like the elephant in the room for this problem. I think fields like TLSVersion, TLSCipher, DownstreamContentSize, RetryAttempts, Content-Type header aren't being directly used by the crowdsec detection scenarios, but the major problem is also about the growth due to traffic volume, so logrotate and log size limits will help reduce this and maybe these fields can be dropped in a seperate PR after a green light on what can and can't be reduced maybe?

<!-- gh-comment-id:4275201183 --> @sidd190 commented on GitHub (Apr 19, 2026): > Sounds good, Though curious with my deployment (differs from pangolin's orignal) My log file for crowdsec to read is only 185mb and the log goes back 2 years so far. Guess be more curious if the current log is writing additional fields that aren't needed for crowdsec's operation. Hmmm I tried to go through the fields, but that doesn't seem like the elephant in the room for this problem. I think fields like TLSVersion, TLSCipher, DownstreamContentSize, RetryAttempts, Content-Type header aren't being directly used by the crowdsec detection scenarios, but the major problem is also about the growth due to traffic volume, so logrotate and log size limits will help reduce this and maybe these fields can be dropped in a seperate PR after a green light on what can and can't be reduced maybe?
GiteaMirror commented 2026-04-30 05:08:40 -05:00
Author
Owner
Copy Link

@sidd190 commented on GitHub (Apr 19, 2026):

I've added a paired code - documentation update from what I could understand. Can someone please take a look and review it whenever possible.

<!-- gh-comment-id:4275436661 --> @sidd190 commented on GitHub (Apr 19, 2026): I've added a paired code - documentation update from what I could understand. Can someone please take a look and review it whenever possible.
GiteaMirror commented 2026-04-30 05:08:41 -05:00
Author
Owner
Copy Link

@AstralDestiny commented on GitHub (Apr 19, 2026):

accessLog:
  filePath: "/logs/traefik/access.log"
  fields:
    headers:
      names:
        User-Agent: keep

For me, honestly don't even need User-Agent as I mostly have whitelists contained against traefik's own routers.

<!-- gh-comment-id:4276463603 --> @AstralDestiny commented on GitHub (Apr 19, 2026): ```yml accessLog: filePath: "/logs/traefik/access.log" fields: headers: names: User-Agent: keep ``` For me, honestly don't even need User-Agent as I mostly have whitelists contained against traefik's own routers.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
api
authentication
bug
config
dependencies
docker
documentation
enhancement
good first issue
help wanted
Improvement
Look Into
needs investigating
networking
new feature
non-critical bug
potential bug
pull-request
Mirrored from GitHub Pull Request
 question
reverse proxy
Security
stale
ui
wontfix
No Label good first issue help wanted Improvement
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#8966
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?