OK! So after about 2 dozen emails back and forth with support I finally have a workable solution. Thanks to all who contributed.
Let me recap:
My goal was to be able to control my own access log rotation however I wanted to, without being locked into F5's defaults.
After applying the Hotfix-BIG-IP-9.4.3-HF2 which fixed the 'bug' with the wrong path, the WA access logs were now included in the hourly rotation schedule and configured to rotate at 10MB. This was not ideal in my setup so I pressed on for a better solution.
Turns out it was not that hard, just mainly my lack of understanding of how the WA manages the config files.
So here is the solution I came up with that I am happy with.
NOTE: This configuration is not officially sanctioned by F5 and may be wiped out by future upgrades. Use at your own risk.
1. Edit /usr/share/defaults/config/templates/warotate.tmpl and remove the /var/log/wa/access/*.log filespec.
2. Run (this is a hack to get it to regenerate the wa conf files):
    bigpipe logrotate wa include \"blah\"
3. Regenerate the configs with:
    bigpipe save all
4. Create a standard logrotate conf file here: /var/run/config/logrotate.d/wa_access with your custom settings. Here is mine:
    /var/log/wa/access/*.log {
        compress
        ifempty
        rotate 7
        daily
        olddir /var/log/wa/access/archive
        sharedscripts
        # postrotate: send SIGHUP to pvac, then scp each *.1.gz archive to the remote host with a date prefix
        postrotate
            /bin/kill -HUP `/sbin/pidof -s pvac 2> /dev/null` 2> /dev/null || true
            cd /var/log/wa/access/archive;for i in `ls -1 *.1.gz`;do /usr/bin/scp $i user@host:/destdir/`date -r $i +%Y%m%d`-$i;done
        endscript
    }
5. You need to:
    mkdir /var/log/wa/access/archive
6. Check your config by running:
    logrotate -d /etc/logrotate.conf
Note: Because I opted for a daily rotation in this case, the default logrotate script that gets called in /etc/cron.daily will pick up the wa_access file from /var/run/config/logrotate.d. If you wanted to run hourly rotation, you'd be better off following the method in SOL8320 and adding it to the wa include section.
I just put together this configuration today and haven't yet let it run on its own, but it looks good on the debug check. I will come back and modify the post if it needs any tweaks. The only thing I am not sure about is whether or not I will leave it in cron.daily, since this gets run at 04:02. Because I'm anal, I might change it to run in a separate crontab at midnight or just change the time in /etc/crontab.
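
A more defensive take on the copy step from the postrotate script above, as an added example that is not part of the original post: it avoids parsing `ls`, quotes file names, skips cleanly when nothing matches, and counts failed copies so a broken off-box transfer is visible instead of silent. `ARCHIVE_DIR`, `DEST`, `COPY_CMD` and the function names are assumptions made for this sketch; `user@host:/destdir` is the post's own placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: ship rotated archives off-box.
# ARCHIVE_DIR, DEST and COPY_CMD are assumed names; override via environment.
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/wa/access/archive}"
DEST="${DEST:-user@host:/destdir}"               # placeholder from the post
COPY_CMD="${COPY_CMD:-scp -q -o BatchMode=yes}"  # BatchMode: never prompt under cron

# Print the dated remote name for one archive, e.g. 20080115-a.log.1.gz
# (file modification date, as in the post's `date -r $i +%Y%m%d`).
dated_name() {
    printf '%s-%s\n' "$(date -r "$1" +%Y%m%d)" "$(basename "$1")"
}

# Copy every *.1.gz in ARCHIVE_DIR to DEST under its dated name.
# Return status is the number of copies that failed (0 = all shipped).
ship_archives() {
    failed=0
    for f in "$ARCHIVE_DIR"/*.1.gz; do
        [ -f "$f" ] || continue          # glob matched nothing: skip quietly
        if $COPY_CMD "$f" "$DEST/$(dated_name "$f")"; then
            echo "shipped $f"
        else
            echo "FAILED  $f" >&2        # surfaces in cron mail
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run only when invoked as: script --run
if [ "${1:-}" = "--run" ]; then
    ship_archives
fi
```

Saved as a script, it could replace the inline `for` loop in the postrotate section by calling it with `--run`.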