DOCS-11028

Additional option for initiating logRotate

Especially on Windows, where using SIGUSR1 is not an option, we should document the idea of creating a user that has only the logRotate privilege, to be used by a scheduled task that initiates log rotation.

A possible option would be to create a user with a user-defined role that allows only the logRotate privilege. This way, even if the password were compromised, the only thing a malicious user could accomplish would be running the logRotate command.

For example, the commands below can be run in the MongoDB Shell to create a user-defined role and a user who has that role assigned.

// create a user-defined role that only permits log rotation
// (adminCommand runs this against the admin database, so the role lives there)
db.adminCommand({ createRole: "logrotate", privileges: [ { resource: { cluster: true }, actions: [ "logRotate" ] } ], roles: [] })

// create a user that has the logrotate role assigned
// (run with the admin database selected, e.g. after `use admin`, so the user is created in admin)
db.createUser({ user: "logrotateUser", pwd: "password", roles: [ { role: "logrotate", db: "admin" } ] })

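
Before handing the logrotateUser credential to a scheduled task, it is worth confirming that the role really grants nothing beyond logRotate. The following is an added example, not part of this ticket or of MongoDB's own code: it checks a role document shaped like the output of `rolesInfo` with `showPrivileges: true`, builds the command document the scheduled task would send, and, when run inside mongosh, audits the live role. The sample role documents are constructed; the role and user names follow the ticket.

```javascript
// Added example: least-privilege check for the logrotate role from the ticket.
// Runs stand-alone under node; the guarded block at the end runs only in mongosh.

// The command a scheduled task sends after authenticating as logrotateUser.
function logRotateCommand() {
  return { logRotate: 1 };
}

// Returns true only if the role grants the single privilege
// { resource: { cluster: true }, actions: ["logRotate"] } and inherits no roles.
function isLogRotateOnlyRole(roleDoc) {
  if (!roleDoc || !Array.isArray(roleDoc.privileges)) return false;
  if (Array.isArray(roleDoc.roles) && roleDoc.roles.length > 0) return false;
  // Prefer the effective (inherited) privilege set when rolesInfo returns it.
  const privs = roleDoc.inheritedPrivileges || roleDoc.privileges;
  if (privs.length !== 1) return false;
  const [p] = privs;
  const clusterOnly = !!p.resource && p.resource.cluster === true
    && Object.keys(p.resource).length === 1;
  return clusterOnly && Array.isArray(p.actions)
    && p.actions.length === 1 && p.actions[0] === "logRotate";
}

// Constructed sample, shaped like rolesInfo output for the role in the ticket.
const sampleRole = {
  role: "logrotate", db: "admin", isBuiltin: false,
  roles: [], inheritedRoles: [],
  privileges: [{ resource: { cluster: true }, actions: ["logRotate"] }],
  inheritedPrivileges: [{ resource: { cluster: true }, actions: ["logRotate"] }],
};

// Constructed counter-example: an over-broad role that would let a leaked
// scheduled-task credential do far more than rotate logs.
const overBroadRole = {
  role: "logrotate", db: "admin", isBuiltin: false,
  roles: [{ role: "clusterAdmin", db: "admin" }],
  privileges: [{ resource: { cluster: true }, actions: ["logRotate"] }],
};

// In mongosh (connected with a role that can read roles), audit the real role.
if (typeof db !== "undefined") {
  const info = db.getSiblingDB("admin").runCommand(
    { rolesInfo: "logrotate", showPrivileges: true });
  print(isLogRotateOnlyRole(info.roles[0])
    ? "ok: role grants logRotate only" : "WARNING: role grants more than logRotate");
}
```

The scheduled task itself only needs to authenticate as logrotateUser and send `logRotateCommand()` via `db.adminCommand`.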

Unfortunately, this mechanism cannot currently be used for an arbiter, because an arbiter does not have a copy of the admin database, so you cannot authenticate when connecting to it. We do have an open enhancement request to implement this feature.

The relevant tickets are:

- SERVER-23443 - describes the behavior we want. It was closed as a duplicate of SERVER-5479.
- SERVER-5479 - includes other aspects as well.

Assignee: Unassigned
Reporter: Arnie Listhaus (arnie.listhaus@mongodb.com)
Votes: 0
Watchers: 6