Skip to main content

anacron daily error logrotate

Comments

16 comments

  • andrew.n
    What is the first line in the file of /usr/local/apache/logs/modsec_audit.log?
    0
  • leonep
    here it is --bc6b857b-A-- [22/Mar/2021:17:18:24 +0100] YFjDP5lc4aiiIO2SDMim@wAAAMw xxxxxxxxxx57974 51.255.136.87 80 --bc6b857b-B-- HEAD /wp-config.php~ HTTP/1.1 Host: xxxxxxxxxxxxx.it thanks
    0
  • andrew.n
    my bad sorry...what is the content of "modsecurity_logs" file?
    0
  • cPRex Jurassic Moderator
    Our configuration file should be at /usr/local/cpanel/etc/logrotate.d/modsecurity_logs. Can you post the contents of that?
    0
  • leonep
    thanks for help . here is it /usr/local/apache/logs/modsec_audit.log { rotate 15 size=300M missingok compress postrotate /usr/local/cpanel/scripts/restartsrv_httpd &> /dev/null || true /usr/local/cpanel/scripts/restartsrv_tailwatchd &> /dev/null || true endscript }
    0
  • andrew.n
    Can you remove "/usr/local/apache/logs/modsec_audit.log" from that file and leave only this? { rotate 15 size=300M missingok compress postrotate /usr/local/cpanel/scripts/restartsrv_httpd &> /dev/null || true /usr/local/cpanel/scripts/restartsrv_tailwatchd &> /dev/null || true endscript }
    0
  • cPRex Jurassic Moderator
    @andrew.n - that actually looks like the default file, so it's likely something else happening. @leonep - it might be a good idea to open a ticket for this one to have us check.
    0
  • leonep
    the solution is very simple (thanks to cpanel support :) ) i append here, i hope it help someone: The error is reporting that two different configurations are trying to rotate the same file: [12:58:20 gemini root@94359182 /etc/logrotate.d]cPs# grep '/usr/local/apache/logs/modsec_audit.log' * httpd:/usr/local/apache/logs/modsec_audit.log modsecurity_logs:/usr/local/apache/logs/modsec_audit.log { Shown above, both the httpd and modsecurity_logs configurations are attempting to rotate this log, however, the second attempt is being skipped. If you'd like to remove this warning, you can remove the second check: mv /etc/logrotate.d/modsecurity_logs /root/modsecurity_logs.logrotate.bak thanks
    0
  • cPRex Jurassic Moderator
    Thanks for posting that!
    0
  • bloatedstoat
    Thanks for posting this solution, it helped me solve the very same issue today.
    0
  • bloatedstoat
    Actually, no it didn't fix it permanently. I've executed mv /etc/logrotate.d/modsecurity_logs /root/modsecurity_logs.logrotate.bak twice now and then it happens again. Is there a script that would replace the /etc/logrotate.d/modsecurity_logs file if it is missing? That's what's happening here. The notification is only an inconvenience though as I can see the log file itself is being rotated. Thanks.
    0
  • cPRex Jurassic Moderator
    Hey there! Yes, the nightly update would replace that file if it is missing. Can you run the following command so we can see where the duplicate entry is? grep '/usr/local/apache/logs/modsec_audit.log' /etc/logrotate.d/*
    0
  • bloatedstoat
    Thanks @cPRex Here's the output: grep '/usr/local/apache/logs/modsec_audit.log' /etc/logrotate.d/* /etc/logrotate.d/httpd:/usr/local/apache/logs/modsec_audit.log /etc/logrotate.d/modsecurity_logs:/usr/local/apache/logs/modsec_audit.log {
    Cheers.
    0
  • cPRex Jurassic Moderator
    By default, it seems we actually don't include the httpd section in logrotate. Can you try removing that modsec audit line from the httpd file instead, and then running "/scripts/upcp --force" to ensure that doesn't get recreated?
    0
  • bloatedstoat
    @cPRex that did the trick, thank you.
    0
  • cPRex Jurassic Moderator
    Glad to hear it!
    0

Please sign in to leave a comment.