anacron daily error logrotate
Hi,
One of my boxes sometimes shows an error on cron daily.
I have no idea what it is.
/etc/cron.daily/logrotate:
error: modsecurity_logs:1 duplicate log entry for /usr/local/apache/logs/modsec_audit.log
error: found error in file modsecurity_logs, skipping
Do you think this needs more investigation?
What is the first line in the file of /usr/local/apache/logs/modsec_audit.log?
Here it is:
    --bc6b857b-A--
    [22/Mar/2021:17:18:24 +0100] YFjDP5lc4aiiIO2SDMim@wAAAMw xxxxxxxxxx57974 51.255.136.87 80
    --bc6b857b-B--
    HEAD /wp-config.php~ HTTP/1.1
    Host: xxxxxxxxxxxxx.it
Thanks
My bad, sorry... what is the content of the "modsecurity_logs" file?
Our configuration file should be at /usr/local/cpanel/etc/logrotate.d/modsecurity_logs. Can you post the contents of that?
Thanks for the help. Here it is:
    /usr/local/apache/logs/modsec_audit.log {
        rotate 15
        size=300M
        missingok
        compress
        postrotate
            /usr/local/cpanel/scripts/restartsrv_httpd &> /dev/null || true
            /usr/local/cpanel/scripts/restartsrv_tailwatchd &> /dev/null || true
        endscript
    }
Can you remove "/usr/local/apache/logs/modsec_audit.log" from that file and leave only this?
    {
        rotate 15
        size=300M
        missingok
        compress
        postrotate
            /usr/local/cpanel/scripts/restartsrv_httpd &> /dev/null || true
            /usr/local/cpanel/scripts/restartsrv_tailwatchd &> /dev/null || true
        endscript
    }
@andrew.n - that actually looks like the default file, so it's likely something else happening. @leonep - it might be a good idea to open a ticket for this one to have us check.
The solution is very simple (thanks to cPanel support :) ). I append it here; I hope it helps someone:
The error is reporting that two different configurations are trying to rotate the same file:
    [12:58:20 gemini root@94359182 /etc/logrotate.d]cPs# grep '/usr/local/apache/logs/modsec_audit.log' *
    httpd:/usr/local/apache/logs/modsec_audit.log
    modsecurity_logs:/usr/local/apache/logs/modsec_audit.log {
Shown above, both the httpd and modsecurity_logs configurations are attempting to rotate this log, however, the second attempt is being skipped. If you'd like to remove this warning, you can remove the second check:
    mv /etc/logrotate.d/modsecurity_logs /root/modsecurity_logs.logrotate.bak
Thanks
Thanks for posting that!
Thanks for posting this solution, it helped me solve the very same issue today.
Actually, no it didn't fix it permanently. I've executed mv /etc/logrotate.d/modsecurity_logs /root/modsecurity_logs.logrotate.bak twice now and then it happens again. Is there a script that would replace the /etc/logrotate.d/modsecurity_logs file if it is missing? That's what's happening here. The notification is only an inconvenience though as I can see the log file itself is being rotated. Thanks.
Hey there! Yes, the nightly update would replace that file if it is missing. Can you run the following command so we can see where the duplicate entry is?
    grep '/usr/local/apache/logs/modsec_audit.log' /etc/logrotate.d/*
Thanks @cPRex. Here's the output:
    grep '/usr/local/apache/logs/modsec_audit.log' /etc/logrotate.d/*
    /etc/logrotate.d/httpd:/usr/local/apache/logs/modsec_audit.log
    /etc/logrotate.d/modsecurity_logs:/usr/local/apache/logs/modsec_audit.log {
Cheers.
By default, it seems we actually don't include the httpd section in logrotate. Can you try removing that modsec audit line from the httpd file instead, and then running "/scripts/upcp --force" to ensure that doesn't get recreated?
@cPRex that did the trick, thank you.
Glad to hear it!
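
An added example, not part of the thread and not cPanel's code: a POSIX shell check that lists every log path declared by more than one file in a logrotate.d directory, which is the condition behind the "duplicate log entry" error above. The function names and the sample httpd file are assumptions constructed for illustration; only literal paths are compared, so overlaps created by globs are not detected.

```shell
#!/bin/sh
# Added example (not cPanel's code): report log paths declared by more than
# one logrotate config, the condition behind "duplicate log entry".
# Compares literal paths only; overlaps created by globs are not expanded.

# list_declared_paths FILE -> "path<TAB>file" for each path outside a { } block
list_declared_paths() {
    awk -v file="$(basename "$1")" '
        inscript { if ($1 == "endscript") inscript = 0; next }  # skip script bodies
        { sub(/#.*/, "") }                                      # strip comments
        depth {                                                 # inside a { ... } block
            if ($1 ~ /^(prerotate|postrotate|firstaction|lastaction|preremove)$/) inscript = 1
            else if ($1 == "}") depth = 0
            next
        }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { depth = 1; break }
                if ($i ~ /^"?\//) { gsub(/"/, "", $i); print $i "\t" file }
            }
        }' "$1"
}

# find_duplicate_paths DIR -> one "path: fileA fileB" line per duplicated path
find_duplicate_paths() {
    for f in "$1"/*; do
        [ -f "$f" ] && list_declared_paths "$f"
    done | LC_ALL=C sort | awk -F '\t' '
        { n[$1]++; who[$1] = (n[$1] > 1) ? (who[$1] " " $2) : $2 }
        END { for (p in n) if (n[p] > 1) print p ": " who[p] }' | LC_ALL=C sort
}

# Constructed sample directory: modsecurity_logs follows the file posted in
# the thread; the httpd file is a hypothetical stand-in (its real contents
# are not shown on the page).
make_sample() {
    printf '%s\n' '/usr/local/apache/logs/access_log' \
        '/usr/local/apache/logs/modsec_audit.log' '{' '    weekly' \
        '    postrotate' '        if true; then { :; } fi' '    endscript' '}' > "$1/httpd"
    printf '%s\n' '/usr/local/apache/logs/modsec_audit.log {' '    rotate 15' \
        '    size=300M' '    missingok' '    compress' '}' > "$1/modsecurity_logs"
}

sample=$(mktemp -d) && make_sample "$sample"
find_duplicate_paths "$sample"
rm -rf "$sample"
```

On a live server the call would be `find_duplicate_paths /etc/logrotate.d`; an empty result means no literal path is declared twice.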