Skip to main content

Anyone ever seen this cron daily logrotate error?

Comments

24 comments

  • verdon
    I'm seeing this too, and also don't see any cause at this time. I find the error message text a little misleading though. I'll let you know if I find anything.
    0
  • Metro2
    Thank you for replying, it really helps to know that I'm not alone in this. I'm still baffled by the error and have checked everything I can think of related to the text in the alerts. I look forward to your updates and I'll post here when I have anything new to add as well.
    0
  • verdon
    I haven't figured out what the error is really telling me yet, but it does look like the mod_sec_audit log is actually rotating.
    0
  • cPanelMichael
    Hello :) You can remove the custom entry at /etc/logrotate.d/modsecurity_log because it's already rotated as of cPanel version 11.50 with the addition of the /usr/local/cpanel/etc/logrotate.d/modsecurity_logs file. Thank you.
    0
  • sneader
    Thanks for this, Michael. I was getting the same errors. One small difference for me... The entry I had to remove was: /etc/logrotate.d/modsecurity_logs Mine was plural in both locations (logs vs log) - Scott
    0
  • cPanelMichael
    Yes, it's possible the custom LogRotate entry will be under a different name, as it's created manually with no standard name. Thank you for the additional details.
    0
  • ramorse
    So, I can just remove the file /etc/logrotate.d/modsecurity_logs or do I edit the file?
    0
  • cPanelMichael
    You can remove it, but you may simply want to remove the entry for "/usr/local/apache/logs/modsec_audit.log" within the file if you use it to rotate other mod_security logs. Thank you.
    0
  • ttremain
    In my case, it's duplicated by the /etc/logrotate.d/httpd file: /usr/local/apache/logs/*log { missingok notifempty sharedscripts compress lastaction /etc/init.d/httpd restart > /dev/null 2>&1 endscript }
    0
  • cPanelMichael
    New In my case, it's duplicated by the /etc/logrotate.d/httpd file:

    You may want to modify that file so that it rotates specific logs instead of all log files in that directory. Keep in mind you can also control rotation for some of the Apache logs via: "WHM Home " Service Configuration " Apache Configuration " Log Rotation" Thank you.
    0
  • sneader
    Michael, I think your solution of removing the file isn't working. cPanel keeps putting the /etc/logrotate.d/modsecurity_logs back into place. I think it is replacing it every time cPanel is updated via upcp. What is a more permanent solution? To summarize, cPanel is trying to rotate modsec_audit.log in TWO places: /usr/local/cpanel/etc/logrotate.d/modsecurity_logs /etc/logrotate.d/modsecurity_logs Attempts to remove the 2nd file results in a temporary solution, until cPanel puts it back again. - Scott
    0
  • Metro2
    Michael, I think your solution of removing the file isn't working. cPanel keeps putting the /etc/logrotate.d/modsecurity_logs back into place. I think it is replacing it every time cPanel is updated via upcp. What is a more permanent solution? To summarize, cPanel is trying to rotate modsec_audit.log in TWO places: /usr/local/cpanel/etc/logrotate.d/modsecurity_logs /etc/logrotate.d/modsecurity_logs Attempts to remove the 2nd file results in a temporary solution, until cPanel puts it back again. - Scott

    Same here.
    0
  • cPanelMichael
    I've opened internal case number CPANEL-2114 to determine if there's any specific reason why this log file is configured for rotation in multiple locations. I will update this thread with more information as it becomes available. In the meantime, can you confirm that you still receive the email warning notification, even when it's just these two logrotate configurations in place? Thank you.
    0
  • cPanelKenneth
    The duplicate log entry message is logrotate's way of informing you that two or more configuration files are trying to rotate the same log. Please check the other logrotate configuration files for another that manages files in /usr/local/apache/logs. Also, the files in /usr/local/cpanel/etc/logrotate.d/ are not used by logrotate. During upcp they get copied into /etc/logrotate.d.
    0
  • Metro2
    In the meantime, can you confirm that you still receive the email warning notification, even when it's just these two logrotate configurations in place?

    Hi cPanelMichael, In case this information helps: Ever morning around 5am EDT I receive the following email notice from root Cron Daemon: Cron run-parts /etc/cron.daily /etc/cron.daily/logrotate: error: modsecurity_logs:1 duplicate log entry for /usr/local/apache/logs/modsec_ audit.log error: found error in /usr/local/apache/logs/modsec_audit.log, skipping The contents of my /etc/logrotate.d/modsecurity_logs file is this: /usr/local/apache/logs/modsec_audit.log { rotate 15 size=300M missingok compress postrotate /usr/local/cpanel/scripts/restartsrv_httpd 2> /dev/null > /dev/null || true endscript } /etc/logrotate.d/modsecurity_logs (END) My WHM > Service Configuration > Apache Configuration > Log Rotation looks like this: Apache Log Rotation Configuration Files from /usr/local/apache/logs selected below will be rotated based upon their size. The rotated files will be compressed and stored in /usr/local/apache/logs/archive/. The files are named to include the month in which they are rotated. Consequently, the file names do not relate in any way to the content of the file being rotated. Files are only rotated when they grow larger than the WHM >> Tweak Settings >> Log Rotation Size Threshold or the default of 300MB. The archived log files are left in place indefinitely. Files not chosen here will not ever be rotated by cPanel software. Checked - access_log (in rotation) Checked - error_log (in rotation) Not Checked - modsec_debug_log Checked - suexec_log (in rotation) Not Checked - suexec_log.offset Checked - suphp_log (in rotation) My WHM Server Configuration > Tweak Settings > Log Rotation Size Threshold set: Log rotation size threshold - 50MB So it seems a little strange that even though I've had "Log rotation size threshold" set to 50MB for over a year now, and even though I've removed the /etc/logrotate.d/modsecurity_logs file, it keeps coming back and it keeps populating with that /usr/local/apache/logs/modsec_audit.log along with size=300M parameter. I've checked the contents of every file in /etc/logrotate.d and the only one with anything appearing related to this is /etc/logrotate.d/modsecurity_logs Is there anything else I can check for you to provide you with more info that might help? Thank you guys for helping look into this!
    0
  • cPanelMichael
    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you.
    0
  • sneader
    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Ticket #7360209 opened. - Scott
    0
  • sneader
    Update on my situation: Thanks to Brian D. at cPanel support, I believe we have this sorted out. It is helpful to know that there are 3 different places/things to look at, for log rotation. One you look at all of these, you are bound to find the culprit, responsible for the duplicate attempts to rotate a certain log: WHM -> Apache Configuration -> Log Rotation: Uses cpanellogd to Rotate logs (if selected) in /usr/local/apache/logs/ WHM -> cPanel Log rotation Configuration: Uses cpanellogd to Rotate logs (if selected) in /usr/local/cpanel/logs/ Logrotate Utility: Queued up to run via cron in /etc/cron.daily/logrotate Initial configuration of Logrotate is done in /etc/logrotate.conf The Logrotate utility reads config files inside /etc/logrotate.d/ and rotates according to the data in those config files. In my case, Brian tracked my problem down to TWO entries in /etc/logrotate.d/ that were conflicting:
      ]
    • I had a file called /etc/logrotate.d/httpd and inside that file, it was rotating "/usr/local/apache/logs/*log". Notice the asterisk! So, that one file was trying to rotate EVERY file in /usr/local/apache/logs/ that ended with log.
    • cPanel added a new file in 11.50 called /etc/logrotate.d/modsecurity_logs, and inside that file it rotates "/usr/local/apache/logs/modsec_audit.log".
    As you can see, these are conflicting.... they both matched /usr/local/apache/logs/modsec_audit.log. My solution was to remove /etc/logrotate.d/httpd, as we believe that all log files in /usr/local/apache/logs/ are already being rotated via the configuration in "WHM -> Apache Configuration -> Log Rotation", with the exception of modsec_audit.log, which is rotated via "/etc/logrotate.d/modsecurity_logs". I am not sure why cPanel doesn't just add a modsec_audit.log checkbox to "WHM -> Apache Configuration -> Log Rotation", but there you go! Problem solved. - Scott
    0
  • cPanelMichael
    I had a file called /etc/logrotate.d/httpd and inside that file, it was rotating "/usr/local/apache/logs/*log". Notice the asterisk! So, that one file was trying to rotate EVERY file in /usr/local/apache/logs/ that ended with log.

    I am happy to see the issue is now resolved. Thank you for updating us with the outcome.
    0
  • Metro2
    Thanks for taking the time for the detailed reply sneader / Scott. Much appreciated. Based on your post I've done this: mv /etc/logrotate.d/httpd /etc/logrotate.d/httpd_BACKUP And will see how it works out after a couple days. One thing that I've discovered since I started this thread - recently a bit over a month ago I added a new server to my network and it ran for 3 weeks without any occurrence of this issue. Then I had the CSF/LFD & Mailscanner scripts package installed, and the very next day started getting these alerts. Now, I'm not blaming the CSF packages and indeed it's an excellent product that I wouldn't live without, but my experience would suggest that it might be somehow somehow related.
    0
  • verdon
    Update on my situation: Thanks to Brian D. at cPanel support, I believe we have this sorted out. My solution was to remove /etc/logrotate.d/httpd, as we believe that all log files in /usr/local/apache/logs/ are already being rotated via the configuration in "WHM -> Apache Configuration -> Log Rotation", with the exception of modsec_audit.log, which is rotated via "/etc/logrotate.d/modsecurity_logs". I am not sure why cPanel doesn't just add a modsec_audit.log checkbox to "WHM -> Apache Configuration -> Log Rotation", but there you go! Problem solved. - Scott

    What's interesting about this... I just went to look over my server, to compare it to your experience. When looking at "WHM -> Apache Configuration -> Log Rotation" there's a message that says in part... "The rotated files will be compressed and stored in /usr/local/apache/logs/archive/" although everything appears to be configured properly, there is in fact no directory /usr/local/apache/logs/archive/ on my server, and it seems to me that the only compressed and backed logs I have are the ones being created by the configuration in /etc/logrotate.d/httpd which are stored in /usr/local/apache/logs/. You should check yours to be sure you are actually getting rotation, now that you have removed /etc/logrotate.d/httpd. In my case, it seems I would not.
    0
  • cPanelMichael
    "The rotated files will be compressed and stored in /usr/local/apache/logs/archive/" although everything appears to be configured properly, there is in fact no directory /usr/local/apache/logs/archive/

    The logs won't rotate if they have not reached the configured threshold size, which is possible if they are manually configured to rotate through LogRotate itself. Thank you.
    0
  • Rakibur Rahman
    I am getting following error daily: /etc/cron.daily/logrotate: error: mysqld:21 duplicate log entry for /var/lib/mysql/mysqld.log /etc/cron.daily/logrotate looks like below
    #!/bin/sh export TMPDIR=/var/spool/logrotate/tmp /usr/sbin/logrotate /etc/logrotate.conf EXITVALUE=$? if [ $EXITVALUE != 0 ]; then /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]" fi exit 0
    0
  • cPanelMichael
    error: mysqld:21 duplicate log entry for /var/lib/mysql/mysqld.log

    The /etc/logrotate.d/mysql file should handle the MySQL log rotation configuration automatically. Are you rotating this log file with additional rules in the /etc/cron.daily/logrotate file, or in any other custom logrotate configuration file? Thank you.
    0

Please sign in to leave a comment.