Anyone ever seen this cron daily logrotate error?
Right around July 11th after a cPanel update I started to experience some unusual issues / notices from my servers, and this one still has me chasing my tail.
I'm wondering if anyone else here has ever encountered this - each day I receive an email notice from Cron run-parts /etc/cron.daily with the following error:
/etc/cron.daily/logrotate:
error: modsecurity_logs:1 duplicate log entry for /usr/local/apache/logs/modsec_audit.log
error: found error in /usr/local/apache/logs/modsec_audit.log, skipping
Trying to avoid submitting a ticket to cPanel support if I can so I'm checking here in hopes that someone recognizes this issue and knows the solution.
I've checked a few things in /etc/logrotated.conf and /etc/logrotate.d/ and as far as I can tell, nothing unusual.
The /etc/logrotate.conf looks like this:
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
minsize 1M
create 0664 root utmp
rotate 1
}
/var/log/btmp {
missingok
monthly
minsize 1M
create 0600 root utmp
rotate 1
}
# system-specific logs may be also be configured here.
/var/lib/mysql/metro9-slow.log {
missingok
weekly
minsize 1M
create 0660 mysql mysql
rotate 4
}
And /etc/logrotate.d/modsecurity_log looks like this:
/usr/local/apache/logs/modsec_audit.log {
rotate 15
size=300M
missingok
compress
postrotate
/usr/local/cpanel/scripts/restartsrv_httpd 2> /dev/null > /dev/null || true
endscript
}
Anyone else ever run into this?
-
I'm seeing this too, and also don't see any cause at this time. I find the error message text a little misleading though. I'll let you know if I find anything. 0 -
Thank you for replying, it really helps to know that I'm not alone in this. I'm still baffled by the error and have checked everything I can think of related to the text in the alerts. I look forward to your updates and I'll post here when I have anything new to add as well. 0 -
I haven't figured out what the error is really telling me yet, but it does look like the mod_sec_audit log is actually rotating. 0 -
Hello :) You can remove the custom entry at /etc/logrotate.d/modsecurity_log because it's already rotated as of cPanel version 11.50 with the addition of the /usr/local/cpanel/etc/logrotate.d/modsecurity_logs file. Thank you. 0 -
Thanks for this, Michael. I was getting the same errors. One small difference for me... The entry I had to remove was: /etc/logrotate.d/modsecurity_logs Mine was plural in both locations (logs vs log) - Scott 0 -
Yes, it's possible the custom LogRotate entry will be under a different name, as it's created manually with no standard name. Thank you for the additional details. 0 -
So, I can just remove the file /etc/logrotate.d/modsecurity_logs or do I edit the file? 0 -
You can remove it, but you may simply want to remove the entry for "/usr/local/apache/logs/modsec_audit.log" within the file if you use it to rotate other mod_security logs. Thank you. 0 -
In my case, it's duplicated by the /etc/logrotate.d/httpd file: /usr/local/apache/logs/*log { missingok notifempty sharedscripts compress lastaction /etc/init.d/httpd restart > /dev/null 2>&1 endscript } 0 -
New In my case, it's duplicated by the /etc/logrotate.d/httpd file:
You may want to modify that file so that it rotates specific logs instead of all log files in that directory. Keep in mind you can also control rotation for some of the Apache logs via: "WHM Home " Service Configuration " Apache Configuration " Log Rotation" Thank you.0 -
Michael, I think your solution of removing the file isn't working. cPanel keeps putting the /etc/logrotate.d/modsecurity_logs back into place. I think it is replacing it every time cPanel is updated via upcp. What is a more permanent solution? To summarize, cPanel is trying to rotate modsec_audit.log in TWO places: /usr/local/cpanel/etc/logrotate.d/modsecurity_logs /etc/logrotate.d/modsecurity_logs Attempts to remove the 2nd file results in a temporary solution, until cPanel puts it back again. - Scott 0 -
Michael, I think your solution of removing the file isn't working. cPanel keeps putting the /etc/logrotate.d/modsecurity_logs back into place. I think it is replacing it every time cPanel is updated via upcp. What is a more permanent solution? To summarize, cPanel is trying to rotate modsec_audit.log in TWO places: /usr/local/cpanel/etc/logrotate.d/modsecurity_logs /etc/logrotate.d/modsecurity_logs Attempts to remove the 2nd file results in a temporary solution, until cPanel puts it back again. - Scott
Same here.0 -
I've opened internal case number CPANEL-2114 to determine if there's any specific reason why this log file is configured for rotation in multiple locations. I will update this thread with more information as it becomes available. In the meantime, can you confirm that you still receive the email warning notification, even when it's just these two logrotate configurations in place? Thank you. 0 -
The duplicate log entry message is logrotate's way of informing you that two or more configuration files are trying to rotate the same log. Please check the other logrotate configuration files for another that manages files in /usr/local/apache/logs. Also, the files in /usr/local/cpanel/etc/logrotate.d/ are not used by logrotate. During upcp they get copied into /etc/logrotate.d. 0 -
In the meantime, can you confirm that you still receive the email warning notification, even when it's just these two logrotate configurations in place?
Hi cPanelMichael, In case this information helps: Ever morning around 5am EDT I receive the following email notice from root Cron Daemon: Cron run-parts /etc/cron.daily /etc/cron.daily/logrotate: error: modsecurity_logs:1 duplicate log entry for /usr/local/apache/logs/modsec_ audit.log error: found error in /usr/local/apache/logs/modsec_audit.log, skipping The contents of my /etc/logrotate.d/modsecurity_logs file is this: /usr/local/apache/logs/modsec_audit.log { rotate 15 size=300M missingok compress postrotate /usr/local/cpanel/scripts/restartsrv_httpd 2> /dev/null > /dev/null || true endscript } /etc/logrotate.d/modsecurity_logs (END) My WHM > Service Configuration > Apache Configuration > Log Rotation looks like this: Apache Log Rotation Configuration Files from /usr/local/apache/logs selected below will be rotated based upon their size. The rotated files will be compressed and stored in /usr/local/apache/logs/archive/. The files are named to include the month in which they are rotated. Consequently, the file names do not relate in any way to the content of the file being rotated. Files are only rotated when they grow larger than the WHM >> Tweak Settings >> Log Rotation Size Threshold or the default of 300MB. The archived log files are left in place indefinitely. Files not chosen here will not ever be rotated by cPanel software. Checked - access_log (in rotation) Checked - error_log (in rotation) Not Checked - modsec_debug_log Checked - suexec_log (in rotation) Not Checked - suexec_log.offset Checked - suphp_log (in rotation) My WHM Server Configuration > Tweak Settings > Log Rotation Size Threshold set: Log rotation size threshold - 50MB So it seems a little strange that even though I've had "Log rotation size threshold" set to 50MB for over a year now, and even though I've removed the /etc/logrotate.d/modsecurity_logs file, it keeps coming back and it keeps populating with that /usr/local/apache/logs/modsec_audit.log along with size=300M parameter. I've checked the contents of every file in /etc/logrotate.d and the only one with anything appearing related to this is /etc/logrotate.d/modsecurity_logs Is there anything else I can check for you to provide you with more info that might help? Thank you guys for helping look into this!0 -
Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you. 0 -
Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.
Ticket #7360209 opened. - Scott0 -
Update on my situation: Thanks to Brian D. at cPanel support, I believe we have this sorted out. It is helpful to know that there are 3 different places/things to look at, for log rotation. One you look at all of these, you are bound to find the culprit, responsible for the duplicate attempts to rotate a certain log: WHM -> Apache Configuration -> Log Rotation: Uses cpanellogd to Rotate logs (if selected) in /usr/local/apache/logs/ WHM -> cPanel Log rotation Configuration: Uses cpanellogd to Rotate logs (if selected) in /usr/local/cpanel/logs/ Logrotate Utility: Queued up to run via cron in /etc/cron.daily/logrotate Initial configuration of Logrotate is done in /etc/logrotate.conf The Logrotate utility reads config files inside /etc/logrotate.d/ and rotates according to the data in those config files. In my case, Brian tracked my problem down to TWO entries in /etc/logrotate.d/ that were conflicting: - ]
- I had a file called /etc/logrotate.d/httpd and inside that file, it was rotating "/usr/local/apache/logs/*log". Notice the asterisk! So, that one file was trying to rotate EVERY file in /usr/local/apache/logs/ that ended with log.
- cPanel added a new file in 11.50 called /etc/logrotate.d/modsecurity_logs, and inside that file it rotates "/usr/local/apache/logs/modsec_audit.log".
0 -
I had a file called /etc/logrotate.d/httpd and inside that file, it was rotating "/usr/local/apache/logs/*log". Notice the asterisk! So, that one file was trying to rotate EVERY file in /usr/local/apache/logs/ that ended with log.
I am happy to see the issue is now resolved. Thank you for updating us with the outcome.0 -
Thanks for taking the time for the detailed reply sneader / Scott. Much appreciated. Based on your post I've done this: mv /etc/logrotate.d/httpd /etc/logrotate.d/httpd_BACKUP And will see how it works out after a couple days. One thing that I've discovered since I started this thread - recently a bit over a month ago I added a new server to my network and it ran for 3 weeks without any occurrence of this issue. Then I had the CSF/LFD & Mailscanner scripts package installed, and the very next day started getting these alerts. Now, I'm not blaming the CSF packages and indeed it's an excellent product that I wouldn't live without, but my experience would suggest that it might be somehow somehow related. 0 -
Update on my situation: Thanks to Brian D. at cPanel support, I believe we have this sorted out. My solution was to remove /etc/logrotate.d/httpd, as we believe that all log files in /usr/local/apache/logs/ are already being rotated via the configuration in "WHM -> Apache Configuration -> Log Rotation", with the exception of modsec_audit.log, which is rotated via "/etc/logrotate.d/modsecurity_logs". I am not sure why cPanel doesn't just add a modsec_audit.log checkbox to "WHM -> Apache Configuration -> Log Rotation", but there you go! Problem solved. - Scott
What's interesting about this... I just went to look over my server, to compare it to your experience. When looking at "WHM -> Apache Configuration -> Log Rotation" there's a message that says in part... "The rotated files will be compressed and stored in /usr/local/apache/logs/archive/" although everything appears to be configured properly, there is in fact no directory /usr/local/apache/logs/archive/ on my server, and it seems to me that the only compressed and backed logs I have are the ones being created by the configuration in /etc/logrotate.d/httpd which are stored in /usr/local/apache/logs/. You should check yours to be sure you are actually getting rotation, now that you have removed /etc/logrotate.d/httpd. In my case, it seems I would not.0 -
"The rotated files will be compressed and stored in /usr/local/apache/logs/archive/" although everything appears to be configured properly, there is in fact no directory /usr/local/apache/logs/archive/
The logs won't rotate if they have not reached the configured threshold size, which is possible if they are manually configured to rotate through LogRotate itself. Thank you.0 -
I am getting following error daily: /etc/cron.daily/logrotate: error: mysqld:21 duplicate log entry for /var/lib/mysql/mysqld.log /etc/cron.daily/logrotate looks like below #!/bin/sh export TMPDIR=/var/spool/logrotate/tmp /usr/sbin/logrotate /etc/logrotate.conf EXITVALUE=$? if [ $EXITVALUE != 0 ]; then /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]" fi exit 0
0 -
error: mysqld:21 duplicate log entry for /var/lib/mysql/mysqld.log
The /etc/logrotate.d/mysql file should handle the MySQL log rotation configuration automatically. Are you rotating this log file with additional rules in the /etc/cron.daily/logrotate file, or in any other custom logrotate configuration file? Thank you.0
Please sign in to leave a comment.
Comments
24 comments