Linux – Logrotate Service Failure

Tags: linux, logrotate

My logrotate service fails. It complains about a duplicate entry for modsecurity.

    ● logrotate.service - Rotate log files
       Loaded: loaded (/lib/systemd/system/logrotate.service; static; vendor preset: enabled)
       Active: failed (Result: exit-code) since Tue 2021-06-08 14:22:07 CST; 2h 54min ago
         Docs: man:logrotate(8)
               man:logrotate.conf(5)
     Main PID: 15370 (code=exited, status=1/FAILURE)
    
    Jun 08 14:22:07 server1.example.com systemd[1]: Starting Rotate log files...
    Jun 08 14:22:07 server1.example.com logrotate[15370]: error: modsecurity:1 duplicate log entry for /var/log/apache2/modsec_audit.log
    Jun 08 14:22:07 server1.example.com logrotate[15370]: error: found error in file modsecurity, skipping
    Jun 08 14:22:07 server1.example.com systemd[1]: logrotate.service: Main process exited, code=exited, status=1/FAILURE
    Jun 08 14:22:07 server1.example.com systemd[1]: logrotate.service: Failed with result 'exit-code'.
    Jun 08 14:22:07 server1.example.com systemd[1]: Failed to start Rotate log files.

However, /etc/logrotate.d/modsecurity doesn't contain any duplicates:

    /var/log/apache2/modsec_audit.log
    {
            rotate 14
            daily
            missingok
            compress
            delaycompress
            notifempty
    }

Any thoughts?

UPDATE:

    # grep -r 'modsec_audit.log' /etc/
    /etc/logrotate.d/modsecurity:/var/log/apache2/modsec_audit.log
    /etc/modsecurity/modsecurity.conf:SecAuditLog /var/log/apache2/modsec_audit.log
    /etc/modsecurity/modsecurity.conf-recommended:SecAuditLog /var/log/apache2/modsec_audit.log

So I went through:

    /etc/modsecurity/modsecurity.conf:SecAuditLog /var/log/apache2/modsec_audit.log
    /etc/modsecurity/modsecurity.conf-recommended:SecAuditLog /var/log/apache2/modsec_audit.log

and hashed out the modsec_audit.log values, as below:

    #SecAuditLogType Serial
    #SecAuditLog /var/log/apache2/modsec_audit.log

then ran:

    systemctl restart logrotate

Same error.

UPDATE 2:

Following @Nikita Kipriyanov's advice, I went through and completely hashed out /etc/logrotate.d/modsecurity, and now logrotate executes successfully (all modsec logs hashed out):

    # systemctl status logrotate
    ● logrotate.service - Rotate log files
         Loaded: loaded (/lib/systemd/system/logrotate.service; static; vendor preset: enabled)
         Active: inactive (dead) since Thu 2021-06-10 09:36:53 CST; 52s ago
           Docs: man:logrotate(8)
                 man:logrotate.conf(5)
        Process: 20308 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=0/SUCCESS)
       Main PID: 20308 (code=exited, status=0/SUCCESS)

    Jun 10 09:36:52 tester1.example.com systemd[1]: Starting Rotate log files...
    Jun 10 09:36:53 tester1.example.com systemd[1]: logrotate.service: Succeeded.
    Jun 10 09:36:53 tester1.example.com systemd[1]: Started Rotate log files.

So I enabled the original modsec_audit.log located at /etc/modsecurity/modsecurity.conf to see what would happen. Again, things seem to work correctly:

    systemctl status logrotate
    ● logrotate.service - Rotate log files
         Loaded: loaded (/lib/systemd/system/logrotate.service; static; vendor preset: enabled)
         Active: inactive (dead) since Thu 2021-06-10 09:54:05 CST; 4s ago
           Docs: man:logrotate(8)
                 man:logrotate.conf(5)
        Process: 21452 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=0/SUCCESS)
       Main PID: 21452 (code=exited, status=0/SUCCESS)

    Jun 10 09:54:05 tester1.example.com systemd[1]: Starting Rotate log files...
    Jun 10 09:54:05 tester1.example.com systemd[1]: logrotate.service: Succeeded.
    Jun 10 09:54:05 tester1.example.com systemd[1]: Started Rotate log files.

Same story for /etc/modsecurity/modsecurity-recommended, meaning that the logrotate service only fails when I use /etc/logrotate.d/modsecurity, and the collision has to be a wildcard, as suggested by @Nikita Kipriyanov.

Best Answer

So, the file /var/log/apache2/modsec_audit.log is set up to be rotated by /etc/logrotate.d/modsecurity and by some other file, which covers it with a wildcard. For example, that might be defined as /var/log/apache2/*log, which of course includes this file. I don't know which other logrotate configuration files you have, but chances are high that /etc/logrotate.d/apache2 or something like it has a wildcard.

Therefore, /var/log/apache2/modsec_audit.log will be rotated even if you remove /etc/logrotate.d/modsecurity. Or better, replace it with an empty file (or a file with just a comment containing a link to this SF question and answer, to easily remember what happened). This is the simplest near-term solution to the problem. Alternatively, you might want to keep /var/log/apache2/modsec_audit.log from being caught by the wildcard; there is no way to set excludes for wildcards in logrotate, so you'd end up rewriting the wildcard(s) so that they include all files except this one. I consider this cumbersome.

Also remember that /etc/logrotate.d/modsecurity and the other logrotate configurations were likely installed by some OS packages. Those files will be reinstalled when you update those packages. While a removed file will just be put back into place, an edited file won't. The configuration file protection will kick in, and at least you'll get a notice about the updated configuration and a prompt to resolve it by hand. So "create an empty file" counts as an edit and will save you some hair.

And, to resolve this completely and forever, you should discover which packages these clashing files belong to, and file a bug in your distribution's bug tracker. You may convince them to fix the packages so that updates don't contain these files or the files don't clash, so nothing breaks after an update.
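
The wildcard collision described in the answer can be located by listing every logrotate stanza whose pattern covers the log file. This is an added example, not part of the original question or answer. The function names and the sample file contents are assumptions (the apache2 pattern is the one the answer suggests), and `include` directives are not followed.

```python
import fnmatch
import shlex

SCRIPT_OPENERS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}

def stanza_patterns(text):
    """Return the path patterns that head the stanzas of one logrotate config."""
    patterns, in_stanza, in_script = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_script:                       # embedded shell may contain braces
            in_script = line != "endscript"
        elif in_stanza:
            if line.split()[0] in SCRIPT_OPENERS:
                in_script = True
            elif line.startswith("}"):
                in_stanza = False
        elif line[0] in "/\"'":             # a path; other lines are global directives
            head, brace, rest = line.partition("{")
            patterns.extend(shlex.split(head))
            in_stanza = bool(brace) and "}" not in rest
        elif line.startswith("{"):          # brace on its own line, as in the question
            in_stanza = True
    return patterns

def glob_covers(pattern, path):
    """glob(3)-style match: a wildcard never crosses a '/' boundary."""
    p_parts, f_parts = pattern.split("/"), path.split("/")
    return len(p_parts) == len(f_parts) and all(
        fnmatch.fnmatchcase(f, p) for p, f in zip(p_parts, f_parts))

def find_claims(configs, log_path):
    """Map each config name to the patterns in it that cover log_path."""
    found = {name: [p for p in stanza_patterns(text) if glob_covers(p, log_path)]
             for name, text in configs.items()}
    return {name: hits for name, hits in found.items() if hits}

# Constructed sample; apache2/nginx contents are assumptions, not files from the page.
SAMPLE = {
    "modsecurity": "/var/log/apache2/modsec_audit.log\n{\n    rotate 14\n    daily\n}\n",
    "apache2": "/var/log/apache2/*log {\n    weekly\n    postrotate\n"
               "        [ -x /usr/sbin/apache2ctl ] && { /usr/sbin/apache2ctl graceful; }\n"
               "    endscript\n}\n",
    "nginx": "/var/log/nginx/*.log {\n    daily\n}\n",
}
if __name__ == "__main__":
    for name, hits in find_claims(SAMPLE, "/var/log/apache2/modsec_audit.log").items():
        print(f"{name}: {hits}")
```

On a live host, build the dictionary from /etc/logrotate.conf and the files in /etc/logrotate.d; more than one entry in the result means the log is claimed twice.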