SOLVED anacron daily error logrotate

leonep

Well-Known Member
Nov 18, 2014
242
23
68
Pescara
cPanel Access Level
Root Administrator
hi ,
1 of my boxes sometime shows error on cron daily
i have no idea what is

/etc/cron.daily/logrotate:

error: modsecurity_logs:1 duplicate log entry for /usr/local/apache/logs/modsec_audit.log
error: found error in file modsecurity_logs, skipping

you think this need more investigation?
 
Last edited:

andrew.n

Well-Known Member
Jun 9, 2020
981
362
63
EU
cPanel Access Level
Root Administrator
What is the first line in the file of /usr/local/apache/logs/modsec_audit.log?
 

leonep

Well-Known Member
Nov 18, 2014
242
23
68
Pescara
cPanel Access Level
Root Administrator
here it is

--bc6b857b-A--
[22/Mar/2021:17:18:24 +0100] YFjDP5lc4aiiIO2SDMim@wAAAMw xxxxxxxxxx57974 51.255.136.87 80
--bc6b857b-B--
HEAD /wp-config.php~ HTTP/1.1
Host: xxxxxxxxxxxxx.it


thanks
 

andrew.n

Well-Known Member
Jun 9, 2020
981
362
63
EU
cPanel Access Level
Root Administrator
my bad sorry...what is the content of "modsecurity_logs" file?
 

leonep

Well-Known Member
Nov 18, 2014
242
23
68
Pescara
cPanel Access Level
Root Administrator
thanks for help . here is it

/usr/local/apache/logs/modsec_audit.log {
rotate 15
size=300M
missingok
compress
postrotate
/usr/local/cpanel/scripts/restartsrv_httpd &> /dev/null || true
/usr/local/cpanel/scripts/restartsrv_tailwatchd &> /dev/null || true
endscript
}
 

andrew.n

Well-Known Member
Jun 9, 2020
981
362
63
EU
cPanel Access Level
Root Administrator
Can you remove "/usr/local/apache/logs/modsec_audit.log" from that file and leave only this?

{
rotate 15
size=300M
missingok
compress
postrotate
/usr/local/cpanel/scripts/restartsrv_httpd &> /dev/null || true
/usr/local/cpanel/scripts/restartsrv_tailwatchd &> /dev/null || true
endscript
}
 

leonep

Well-Known Member
Nov 18, 2014
242
23
68
Pescara
cPanel Access Level
Root Administrator
the solution is very simple (thanks to cpanel support :) )
i append here , i hope it help someone:

The error is reporting that two different configurations are trying to rotate the same file:
[12:58:20 gemini root@94359182 /etc/logrotate.d]cPs# grep '/usr/local/apache/logs/modsec_audit.log' *
httpd:/usr/local/apache/logs/modsec_audit.log
modsecurity_logs:/usr/local/apache/logs/modsec_audit.log {
Shown above, both the httpd and modsecurity_logs configurations are attempting to rotate this log, however, the second attempt is being skipped.

If you'd like to remove this warning, you can remove the second check:
mv /etc/logrotate.d/modsecurity_logs /root/modsecurity_logs.logrotate.bak

thanks
 

bloatedstoat

Well-Known Member
Jun 14, 2012
216
33
78
Victoria, Australia
cPanel Access Level
Root Administrator
Actually, no it didn't fix it permanently.

I've executed mv /etc/logrotate.d/modsecurity_logs /root/modsecurity_logs.logrotate.bak twice now and then it happens again.

Is there a script that would replace the /etc/logrotate.d/modsecurity_logs file if it is missing? That's what's happening here.

The notification is only an inconvenience though as I can see the log file itself is being rotated.

Thanks.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,474
2,604
363
cPanel Access Level
Root Administrator
Hey there! Yes, the nightly update would replace that file if it is missing.

Can you run the following command so we can see where the duplicate entry is?

Code:
grep '/usr/local/apache/logs/modsec_audit.log' /etc/logrotate.d/*
 

bloatedstoat

Well-Known Member
Jun 14, 2012
216
33
78
Victoria, Australia
cPanel Access Level
Root Administrator
Thanks @cPRex

Here's the output:


grep '/usr/local/apache/logs/modsec_audit.log' /etc/logrotate.d/*
/etc/logrotate.d/httpd:/usr/local/apache/logs/modsec_audit.log
/etc/logrotate.d/modsecurity_logs:/usr/local/apache/logs/modsec_audit.log {


Cheers.