SOLVED anacron daily error logrotate

[leonep]

hi ,
1 of my boxes sometime shows error on cron daily
i have no idea what is

/etc/cron.daily/logrotate:

error: modsecurity_logs:1 duplicate log entry for /usr/local/apache/logs/modsec_audit.log
error: found error in file modsecurity_logs, skipping

you think this need more investigation?

 

[andrew.n]

What is the first line in the file of /usr/local/apache/logs/modsec_audit.log?

 

[leonep]

here it is

--bc6b857b-A--
[22/Mar/2021:17:18:24 +0100] YFjDP5lc4aiiIO2SDMim@wAAAMw xxxxxxxxxx57974 51.255.136.87 80
--bc6b857b-B--
HEAD /wp-config.php~ HTTP/1.1
Host: xxxxxxxxxxxxx.it


thanks

 

[andrew.n]

my bad sorry...what is the content of "modsecurity_logs" file?

 

[cPRex]

Our configuration file should be at /usr/local/cpanel/etc/logrotate.d/modsecurity_logs. Can you post the contents of that?

 

[leonep]

thanks for help . here is it

/usr/local/apache/logs/modsec_audit.log {
rotate 15
size=300M
missingok
compress
postrotate
/usr/local/cpanel/scripts/restartsrv_httpd &> /dev/null || true
/usr/local/cpanel/scripts/restartsrv_tailwatchd &> /dev/null || true
endscript
}

 

[andrew.n]

Can you remove "/usr/local/apache/logs/modsec_audit.log" from that file and leave only this?

{
rotate 15
size=300M
missingok
compress
postrotate
/usr/local/cpanel/scripts/restartsrv_httpd &> /dev/null || true
/usr/local/cpanel/scripts/restartsrv_tailwatchd &> /dev/null || true
endscript
}

 

[cPRex]

@andrew.n - that actually looks like the default file, so it's likely something else happening. @leonep - it might be a good idea to open a ticket for this one to have us check.

 

[leonep]

the solution is very simple (thanks to cpanel support )
i append here , i hope it help someone:

The error is reporting that two different configurations are trying to rotate the same file:
[12:58:20 gemini root@94359182 /etc/logrotate.d]cPs# grep '/usr/local/apache/logs/modsec_audit.log' *
httpd:/usr/local/apache/logs/modsec_audit.log
modsecurity_logs:/usr/local/apache/logs/modsec_audit.log {
Shown above, both the httpd and modsecurity_logs configurations are attempting to rotate this log, however, the second attempt is being skipped.

If you'd like to remove this warning, you can remove the second check:
mv /etc/logrotate.d/modsecurity_logs /root/modsecurity_logs.logrotate.bak

thanks

 

[cPRex]

Thanks for posting that!

 

[bloatedstoat]

Thanks for posting this solution, it helped me solve the very same issue today.

 

[bloatedstoat]

Actually, no it didn't fix it permanently.

I've executed mv /etc/logrotate.d/modsecurity_logs /root/modsecurity_logs.logrotate.bak twice now and then it happens again.

Is there a script that would replace the /etc/logrotate.d/modsecurity_logs file if it is missing? That's what's happening here.

The notification is only an inconvenience though as I can see the log file itself is being rotated.

Thanks.

 

[cPRex]

Hey there! Yes, the nightly update would replace that file if it is missing.

Can you run the following command so we can see where the duplicate entry is?

grep '/usr/local/apache/logs/modsec_audit.log' /etc/logrotate.d/*

 

[bloatedstoat]

Thanks @cPRex

Here's the output:


grep '/usr/local/apache/logs/modsec_audit.log' /etc/logrotate.d/*
/etc/logrotate.d/httpd:/usr/local/apache/logs/modsec_audit.log
/etc/logrotate.d/modsecurity_logs:/usr/local/apache/logs/modsec_audit.log {


Cheers.

 

[cPRex]

By default, it seems we actually don't include the httpd section in logrotate. Can you try removing that modsec audit line from the httpd file instead, and then running "/scripts/upcp --force" to ensure that doesn't get recreated?

 

[bloatedstoat]

@cPRex that did the trick, thank you.

 

[cPRex]

Glad to hear it!