Anyone ever seen this cron daily logrotate error?

[Metro2]

Right around July 11th after a cPanel update I started to experience some unusual issues / notices from my servers, and this one still has me chasing my tail.

I'm wondering if anyone else here has ever encountered this - each day I receive an email notice from Cron <[email protected]> run-parts /etc/cron.daily with the following error:

/etc/cron.daily/logrotate:

error: modsecurity_logs:1 duplicate log entry for /usr/local/apache/logs/modsec_audit.log
error: found error in /usr/local/apache/logs/modsec_audit.log , skipping

Trying to avoid submitting a ticket to cPanel support if I can so I'm checking here in hopes that someone recognizes this issue and knows the solution.

I've checked a few things in /etc/logrotated.conf and /etc/logrotate.d/ and as far as I can tell, nothing unusual.

The /etc/logrotate.conf looks like this:

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
minsize 1M
create 0664 root utmp
rotate 1
}

/var/log/btmp {
missingok
monthly
minsize 1M
create 0600 root utmp
rotate 1
}

# system-specific logs may be also be configured here.

/var/lib/mysql/metro9-slow.log {
missingok
weekly
minsize 1M
create 0660 mysql mysql
rotate 4
}


And /etc/logrotate.d/modsecurity_log looks like this:

/usr/local/apache/logs/modsec_audit.log {
rotate 15
size=300M
missingok
compress
postrotate
/usr/local/cpanel/scripts/restartsrv_httpd 2> /dev/null > /dev/null || true
endscript
}


Anyone else ever run into this?

 

[verdon]

I'm seeing this too, and also don't see any cause at this time. I find the error message text a little misleading though. I'll let you know if I find anything.

 

[Metro2]

Thank you for replying, it really helps to know that I'm not alone in this.

I'm still baffled by the error and have checked everything I can think of related to the text in the alerts.

I look forward to your updates and I'll post here when I have anything new to add as well.

 

[verdon]

I haven't figured out what the error is really telling me yet, but it does look like the mod_sec_audit log is actually rotating.

 

[cPanelMichael]

Hello

You can remove the custom entry at /etc/logrotate.d/modsecurity_log because it's already rotated as of cPanel version 11.50 with the addition of the /usr/local/cpanel/etc/logrotate.d/modsecurity_logs file.

Thank you.

 

[sneader]

Thanks for this, Michael. I was getting the same errors. One small difference for me... The entry I had to remove was:

/etc/logrotate.d/modsecurity_logs

Mine was plural in both locations (logs vs log)

- Scott

 

[cPanelMichael]

Yes, it's possible the custom LogRotate entry will be under a different name, as it's created manually with no standard name. Thank you for the additional details.

 

[ramorse]

So, I can just remove the file /etc/logrotate.d/modsecurity_logs or do I edit the file?

 

[cPanelMichael]

You can remove it, but you may simply want to remove the entry for "/usr/local/apache/logs/modsec_audit.log" within the file if you use it to rotate other mod_security logs.

Thank you.

 

[ttremain]

In my case, it's duplicated by the /etc/logrotate.d/httpd file:

/usr/local/apache/logs/*log {
missingok
notifempty
sharedscripts
compress
lastaction
/etc/init.d/httpd restart > /dev/null 2>&1
endscript
}

 

[cPanelMichael]

New In my case, it's duplicated by the /etc/logrotate.d/httpd file:

You may want to modify that file so that it rotates specific logs instead of all log files in that directory. Keep in mind you can also control rotation for some of the Apache logs via:

"WHM Home » Service Configuration » Apache Configuration » Log Rotation"

Thank you.

 

[sneader]

Michael, I think your solution of removing the file isn't working. cPanel keeps putting the
/etc/logrotate.d/modsecurity_logs back into place.

I think it is replacing it every time cPanel is updated via upcp. What is a more permanent solution?

To summarize, cPanel is trying to rotate modsec_audit.log in TWO places:

/usr/local/cpanel/etc/logrotate.d/modsecurity_logs
/etc/logrotate.d/modsecurity_logs

Attempts to remove the 2nd file results in a temporary solution, until cPanel puts it back again.

- Scott

 

[Metro2]

Michael, I think your solution of removing the file isn't working. cPanel keeps putting the
/etc/logrotate.d/modsecurity_logs back into place.

I think it is replacing it every time cPanel is updated via upcp. What is a more permanent solution?

To summarize, cPanel is trying to rotate modsec_audit.log in TWO places:

/usr/local/cpanel/etc/logrotate.d/modsecurity_logs
/etc/logrotate.d/modsecurity_logs

Attempts to remove the 2nd file results in a temporary solution, until cPanel puts it back again.

- Scott

Same here.

 

[cPanelMichael]

I've opened internal case number CPANEL-2114 to determine if there's any specific reason why this log file is configured for rotation in multiple locations. I will update this thread with more information as it becomes available. In the meantime, can you confirm that you still receive the email warning notification, even when it's just these two logrotate configurations in place?

Thank you.

 

[cPanelKenneth]

The duplicate log entry message is logrotate's way of informing you that two or more configuration files are trying to rotate the same log. Please check the other logrotate configuration files for another that manages files in /usr/local/apache/logs.

Also, the files in /usr/local/cpanel/etc/logrotate.d/ are not used by logrotate. During upcp they get copied into /etc/logrotate.d.

 

[Metro2]

In the meantime, can you confirm that you still receive the email warning notification, even when it's just these two logrotate configurations in place?

Hi cPanelMichael,

In case this information helps:

Ever morning around 5am EDT I receive the following email notice from root Cron Daemon:

Cron <[email protected]> run-parts /etc/cron.daily

/etc/cron.daily/logrotate:

error: modsecurity_logs:1 duplicate log entry for /usr/local/apache/logs/modsec_
audit.log
error: found error in /usr/local/apache/logs/modsec_audit.log , skipping


The contents of my /etc/logrotate.d/modsecurity_logs file is this:

/usr/local/apache/logs/modsec_audit.log {
rotate 15
size=300M
missingok
compress
postrotate
/usr/local/cpanel/scripts/restartsrv_httpd 2> /dev/null > /dev/null || true
endscript
}
/etc/logrotate.d/modsecurity_logs (END)

My WHM > Service Configuration > Apache Configuration > Log Rotation looks like this:

Apache Log Rotation Configuration

Files from /usr/local/apache/logs selected below will be rotated based upon their size. The rotated files will be compressed and stored in /usr/local/apache/logs/archive/. The files are named to include the month in which they are rotated. Consequently, the file names do not relate in any way to the content of the file being rotated. Files are only rotated when they grow larger than the WHM >> Tweak Settings >> Log Rotation Size Threshold or the default of 300MB. The archived log files are left in place indefinitely. Files not chosen here will not ever be rotated by cPanel software.

Checked - access_log (in rotation)
Checked - error_log (in rotation)
Not Checked - modsec_debug_log
Checked - suexec_log (in rotation)
Not Checked - suexec_log.offset
Checked - suphp_log (in rotation)

My WHM Server Configuration > Tweak Settings > Log Rotation Size Threshold set:

Log rotation size threshold - 50MB

So it seems a little strange that even though I've had "Log rotation size threshold" set to 50MB for over a year now, and even though I've removed the /etc/logrotate.d/modsecurity_logs file, it keeps coming back and it keeps populating with that /usr/local/apache/logs/modsec_audit.log along with size=300M parameter.


I've checked the contents of every file in /etc/logrotate.d and the only one with anything appearing related to this is /etc/logrotate.d/modsecurity_logs

Is there anything else I can check for you to provide you with more info that might help?

Thank you guys for helping look into this!

 

[cPanelMichael]

Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[sneader]

Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Ticket #7360209 opened.

- Scott

 

[sneader]

Update on my situation: Thanks to Brian D. at cPanel support, I believe we have this sorted out.

It is helpful to know that there are 3 different places/things to look at, for log rotation. One you look at all of these, you are bound to find the culprit, responsible for the duplicate attempts to rotate a certain log:

WHM -> Apache Configuration -> Log Rotation:
Uses cpanellogd to Rotate logs (if selected) in /usr/local/apache/logs/

WHM -> cPanel Log rotation Configuration:
Uses cpanellogd to Rotate logs (if selected) in /usr/local/cpanel/logs/

Logrotate Utility:
Queued up to run via cron in /etc/cron.daily/logrotate
Initial configuration of Logrotate is done in /etc/logrotate.conf
The Logrotate utility reads config files inside /etc/logrotate.d/ and rotates according to the data in those config files.

In my case, Brian tracked my problem down to TWO entries in /etc/logrotate.d/ that were conflicting:

1. I had a file called /etc/logrotate.d/httpd and inside that file, it was rotating "/usr/local/apache/logs/*log". Notice the asterisk! So, that one file was trying to rotate EVERY file in /usr/local/apache/logs/ that ended with log.
2. cPanel added a new file in 11.50 called /etc/logrotate.d/modsecurity_logs, and inside that file it rotates "/usr/local/apache/logs/modsec_audit.log".

As you can see, these are conflicting.... they both matched /usr/local/apache/logs/modsec_audit.log.

My solution was to remove /etc/logrotate.d/httpd, as we believe that all log files in /usr/local/apache/logs/ are already being rotated via the configuration in "WHM -> Apache Configuration -> Log Rotation", with the exception of modsec_audit.log, which is rotated via "/etc/logrotate.d/modsecurity_logs". I am not sure why cPanel doesn't just add a modsec_audit.log checkbox to "WHM -> Apache Configuration -> Log Rotation", but there you go! Problem solved.

- Scott

 

[cPanelMichael]

I had a file called /etc/logrotate.d/httpd and inside that file, it was rotating "/usr/local/apache/logs/*log". Notice the asterisk! So, that one file was trying to rotate EVERY file in /usr/local/apache/logs/ that ended with log.

I am happy to see the issue is now resolved. Thank you for updating us with the outcome.