The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Anyone ever seen this cron daily logrotate error?

Discussion in 'General Discussion' started by Metro2, Jul 27, 2015.

Tags:
  1. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Right around July 11th after a cPanel update I started to experience some unusual issues / notices from my servers, and this one still has me chasing my tail.

    I'm wondering if anyone else here has ever encountered this - each day I receive an email notice from Cron <root@hostname> run-parts /etc/cron.daily with the following error:

    /etc/cron.daily/logrotate:

    error: modsecurity_logs:1 duplicate log entry for /usr/local/apache/logs/modsec_audit.log
    error: found error in /usr/local/apache/logs/modsec_audit.log , skipping


    Trying to avoid submitting a ticket to cPanel support if I can so I'm checking here in hopes that someone recognizes this issue and knows the solution.

    I've checked a few things in /etc/logrotated.conf and /etc/logrotate.d/ and as far as I can tell, nothing unusual.

    The /etc/logrotate.conf looks like this:

    # see "man logrotate" for details
    # rotate log files weekly
    weekly

    # keep 4 weeks worth of backlogs
    rotate 4

    # create new (empty) log files after rotating old ones
    create

    # uncomment this if you want your log files compressed
    #compress

    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d

    # no packages own wtmp -- we'll rotate them here
    /var/log/wtmp {
    monthly
    minsize 1M
    create 0664 root utmp
    rotate 1
    }

    /var/log/btmp {
    missingok
    monthly
    minsize 1M
    create 0600 root utmp
    rotate 1
    }

    # system-specific logs may be also be configured here.

    /var/lib/mysql/metro9-slow.log {
    missingok
    weekly
    minsize 1M
    create 0660 mysql mysql
    rotate 4
    }


    And /etc/logrotate.d/modsecurity_log looks like this:

    /usr/local/apache/logs/modsec_audit.log {
    rotate 15
    size=300M
    missingok
    compress
    postrotate
    /usr/local/cpanel/scripts/restartsrv_httpd 2> /dev/null > /dev/null || true
    endscript
    }


    Anyone else ever run into this?
     
  2. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I'm seeing this too, and also don't see any cause at this time. I find the error message text a little misleading though. I'll let you know if I find anything.
     
  3. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Thank you for replying, it really helps to know that I'm not alone in this.

    I'm still baffled by the error and have checked everything I can think of related to the text in the alerts.

    I look forward to your updates and I'll post here when I have anything new to add as well.
     
  4. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I haven't figured out what the error is really telling me yet, but it does look like the mod_sec_audit log is actually rotating.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can remove the custom entry at /etc/logrotate.d/modsecurity_log because it's already rotated as of cPanel version 11.50 with the addition of the /usr/local/cpanel/etc/logrotate.d/modsecurity_logs file.

    Thank you.
     
    sneader likes this.
  6. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Thanks for this, Michael. I was getting the same errors. One small difference for me... The entry I had to remove was:

    /etc/logrotate.d/modsecurity_logs

    Mine was plural in both locations (logs vs log)

    - Scott
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Yes, it's possible the custom LogRotate entry will be under a different name, as it's created manually with no standard name. Thank you for the additional details.
     
  8. ramorse

    ramorse Well-Known Member

    Joined:
    Sep 6, 2003
    Messages:
    201
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    So, I can just remove the file /etc/logrotate.d/modsecurity_logs or do I edit the file?
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You can remove it, but you may simply want to remove the entry for "/usr/local/apache/logs/modsec_audit.log" within the file if you use it to rotate other mod_security logs.

    Thank you.
     
  10. ttremain

    ttremain Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    212
    Likes Received:
    0
    Trophy Points:
    16
    In my case, it's duplicated by the /etc/logrotate.d/httpd file:

    /usr/local/apache/logs/*log {
    missingok
    notifempty
    sharedscripts
    compress
    lastaction
    /etc/init.d/httpd restart > /dev/null 2>&1
    endscript
    }
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You may want to modify that file so that it rotates specific logs instead of all log files in that directory. Keep in mind you can also control rotation for some of the Apache logs via:

    "WHM Home » Service Configuration » Apache Configuration » Log Rotation"

    Thank you.
     
  12. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Michael, I think your solution of removing the file isn't working. cPanel keeps putting the
    /etc/logrotate.d/modsecurity_logs back into place.

    I think it is replacing it every time cPanel is updated via upcp. What is a more permanent solution?

    To summarize, cPanel is trying to rotate modsec_audit.log in TWO places:

    /usr/local/cpanel/etc/logrotate.d/modsecurity_logs
    /etc/logrotate.d/modsecurity_logs

    Attempts to remove the 2nd file results in a temporary solution, until cPanel puts it back again.

    - Scott
     
    Metro2 likes this.
  13. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Same here.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I've opened internal case number CPANEL-2114 to determine if there's any specific reason why this log file is configured for rotation in multiple locations. I will update this thread with more information as it becomes available. In the meantime, can you confirm that you still receive the email warning notification, even when it's just these two logrotate configurations in place?

    Thank you.
     
  15. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,460
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    The duplicate log entry message is logrotate's way of informing you that two or more configuration files are trying to rotate the same log. Please check the other logrotate configuration files for another that manages files in /usr/local/apache/logs.

    Also, the files in /usr/local/cpanel/etc/logrotate.d/ are not used by logrotate. During upcp they get copied into /etc/logrotate.d.
     
  16. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Hi cPanelMichael,

    In case this information helps:

    Ever morning around 5am EDT I receive the following email notice from root Cron Daemon:

    Cron <root@xxxxxx> run-parts /etc/cron.daily

    /etc/cron.daily/logrotate:

    error: modsecurity_logs:1 duplicate log entry for /usr/local/apache/logs/modsec_
    audit.log
    error: found error in /usr/local/apache/logs/modsec_audit.log , skipping


    The contents of my /etc/logrotate.d/modsecurity_logs file is this:

    /usr/local/apache/logs/modsec_audit.log {
    rotate 15
    size=300M
    missingok
    compress
    postrotate
    /usr/local/cpanel/scripts/restartsrv_httpd 2> /dev/null > /dev/null || true
    endscript
    }
    /etc/logrotate.d/modsecurity_logs (END)

    My WHM > Service Configuration > Apache Configuration > Log Rotation looks like this:

    Apache Log Rotation Configuration

    Files from /usr/local/apache/logs selected below will be rotated based upon their size. The rotated files will be compressed and stored in /usr/local/apache/logs/archive/. The files are named to include the month in which they are rotated. Consequently, the file names do not relate in any way to the content of the file being rotated. Files are only rotated when they grow larger than the WHM >> Tweak Settings >> Log Rotation Size Threshold or the default of 300MB. The archived log files are left in place indefinitely. Files not chosen here will not ever be rotated by cPanel software.

    Checked - access_log (in rotation)
    Checked - error_log (in rotation)
    Not Checked - modsec_debug_log
    Checked - suexec_log (in rotation)
    Not Checked - suexec_log.offset
    Checked - suphp_log (in rotation)

    My WHM Server Configuration > Tweak Settings > Log Rotation Size Threshold set:

    Log rotation size threshold - 50MB

    So it seems a little strange that even though I've had "Log rotation size threshold" set to 50MB for over a year now, and even though I've removed the /etc/logrotate.d/modsecurity_logs file, it keeps coming back and it keeps populating with that /usr/local/apache/logs/modsec_audit.log along with size=300M parameter.


    I've checked the contents of every file in /etc/logrotate.d and the only one with anything appearing related to this is /etc/logrotate.d/modsecurity_logs

    Is there anything else I can check for you to provide you with more info that might help?

    Thank you guys for helping look into this!
     
    Infopro likes this.
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  18. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Ticket #7360209 opened.

    - Scott
     
  19. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Update on my situation: Thanks to Brian D. at cPanel support, I believe we have this sorted out.

    It is helpful to know that there are 3 different places/things to look at, for log rotation. One you look at all of these, you are bound to find the culprit, responsible for the duplicate attempts to rotate a certain log:

    WHM -> Apache Configuration -> Log Rotation:
    Uses cpanellogd to Rotate logs (if selected) in /usr/local/apache/logs/

    WHM -> cPanel Log rotation Configuration:
    Uses cpanellogd to Rotate logs (if selected) in /usr/local/cpanel/logs/

    Logrotate Utility:
    Queued up to run via cron in /etc/cron.daily/logrotate
    Initial configuration of Logrotate is done in /etc/logrotate.conf
    The Logrotate utility reads config files inside /etc/logrotate.d/ and rotates according to the data in those config files.

    In my case, Brian tracked my problem down to TWO entries in /etc/logrotate.d/ that were conflicting:
    1. I had a file called /etc/logrotate.d/httpd and inside that file, it was rotating "/usr/local/apache/logs/*log". Notice the asterisk! So, that one file was trying to rotate EVERY file in /usr/local/apache/logs/ that ended with log.
    2. cPanel added a new file in 11.50 called /etc/logrotate.d/modsecurity_logs, and inside that file it rotates "/usr/local/apache/logs/modsec_audit.log".
    As you can see, these are conflicting.... they both matched /usr/local/apache/logs/modsec_audit.log.

    My solution was to remove /etc/logrotate.d/httpd, as we believe that all log files in /usr/local/apache/logs/ are already being rotated via the configuration in "WHM -> Apache Configuration -> Log Rotation", with the exception of modsec_audit.log, which is rotated via "/etc/logrotate.d/modsecurity_logs". I am not sure why cPanel doesn't just add a modsec_audit.log checkbox to "WHM -> Apache Configuration -> Log Rotation", but there you go! Problem solved.

    - Scott
     
    kernow and Metro2 like this.
  20. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I am happy to see the issue is now resolved. Thank you for updating us with the outcome.
     
Loading...

Share This Page