PHP not writing to error_log

verdon

Well-Known Member
Nov 1, 2003
911
10
168
59
Northern Ontario, Canada
cPanel Access Level
Root Administrator
I recently switched from Apache to LiteSpeed. Since (though I'm not 100% sure of the timing) I don't think php is able to write to users' error_log

I'm also seeing a lot of entries like this in my kernel log

[976574.594142] type=1400 audit(1562012939.794:1171779): avc: denied { append } for pid=11758 comm="lsphp" name="error_log" dev=sda5 in ...: 1 Time(s)


FYI... What started me down this rabbit hole is trying to figure out why the Wordpress plugin 'WP Fail2Ban' is no longer logging events to /var/log/messages. On one server the php handler is LiteSpeed and the other apache/php-fpm - In case anyone has any insight to that.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
6,815
541
263
Houston
cPanel Access Level
DataCenter Provider

verdon

Well-Known Member
Nov 1, 2003
911
10
168
59
Northern Ontario, Canada
cPanel Access Level
Root Administrator
I believe litespeed uses their own error log: litespeed doesn't use apache error log?
Thanks. That was an older article, but it did point me to places to look. The default LiteSpeed setup does use /var/log/apache2/error_log and it is a configurable value. There is activity on that file.

I'm still not sure what the entries in my kernel log mean, like this...
Code:
[976574.594142] type=1400 audit(1562012939.794:1171779): avc: denied { append } for pid=11758 comm="lsphp" name="error_log" dev=sda5 in ...: 1 Time(s)
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
6,815
541
263
Houston
cPanel Access Level
DataCenter Provider

verdon

Well-Known Member
Nov 1, 2003
911
10
168
59
Northern Ontario, Canada
cPanel Access Level
Root Administrator
Thanks @cPanelLauren ,

I hadn't really considered that. This server was provisioned as a cPanel server by my data centre, and I know SELinuxe doesn't play nice with cPanel. It is there, but is set to permissive.

Code:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
FYI... I did a search in /home/*/public_html/* for files named error_log less than 2 days old, and there were a few, so at least some accounts are writing them. Still confused by all the entries in my nightly logwatch such as the one above though.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
6,815
541
263
Houston
cPanel Access Level
DataCenter Provider
If you disable selinux do you still get the error when lsphp is attempting to write to the apache log? Instructions on disabling it are located in the link I provided.
 

verdon

Well-Known Member
Nov 1, 2003
911
10
168
59
Northern Ontario, Canada
cPanel Access Level
Root Administrator
If you disable selinux do you still get the error when lsphp is attempting to write to the apache log? Instructions on disabling it are located in the link I provided.
I'll try a controlled test on it this afternoon. To my understanding though, SELinux set to permissive should be doing nothing anyways, but I'm not 100% sure on that.

Ps. Actually, I can't reboot until tonight... will test tomorrow.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
6,815
541
263
Houston
cPanel Access Level
DataCenter Provider
Technically it's not being enforced but those AVC messages are logged:

5.4. Permanent Changes in SELinux States and Modes - Red Hat Customer Portal
When SELinux is running in permissive mode, SELinux policy is not enforced. The system remains operational and SELinux does not deny any operations but only logs AVC messages, which can be then used for troubleshooting, debugging, and SELinux policy improvements.
So, in theory, you should have errors being written to the apache error logs and those AVC messages right now.
 
  • Like
Reactions: verdon