My logrotate service failes. It complains about a duplicate entry for modsecurity.
â logrotate.service - Rotate log files
Loaded: loaded (/lib/systemd/system/logrotate.service; static; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2021-06-08 14:22:07 CST; 2h 54min ago
Docs: man:logrotate(8)
man:logrotate.conf(5)
Main PID: 15370 (code=exited, status=1/FAILURE)
Jun 08 14:22:07 server1.example.com systemd[1]: Starting Rotate log files...
Jun 08 14:22:07 server1.example.com logrotate[15370]: error: modsecurity:1 duplicate log entry for /var/log/apache2/modsec_audit.log
Jun 08 14:22:07 server1.example.com logrotate[15370]: error: found error in file modsecurity, skipping
Jun 08 14:22:07 server1.example.com systemd[1]: logrotate.service: Main process exited, code=exited, status=1/FAILURE
Jun 08 14:22:07 server1.example.com systemd[1]: logrotate.service: Failed with result 'exit-code'.
Jun 08 14:22:07 server1.example.com systemd[1]: Failed to start Rotate log files.
However, /etc/logrotate.d/modsecurity
doesn't contain any duplicates:
/var/log/apache2/modsec_audit.log
{
rotate 14
daily
missingok
compress
delaycompress
notifempty
}
Any thought?
UPDATE:
#grep -r 'modsec_audit.log' /etc/
/etc/logrotate.d/modsecurity:/var/log/apache2/modsec_audit.log
/etc/modsecurity/modsecurity.conf:SecAuditLog /var/log/apache2/modsec_audit.log
/etc/modsecurity/modsecurity.conf-recommended:SecAuditLog /var/log/apache2/modsec_audit.log
So I went through:
/etc/modsecurity/modsecurity.conf:SecAuditLog /var/log/apache2/modsec_audit.log
/etc/modsecurity/modsecurity.conf-recommended:SecAuditLog /var/log/apache2/modsec_audit.log
and hashed out the modsec_audit.log values, as below
#SecAuditLogType Serial
#SecAuditLog /var/log/apache2/modsec_audit.log
then ran:
systemctl restart logrotate
Same error
UPDATE 2:
Following @Nikita Kipriyanov advice, I went through and completely hashed out /etc/logrotate.d/modsecurity and now logrotate executes successfully (all mdosec logs hashed out):
#systemctl status logrotate
â logrotate.service - Rotate log files
Loaded: loaded (/lib/systemd/system/logrotate.service; static; vendor preset: enabled)
Active: inactive (dead) since Thu 2021-06-10 09:36:53 CST; 52s ago
Docs: man:logrotate(8)
man:logrotate.conf(5)
Process: 20308 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=0/SUCCESS)
Main PID: 20308 (code=exited, status=0/SUCCESS)
Jun 10 09:36:52 tester1.example.com systemd[1]: Starting Rotate log files...
Jun 10 09:36:53 tester1.example.com systemd[1]: logrotate.service: Succeeded.
Jun 10 09:36:53 tester1.example.com systemd[1]: Started Rotate log files.
So I enabled the original modsec_audit.log located at /etc/modsecurity/modsecuirty.conf
to see what would happen. Again, things seem to work correctly
systemctl status logrotate
â logrotate.service - Rotate log files
Loaded: loaded (/lib/systemd/system/logrotate.service; static; vendor preset: enabled)
Active: inactive (dead) since Thu 2021-06-10 09:54:05 CST; 4s ago
Docs: man:logrotate(8)
man:logrotate.conf(5)
Process: 21452 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=0/SUCCESS)
Main PID: 21452 (code=exited, status=0/SUCCESS)
Jun 10 09:54:05 tester1.example.com systemd[1]: Starting Rotate log files...
Jun 10 09:54:05 tester1.example.com systemd[1]: logrotate.service: Succeeded.
Jun 10 09:54:05 tester1.example.com systemd[1]: Started Rotate log files.
Same story for /etc/modsecurity/modsecurity-recommended
, meaning that the logrotate service only fails when I use
/etc/logrotate.d/modsecuirty
and the collision has to be a wildcard as suggested by @Nikita Kipriyanov