Logrotate Service Failure

My logrotate service failes. It complains about a duplicate entry for modsecurity.

 ● logrotate.service - Rotate log files
       Loaded: loaded (/lib/systemd/system/logrotate.service; static; vendor preset: enabled)
       Active: failed (Result: exit-code) since Tue 2021-06-08 14:22:07 CST; 2h 54min ago
         Docs: man:logrotate(8)
               man:logrotate.conf(5)
     Main PID: 15370 (code=exited, status=1/FAILURE)
    
    Jun 08 14:22:07 server1.example.com systemd[1]: Starting Rotate log files...
    Jun 08 14:22:07 server1.example.com logrotate[15370]: error: modsecurity:1 duplicate log entry for /var/log/apache2/modsec_audit.log
    Jun 08 14:22:07 server1.example.com logrotate[15370]: error: found error in file modsecurity, skipping
    Jun 08 14:22:07 server1.example.com systemd[1]: logrotate.service: Main process exited, code=exited, status=1/FAILURE
    Jun 08 14:22:07 server1.example.com systemd[1]: logrotate.service: Failed with result 'exit-code'.
    Jun 08 14:22:07 server1.example.com systemd[1]: Failed to start Rotate log files.

However, /etc/logrotate.d/modsecurity doesn't contain any duplicates:

/var/log/apache2/modsec_audit.log
{
        rotate 14
        daily
        missingok
        compress
        delaycompress
        notifempty
}

Any thought?

UPDATE:

#grep -r 'modsec_audit.log' /etc/

/etc/logrotate.d/modsecurity:/var/log/apache2/modsec_audit.log
/etc/modsecurity/modsecurity.conf:SecAuditLog /var/log/apache2/modsec_audit.log
/etc/modsecurity/modsecurity.conf-recommended:SecAuditLog /var/log/apache2/modsec_audit.log

So I went through:

 /etc/modsecurity/modsecurity.conf:SecAuditLog /var/log/apache2/modsec_audit.log
 /etc/modsecurity/modsecurity.conf-recommended:SecAuditLog /var/log/apache2/modsec_audit.log

and hashed out the modsec_audit.log values, as below

#SecAuditLogType Serial
#SecAuditLog /var/log/apache2/modsec_audit.log

then ran:
systemctl restart logrotate

Same error

UPDATE 2:

Following @Nikita Kipriyanov advice, I went through and completely hashed out /etc/logrotate.d/modsecurity and now logrotate executes successfully (all mdosec logs hashed out):

#systemctl status logrotate ● logrotate.service - Rotate log files Loaded: loaded (/lib/systemd/system/logrotate.service; static; vendor preset: enabled) Active: inactive (dead) since Thu 2021-06-10 09:36:53 CST; 52s ago Docs: man:logrotate(8) man:logrotate.conf(5) Process: 20308 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=0/SUCCESS) Main PID: 20308 (code=exited, status=0/SUCCESS)

Jun 10 09:36:52 tester1.example.com systemd[1]: Starting Rotate log files...
Jun 10 09:36:53 tester1.example.com systemd[1]: logrotate.service: Succeeded.
Jun 10 09:36:53 tester1.example.com systemd[1]: Started Rotate log files.

So I enabled the original modsec_audit.log located at /etc/modsecurity/modsecuirty.confto see what would happen. Again, things seem to work correctly

systemctl status logrotate

● logrotate.service - Rotate log files Loaded: loaded (/lib/systemd/system/logrotate.service; static; vendor preset: enabled) Active: inactive (dead) since Thu 2021-06-10 09:54:05 CST; 4s ago Docs: man:logrotate(8) man:logrotate.conf(5) Process: 21452 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=0/SUCCESS) Main PID: 21452 (code=exited, status=0/SUCCESS)

Jun 10 09:54:05 tester1.example.com systemd[1]: Starting Rotate log files... Jun 10 09:54:05 tester1.example.com systemd[1]: logrotate.service: Succeeded. Jun 10 09:54:05 tester1.example.com systemd[1]: Started Rotate log files.

Same story for /etc/modsecurity/modsecurity-recommended, meaning that the logrotate service only fails when I use
/etc/logrotate.d/modsecuirty and the collision has to be a wildcard as suggested by @Nikita Kipriyanov


So, the file /var/log/apache2/modsec_audit.log is set up to be rotated by the /etc/logrotate.d/modsecurity and some other file, which covers it with a wildcard. For example, that might be defined as /var/log/apache2/*log, which of course includes this file. I don't know which other logrotate configuration files you have, but chances are high that it is /etc/logrotate.d/apache2 or something like that has a wildcard.

Therefore, the /var/log/apache2/modsec_audit.log will be rotated even if you remove /etc/logrotate.d/modsecurity. Or better, replace it with an empty file (or a file with just a comment containing a link to this SF question and answer to easy remember what's happened). This is simplest near-time solution for a problem. Other way, you might want to remove /var/log/apache2/modsec_audit.log from being catched with the wildcard; there is no way to set excludes to wildcards in logrotate, so you'd end up with rewriting the wildcard(s) so it'll include all files except this one. I consider this cumbersome.

Also remember, /etc/logrotate.d/modsecurity and the other logrotate configurations likely were installed by some OS packages. Those files will be reinstalled when you update those packages. While removed file will be just put again into place, the the edited file won't. The configuration file protection will kick in and at least you'll have a notice about updated configuration and the prompt to resolve by hand. So "create an empty file" is counted as an edit and will save you some hair.

And, to resolve this completely and forever, you should discover which packages these clashing files belong to, and file a bug into your distribution's bug tracker. You may convince them to fix packages so updates wouldn't contain these files or these files wouldn't clash, so nothing breaks after update.


Most probably you have duplicate entry defined in another file.
Check /etc/logrotate.conf file for duplicates, if there are none in this file issue

grep -rnw '/etc/logrotate.d/' -e 'modsec_audit.log'

to find duplicates in other files.


You can also try looking in /etc/logrotate.d/rsyslog file:

grep 'modsec_audit.log' /etc/logrotate.d/rsyslog

You may find duplicates there.