owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

Problem with Nginx/ModSecurity Log Rotation and Size #290

Closed peppies closed 1 year ago

peppies commented 1 year ago

Ubuntu 22.04, Nginx/1.23.2, ModSecurity-nginx v1.0.3, logrotate 3.19.0

Fairly new to Nginx/ModSecurity, but I've been following a tutorial here and got everything set up, except the log rotation: https://www.linuxcapable.com/how-to-install-nginx-with-modsecurity-3-on-ubuntu-22-04-lts/?mtm_campaign=reddit#Create_ModSecurity_LogRotate_file

Basically what I would like to do is limit the size of the ModSecurity audit logs to 1GB, and then rotate the log if it grows larger than that, keeping a maximum of 7 log files. (My server ran out of disk space the other day with 20GB log files). The logs don't seem to be rotating properly either. This is what I have in /etc/logrotate.d/modsec:

/var/log/modsec/modsec_audit.log
{
        size 1M
        rotate 7
        missingok
        compress
        delaycompress
        notifempty
}

Here is the user that is actually running nginx (I'm assuming root?):

ubuntu@home-nginx:/var/log/nginx$ ps -eo "%U %G %a" | grep nginx
root     root     nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data www-data nginx: worker process
www-data www-data nginx: worker process
ubuntu   ubuntu   grep --color=auto nginx

Although my Nginx error.log and access.log are showing www-data:adm as the owner of those files.

Regardless, I tried adding combinations of "su www-data adm" and/or/both "create 640 www-data adm" in the logrotate config file without success.

When I manually run "sudo logrotate -v /etc/logrotate.d/modsec", it rotates, but nginx continues writing to the old log:

ubuntu@home-nginx:/var/log/modsec$ ls -al
total 132488
drwxr-xr-x  2 root     root        4096 Nov  3 00:32 .
drwxrwxr-x 13 root     syslog      4096 Nov  2 23:31 ..
-rw-r-----  1 www-data adm            0 Nov  3 00:32 modsec_audit.log
-rw-r-----  1 www-data adm    135656428 Nov  3 00:49 modsec_audit.log.1

Again, even if root:root is the owner of the log files, it's the same problem. Is this a bug, or am I doing something wrong?

peppies commented 1 year ago

This is now solved; I stumbled upon the "copytruncate" solution by chance. My full solution and details are found here: https://stackoverflow.com/questions/74296752/logrotate-ignores-size-parameter-with-modsecurity-log/
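
Why the rotated file kept growing in the listing above, and why "copytruncate" changes that, shown as an added shell demo that is not part of the original thread. The temp directory, the fd 3 writer and the log lines are constructed stand-ins for nginx/ModSecurity, and the writer is assumed to open the log in append mode.

```sh
#!/bin/sh
# Added demo: constructed temp files stand in for /var/log/modsec, and fd 3
# stands in for the long-running writer (assumed to open the log in append mode).

lines() { wc -l < "$1" | tr -d ' '; }

# Default logrotate behaviour: rename the log, then create a new empty one.
# The writer's descriptor follows the inode, so new entries go to the old file.
rotate_by_rename() (
    dir=$(mktemp -d); log="$dir/modsec_audit.log"
    exec 3>>"$log"              # writer opens the log once and keeps it open
    echo "entry-1" >&3
    mv "$log" "$log.1"          # rotation renames the file...
    : > "$log"                  # ...and creates a fresh, empty replacement
    echo "entry-2" >&3          # still lands in modsec_audit.log.1
    exec 3>&-
    echo "new=$(lines "$log") old=$(lines "$log.1")"
    rm -rf "$dir"
)

# copytruncate: copy the contents aside, then truncate the same inode.
# Caveat: entries written between the copy and the truncate are lost.
rotate_by_copytruncate() (
    dir=$(mktemp -d); log="$dir/modsec_audit.log"
    exec 3>>"$log"
    echo "entry-1" >&3
    cp "$log" "$log.1"          # rotated copy keeps the old entries
    : > "$log"                  # truncate in place; the writer's fd stays valid
    echo "entry-2" >&3          # append-mode write lands in the live log
    exec 3>&-
    echo "new=$(lines "$log") old=$(lines "$log.1")"
    rm -rf "$dir"
)

echo "rename:       $(rotate_by_rename)"
echo "copytruncate: $(rotate_by_copytruncate)"
```

In the logrotate stanza from the first comment, the second behaviour corresponds to adding the `copytruncate` directive.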