Problem with logrotate: Log rotation writes to incorrect file #3047

Open
gabinheylen opened this issue Jan 30, 2024 · 2 comments
Labels
3.x Related to ModSecurity version 3.x


gabinheylen commented Jan 30, 2024

Problem Description:

After configuring logrotate to handle ModSecurity log rotation, I encountered an unexpected issue. After the first rotation, logs are being written to the file modsec_audit.log.1 instead of modsec_audit.log. Additionally, all subsequent logs are appended to the modsec_audit.log.1 file, leading to potentially large log files.

Logrotate Configuration:

/var/log/modsec_audit.log {
  daily
  rotate 14
  compress
  delaycompress
  missingok
  notifempty
  create 644 root root
  sharedscripts
  postrotate
    /usr/sbin/service nginx reopenlogs >/dev/null 2>&1 || true
  endscript
}

Steps to Reproduce the Issue:

  1. ModSecurity configuration adhering to recommendations.
  2. Logrotate configuration added in /etc/logrotate.d/modsec.

Expected Behavior:

Logs should be correctly rotated into the modsec_audit.log file with the proper rotation suffix.

Observed Behavior:
Logs are written to the modsec_audit.log.1 file after the first rotation, and subsequent logs are appended to the modsec_audit.log.1 file.

Environment:

Operating System: Linux Ubuntu 20.04
ModSecurity Version: V3
Logrotate Version: 3.14.0

Your assistance in addressing this matter and providing guidance or a fix would be greatly appreciated. Thank you!
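
The symptom reported above, new entries landing in modsec_audit.log.1, matches the behaviour of a writer that keeps its file descriptor open across logrotate's rename and never reopens the path. The check below is an added example, not part of the thread or of the ModSecurity project; the function name `stale_log_writers` is hypothetical and it assumes a Linux `/proc`:

```shell
#!/bin/sh
# Added example, not from the issue thread. Linux only: reads /proc/<pid>/fd.
# Usage (after sourcing): stale_log_writers /var/log/modsec_audit.log
#
# Prints "PID FD PATH" for each descriptor that is open for writing on a
# rotated sibling of LOGFILE (LOGFILE.1, LOGFILE.2, ...), i.e. a writer that
# never reopened LOGFILE after the rename. Returns 0 if any were found.
stale_log_writers() {
    slw_log=$1
    slw_found=1
    for slw_link in /proc/[0-9]*/fd/*; do
        # Descriptors of other users' processes are unreadable without root.
        slw_target=$(readlink "$slw_link" 2>/dev/null) || continue
        case $slw_target in
            "$slw_log".[0-9]*) ;;   # rotated name; a " (deleted)" suffix also matches
            *) continue ;;
        esac
        slw_fd=${slw_link##*/}
        slw_pid=${slw_link#/proc/}
        slw_pid=${slw_pid%%/*}
        # fdinfo "flags:" is octal; the last digit is the access mode
        # (0 read-only, 1 write-only, 2 read-write).
        slw_flags=$(sed -n 's/^flags:[[:space:]]*//p' \
            "/proc/$slw_pid/fdinfo/$slw_fd" 2>/dev/null) || continue
        case $slw_flags in
            *[12]) printf '%s %s %s\n' "$slw_pid" "$slw_fd" "$slw_target"
                   slw_found=0 ;;
        esac
    done
    return "$slw_found"
}
```

Run as root to see descriptors held by the web server's worker processes; a non-empty result after rotation means audit entries are going to a file that downstream log shippers and retention rules may not be watching.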


airween commented Jan 30, 2024

Hi @gabinheylen,

thank you for your report.

I'm really sorry to say, but I'm afraid the problem that you're facing is a known problem, and unfortunately there is no solution yet. If I'm right, issue #1968 discusses it. That references another issue under ModSecurity-nginx, namely #121. Please try to review it; maybe you can find some help.

Please share your experiences with us.


airween commented Feb 29, 2024

@gabinheylen ping.

airween added the "3.x Related to ModSecurity version 3.x" label Feb 29, 2024