logrotate ignores the size parameter for ModSecurity logs



I have a logrotate config file for ModSecurity3 logs (on Ubuntu 22.04 + Nginx web server):

/etc/logrotate.d/modsec
-rw-r--r--   1 root root  162 Nov  2 23:21 modsec
/var/log/modsec/modsec_audit.log
{
size 1M
rotate 7
missingok
compress
delaycompress
notifempty
}

This was set up as a test, to rotate the log whenever it grows beyond 1M.

In the modsec log directory I have this:

ubuntu@nginx:/var/log/modsec$ ls -al
drwxr-xr-x  2 root root       4096 Nov  2 23:20 .
drwxrwxr-x 13 root syslog     4096 Nov  2 23:19 ..
-rw-r--r--  1 root root   47744907 Nov  2 23:27 modsec_audit.log

The size keeps growing well past 1M and the logs don't rotate. I tried debugging it and got this:

ubuntu@nginx:/var/log/modsec$ sudo logrotate -d /etc/logrotate.d/modsec
WARNING: logrotate in debug mode does nothing except printing debug messages!  Consider using verbose mode (-v) instead if this is not what you want.
reading config file /etc/logrotate.d/modsec
Reading state from file: /var/lib/logrotate/status
Allocating hash table for state file, size 64 entries
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Handling 1 logs
rotating pattern: /var/log/modsec/modsec_audit.log
1048576 bytes (7 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/modsec/modsec_audit.log
Now: 2022-11-02 23:32
Last rotated at 2022-11-02 23:20
log needs rotating
rotating log /var/log/modsec/modsec_audit.log, log->rotateCount is 7
dateext suffix '-20221102'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
previous log /var/log/modsec/modsec_audit.log.1 does not exist
renaming /var/log/modsec/modsec_audit.log.7.gz to /var/log/modsec/modsec_audit.log.8.gz (rotatecount 7, logstart 1, i 7),
renaming /var/log/modsec/modsec_audit.log.6.gz to /var/log/modsec/modsec_audit.log.7.gz (rotatecount 7, logstart 1, i 6),
renaming /var/log/modsec/modsec_audit.log.5.gz to /var/log/modsec/modsec_audit.log.6.gz (rotatecount 7, logstart 1, i 5),
renaming /var/log/modsec/modsec_audit.log.4.gz to /var/log/modsec/modsec_audit.log.5.gz (rotatecount 7, logstart 1, i 4),
renaming /var/log/modsec/modsec_audit.log.3.gz to /var/log/modsec/modsec_audit.log.4.gz (rotatecount 7, logstart 1, i 3),
renaming /var/log/modsec/modsec_audit.log.2.gz to /var/log/modsec/modsec_audit.log.3.gz (rotatecount 7, logstart 1, i 2),
renaming /var/log/modsec/modsec_audit.log.1.gz to /var/log/modsec/modsec_audit.log.2.gz (rotatecount 7, logstart 1, i 1),
renaming /var/log/modsec/modsec_audit.log.0.gz to /var/log/modsec/modsec_audit.log.1.gz (rotatecount 7, logstart 1, i 0),
log /var/log/modsec/modsec_audit.log.8.gz doesn't exist -- won't try to dispose of it
renaming /var/log/modsec/modsec_audit.log to /var/log/modsec/modsec_audit.log.1

It seems logrotate knows the log needs rotating, but it isn't doing it automatically... or I'm doing something wrong. What should I do?

Goal: my ModSecurity logs keep growing, so in the end I want to limit the number of logs to 7, each no larger than 1GB. If a log grows beyond that, rotate it and delete the oldest one; otherwise rotate once a day.

I was able to find a solution after looking at various sources. Part of the problem has to do with SpiderLabs' ModSecurity Nginx connector not writing to the new log after rotation. This config file (/etc/logrotate.d/modsec) finally worked:

/var/log/modsec/*.log {
size 1G
missingok
rotate 7
compress
delaycompress
notifempty
copytruncate
sharedscripts
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then 
run-parts /etc/logrotate.d/httpd-prerotate; 
fi 
endscript
postrotate
invoke-rc.d nginx rotate >/dev/null 2>&1
endscript
}

This is basically a copy of the default Nginx logrotate config for error.log/access.log, with a few changes. The key is to replace "create" with "copytruncate". This takes modsec_audit.log, copies it to modsec_audit.log.1, and then truncates modsec_audit.log to an empty file, so new data keeps being written to it.

The second part of the solution for limiting the file size was to create a cronjob:

@hourly /usr/sbin/logrotate /etc/logrotate.d/modsec

This runs the logrotate config file every hour and checks the log size. If the log is smaller than 1G nothing happens; otherwise, if the log is larger than 1G, it is rotated. Without the cronjob, the default logrotate setup only runs once a day (so it only checks the file size once a day). That's why my log grew beyond 20GB without the size check ever kicking in...
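The two points in the answer above, why "create" loses audit events when the writer keeps its file descriptor open and why the "size" directive only matters when logrotate actually runs, can be reproduced in a shell without touching nginx. The script below is an added example and is not code from the question, the answer, or the logrotate/ModSecurity projects. It assumes only a POSIX shell with mktemp, mv, cp, grep, wc and tr; the function names and the simulated "event-N" log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original question or answer): simulate what a
# log writer that keeps one descriptor open sees under logrotate's two
# rotation strategies, and reimplement logrotate's "size" check.
# Assumes a POSIX shell with mktemp, mv, cp, grep, wc and tr.

# Rotation by rename, which is what "create" does: rename the old file and
# create an empty one under the original name. Prints "old" if the line
# written after rotation landed in the renamed file, "new" if it reached the
# live log.
rotate_by_rename() {
    dir=$(mktemp -d) || return 2
    log="$dir/modsec_audit.log"
    exec 3>>"$log"                 # writer opens the log once, in append mode
    printf 'event-1\n' >&3
    mv "$log" "$log.1"             # rotate: rename the inode the writer holds
    : > "$log"                     # "create": a fresh, empty inode
    printf 'event-2\n' >&3         # writer still points at the old inode
    exec 3>&-
    if grep -q 'event-2' "$log"; then where=new; else where=old; fi
    rm -rf "$dir"
    printf '%s\n' "$where"
}

# Rotation by copytruncate: copy the content out, then truncate in place.
# The writer's descriptor still refers to the same inode, so later writes
# land in the live log under the original name.
rotate_by_copytruncate() {
    dir=$(mktemp -d) || return 2
    log="$dir/modsec_audit.log"
    exec 3>>"$log"
    printf 'event-1\n' >&3
    cp "$log" "$log.1"             # copy the current content away ...
    : > "$log"                     # ... then truncate the same inode
    printf 'event-2\n' >&3         # append mode: written at the new end (offset 0)
    exec 3>&-
    if grep -q 'event-2' "$log"; then where=new; else where=old; fi
    rm -rf "$dir"
    printf '%s\n' "$where"
}

# Convert a logrotate-style size ("1M", "1G", "512k", "4096") to bytes.
size_to_bytes() {
    n=${1%[kMG]}
    case "$1" in
        *k) echo $((n * 1024)) ;;
        *M) echo $((n * 1024 * 1024)) ;;
        *G) echo $((n * 1024 * 1024 * 1024)) ;;
        *)  echo "$n" ;;
    esac
}

# Exit 0 when the file is at least the given size, i.e. when a logrotate run
# configured with "size <threshold>" would rotate it. The check only happens
# when logrotate runs, which is why the hourly cron entry is needed.
log_needs_rotation() {
    [ -f "$1" ] || return 1
    bytes=$(wc -c < "$1" | tr -d ' ')
    [ "$bytes" -ge "$(size_to_bytes "$2")" ]
}

# Stand-alone run: show both behaviours and the size conversion.
echo "rename/create: post-rotation write went to the $(rotate_by_rename) file"
echo "copytruncate:  post-rotation write went to the $(rotate_by_copytruncate) file"
echo "size 1M = $(size_to_bytes 1M) bytes (matches logrotate's debug output)"
```

Two caveats worth knowing before relying on copytruncate for an audit log: any event written between the copy and the truncate is lost, and a writer that did not open the file with O_APPEND keeps writing at its old offset after truncation, producing a sparse file full of NUL bytes. Both are avoided entirely when the daemon can be told to reopen its logs in a postrotate script, as the nginx "rotate" action in the answer's config does for nginx's own logs.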
