Log Rotation does not seem to be working CentOS4.5

JasonKretzer
Posts: 1
Joined: 2007/06/20 12:15:13

Log Rotation does not seem to be working CentOS4.5

Post by JasonKretzer » 2007/06/20 12:23:27

Hey Gang,

Another day, another issue...

For some reason the log file for snort

/var/log/snort/alert

is not getting rotated daily. It is just getting bigger and bigger. I have taken a look at the logrotate services and it should be rotating properly. Anyone have any ideas here? I am attaching the appropriate logrotate config files below. Let me know if you need more information.

Thanks,

-Jason


============================================
# /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
============================================


============================================
# /etc/logrotate.d/snort
# $Id$

/var/log/snort/alert /var/log/snort/*log
/var/log/snort/*/alert /var/log/snort/*/*log {
    daily
    rotate 7
    compress
    missingok
    notifempty
    create 0640 snort adm
    sharedscripts
    postrotate
        /etc/init.d/snortd restart 1>/dev/null || true
    endscript
}
============================================

Anything I am missing here?

K_Frye
Posts: 425
Joined: 2005/07/13 01:48:35
Location: Canada

Re: Log Rotation does not seem to be working CentOS4.5

Post by K_Frye » 2007/06/25 15:39:15

[quote]
JasonKretzer wrote:
Hey Gang,

Another day, another issue...

For some reason the log file for snort

/var/log/snort/alert

is not getting rotated daily. It is just getting bigger and bigger. I have taken a look at the logrotate services and it should be rotating properly. Anyone have any ideas here? I am attaching the appropriate logrotate config files below. Let me know if you need more information.[/quote]

Log rotation has been broken in RHEL for a while. Is /tmp mounted noexec in your /etc/fstab?

I had to modify my /etc/cron.daily/logrotate file and redefine TMPDIR in order to allow -HUP in the various prerotate/postrotate routines.

Be sure to back up your existing logrotate file and keep in mind that future CentOS updates may require you to re-do these steps. Make sure you restart syslog after making the change.

[code]
#!/bin/sh
# Give logrotate a TMPDIR outside the noexec /tmp
if [ ! -d /var/tmp/logrotate ]; then
    mkdir /var/tmp/logrotate
fi
TMPDIR=/var/tmp/logrotate
export TMPDIR
/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
# Report a failed run through syslog
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
# Remove the temporary directory again
rm -Rf /var/tmp/logrotate
exit 0
[/code]
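
As an added example (not part of the thread and not K_Frye's script), the script below checks whether a directory sits on a noexec mount, the condition the reply asks about, and runs logrotate with a private `mktemp -d` scratch directory instead of a fixed path under world-writable /var/tmp. The function names and the sample mount table are constructed for illustration, and it assumes /var/tmp itself is not mounted noexec.

```shell
#!/bin/sh
# Added example, not the poster's script. Mount table layout follows /proc/mounts:
#   device mountpoint fstype options dump pass

# Constructed sample mount table (not taken from the thread).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda5 /var ext3 rw 0 0
EOF
}

# mount_opts DIR [FILE]: options of the longest mount point that contains DIR.
mount_opts() {
    awk -v dir="$1" '
        { mp = $2
          hit = (mp == "/" || dir == mp || index(dir, mp "/") == 1)
          if (hit && length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "${2:-/proc/mounts}"
}

# is_noexec DIR [FILE]: succeeds when DIR sits on a filesystem mounted noexec.
is_noexec() {
    case ",$(mount_opts "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_logrotate: cron wrapper body. If the default temp dir is noexec, point
# TMPDIR at a fresh private directory (mktemp -d: unpredictable name, mode 0700).
run_logrotate() {
    scratch=
    if is_noexec "${TMPDIR:-/tmp}"; then
        scratch=$(mktemp -d /var/tmp/logrotate.XXXXXX) || return 1
        TMPDIR=$scratch; export TMPDIR
    fi
    /usr/sbin/logrotate /etc/logrotate.conf
    rc=$?
    [ "$rc" -eq 0 ] || /usr/bin/logger -t logrotate "ALERT exited abnormally with [$rc]"
    [ -z "$scratch" ] || rm -rf -- "$scratch"
    return 0
}

# Demo on the constructed table; a cron script would call run_logrotate instead.
demo=$(mktemp) && sample_mounts > "$demo"
for d in /tmp /var/tmp /var/log/snort; do
    if is_noexec "$d" "$demo"; then echo "$d: noexec"; else echo "$d: exec allowed"; fi
done
rm -f "$demo"
```

Without a second argument, `is_noexec` reads the live /proc/mounts, so `is_noexec /tmp && echo noexec` answers the question for the running system.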
