Problems with permissions for logrotate

Tags:

logrotate

I'm writing my own logrotate configuration for some web application:

/home/me/public_html/logs/*.log {
    daily
    missingok
    rotate 15
    compress
    delaycompress
    notifempty
    create 0660 me www-data
    nosharedscripts
}

But running logrotate for these files results in:

$ sudo logrotate -d -v *.log
Ignoring logfile1.log because of bad file mode.
Ignoring logfile2.log because of bad file mode.
Ignoring otherlogfile.log because of bad file mode.

Handling 0 logs
$ ls -l
-rw-rw---- 1 me www-data  893584 Jan 27 16:01 logfile1.log
-rw-rw---- 1 me www-data  395011 Jan 27 16:01 logfile2.log
-rw-rw---- 1 me www-data 4949115 Jan 27 16:01 otherlogfile.log

Is this related to the file permissions of the actual logfiles in the directory or to the permissions specified with create 0660 me www-data?

If I change the file permissions to -rw-r----- and the create line to

create 0640 me www-data

I get

$ sudo logrotate -d -v *.log
Ignoring logfile1.log because the file owner is wrong (should be root).
Ignoring logfile2.log because the file owner is wrong (should be root).
Ignoring otherlogfile.log because the file owner is wrong (should be root).

Handling 0 logs

My system is a Debian testing/jessie.

white_gecko asked Jan 30 '15 10:01



1 Answer

Ok, stupid situation. The logrotate command has to be executed on the configuration file instead of the log file.

$ sudo logrotate -d -v /etc/logrotate.d/my-app

It seems to be important that the parent directory of the logfile is not world writable (------rw-) and not writable by any non-root group (---rw----). Otherwise, you will see:

error: skipping "/home/me/public_html/logs/logfile1.log" because parent
directory has insecure permissions (It's world writable or writable by 
group which is not "root") Set "su" directive in config file to tell
logrotate which user/group should be used for rotation.

2 revs, 2 users 95% answered Oct 27 '22 22:10
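
The three messages quoted in this thread can be checked for before running logrotate. The script below is an added example, not part of the original question or answer; it assumes GNU stat, its function names are hypothetical, and its mode rule (no group or world write bit) is inferred from the 0660 and 0640 results shown in the question.

```shell
#!/bin/sh
# Added example: pre-flight checks for the three logrotate messages in this thread.
# Assumes GNU stat (Debian/Ubuntu); function names are hypothetical.

# check_config FILE [UID]: FILE is what gets passed to logrotate, so root parses it.
# UID is the required owner (default 0 = root). Prints ok, bad-mode or bad-owner.
check_config() {
    mode=$(stat -c '%a' -- "$1") || return 2
    uid=$(stat -c '%u' -- "$1") || return 2
    # Assumed rule, inferred from 0660 being rejected and 0640 accepted above:
    # no write bit for group or others.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then echo bad-mode; return 1; fi
    if [ "$uid" -ne "${2:-0}" ]; then echo bad-owner; return 1; fi
    echo ok
}

# check_log_dir LOGFILE: inspects the parent directory of a log file, per the
# "insecure permissions" error: world writable, or writable by a non-root group.
check_log_dir() {
    dir=$(dirname -- "$1")
    mode=$(stat -c '%a' -- "$dir") || return 2
    gid=$(stat -c '%g' -- "$dir") || return 2
    if [ $(( 0$mode & 002 )) -ne 0 ]; then echo world-writable; return 1; fi
    if [ $(( 0$mode & 020 )) -ne 0 ] && [ "$gid" -ne 0 ]; then
        echo group-writable; return 1   # needs a "su user group" directive
    fi
    echo ok
}

# Usage: sh check.sh CONFIG LOGFILE...
if [ "$#" -gt 0 ]; then
    conf=$1; shift
    echo "$conf: $(check_config "$conf")"
    for log in "$@"; do
        echo "$(dirname -- "$log"): $(check_log_dir "$log")"
    done
fi
```

If the directory check reports group-writable, the remedy named in the error text is a `su` line in the stanza, for example `su me www-data` for the ownership used in the question.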