Apache and logrotate configuration

apacheApache2logrotateUbuntu

Last week I found a problem on my server, because the disk usage was 100%, and I found out apache had created a huge error.log file of 60GB. I changed then the LogLevel to emerg, but after one week, it is again 1.3GB which is definitely too much.

Moreover, I have an access.log of 6MB and an other_vhosts_access.log of 167MB. So I found out that the problem could be logrotate not working.
Actually the gzipped files of the logs have a very old date (23rd February).

So I tried first to change the configuration of the logrotate file for apache2, adding a max size for the file, looking now like this:

/var/log/apache2/*.log {
    weekly
    size 500M
    missingok
    rotate 20
    compress
    delaycompress
    notifempty
    create 640 root adm
    sharedscripts
    postrotate
                if /etc/init.d/apache2 status > /dev/null ; then \
                    /etc/init.d/apache2 reload > /dev/null; \
                fi;
    endscript
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi; \
    endscript
}

After this I tried manually to force logrotate to run a specific configuration for apache with

logrotate -f /etc/logrotate.d/apache2

and I got this error:

error: skipping "/var/log/apache2/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/apache2/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/apache2/other_vhosts_access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

The strange thing is that in some way it run the rotation, creating an empty error.log file, but with different permissions from the old one, and not compressing the existing error.log.

Looking at apache log directory, it looks now like this:

-rwxrwxrwx  1 root           adm            6.3M Oct 21 10:54 access.log
-rwxrwxrwx  1 root           adm             22K Feb 18  2014 access.log.1
-rwxrwxrwx  1 root           adm            7.0K Feb 16  2014 access.log.2.gz
-rwxrwxrwx  1 root           adm            4.0K Feb  9  2014 access.log.3.gz
-rw-------  1 amministratore amministratore    0 Oct 21 10:32 error.log
-rw-r--r--  1 root           root           1.3G Oct 21 10:57 error.log.1
-rwxrwxrwx  1 root           adm            167M Oct 21 10:57 other_vhosts_access.log
-rwxrwxrwx  1 root           adm            225K Feb 23  2014 other_vhosts_access.log.1
-rwxrwxrwx  1 root           adm             16K Feb 15  2014 other_vhosts_access.log.2.gz
-rwxrwxrwx  1 root           adm            3.2K Feb  8  2014 other_vhosts_access.log.3.gz

So what is the right way to proceed?

Should I change the permissions of the /var/log/apache2 directory? (which is now 777) I didn't set these permissions and I don't know if it is correct.

Or should I tell logrotate which user to use for rotation? And how?

Best Answer

just add su root adm to the config file:

/var/log/apache2/*.log {
    # …
    su root adm
}
Related Topic