问题
I added two scripts in "logrotate.d" directory for my application logs to be rotated. This is the config for one of them:
<myLogFilePath> {
compress
copytruncate
delaycompress
dateext
missingok
notifempty
daily
rotate 30
}
There is a "logrotate" script in "cron.daily" directory (which seems to be running daily as per cron logs):
#!/bin/sh
echo "logrotate_test" >>/tmp/logrotate_test
#/usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1
/usr/sbin/logrotate -v /etc/logrotate.conf &>>/root/logrotate_error
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
The first echo statement is working.
But I find my application logs alone are not getting rotated, whereas other logs like httpd are getting rotated **
**And I also don't see any output in the mentioned "logrotate_error" file (has write permission for all users).
However the syslog says: "logrotate: ALERT exited abnormally with [1]"
But when I run the same "logrotate" in "cron.daily" script manually, everything seems working fine.
Why is it not rotating during daily cron schedule? Am I doing something wrong here?
It would be great if I get this much needed help.
UPDATED: It looks like, it's because of selinux - the log files in my user home directory has restrictions imposed by selinux and the when logrotate script is run:
SELinux is preventing /usr/sbin/logrotate from getattr access on the file /home/user/logs/application.log
回答1:
SELinux was restricting the access to logrotate on log files in directories which does not have the required SELinux file context type. "/var/log" directory has "var_log_t" file context, and logrotate was able to do the needful. So the solution was to set this on my application log files and it's parent directory:
semanage fcontext -a -t var_log_t <directory/logfile>
restorecon -v <directory/logfile>
回答2:
I had a similar problem. To resolve this, I first checked the status of SELinux using the sestatus command:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Then, check the SELinux security context applied to files and directories using ls --scontext. Check the files you want logrotate to operate on, and check files that are working, such as /var/log/maillog:
# ls --scontext /var/log/maillog*
system_u:object_r:var_log_t:s0 /var/log/maillog
system_u:object_r:var_log_t:s0 /var/log/maillog-20140713
system_u:object_r:var_log_t:s0 /var/log/maillog-20140720
system_u:object_r:var_log_t:s0 /var/log/maillog-20140727
system_u:object_r:var_log_t:s0 /var/log/maillog-20140803
Use semanage to change the file context.
semanage fcontext -a -t var_log_t <directory/logfile>
restorecon -v <directory/logfile>
回答3:
Just to generalize the above and make sure same SELinux context is properly set for all future files:
semanage fcontext -a -t var_log_t "<directory>(/.*)?"
restorecon -v <directory>
回答4:
SELinux is preventing /usr/sbin/logrotate from read access on the directory sites.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that logrotate should be allowed read access on the sites directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access.
Do
allow this access for now by executing:# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
回答5:
I've recently encountered a similar SELinux-related issue with logrotate
not operating on files as expected, which occurred when the logs to be rotated were on an NFS share.
In this case setting the logrotate_use_nfs
seboolean seemed to fix the problem, e.g.
$ setsebool logrotate_use_nfs 1
$ getsebool logrotate_use_nfs
logrotate_use_nfs --> on
回答6:
I have seen this issue with SELINUX disabled and this was because the parent directory of log file being rotated has global write-permission which is not welcomed by logrotate
error: skipping "/xxx/yyy/log/logfile.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
chmod the parent directory to 755 solved the issue
# logrotate --version
logrotate 3.8.6
来源:https://stackoverflow.com/questions/15652654/logrotate-cron-job-not-rotating-certain-logs