Inotify and a huge logfile [not in log-rotation]


    Hi All,

    A few weeks ago we had some servers going really slow in response, a really weird behaviour never seen. As I have been using the same sort of configuration as on the previous cPanel servers [Maldet and Inotify], I was not sure what was causing it. With help from John d2d4j and Interworx we found that the inotify log file had become huge on 2 servers; they were 14GB and 16GB. Once the log file was deleted all was back at full speed. It seems that Maldet and inotify were not in the log rotation process, so this is what I did to have the inotify log file rotating.

    I added a file in /etc/logrotate.d for maldet/inotify to rotate the 3 log files:

    nano /etc/logrotate.d/maldet

    /usr/local/maldetect/logs/event_log
    /usr/local/maldetect/logs/clamscan_log {
        weekly
        rotate 4
        size=100M
        missingok
        notifempty
        compress
        delaycompress
        create 0644 root root
    }
    /usr/local/maldetect/logs/inotify_log {
        weekly
        rotate 4
        size=100M
        missingok
        notifempty
        compress
        delaycompress
        create 0640 root root
        postrotate
            /bin/systemctl condrestart maldet.service > /dev/null 2>/dev/null || true
        endscript
    }

    Save, and with the commands below you can check if all works fine.

    #
    # Test - Debug and run logrotate.
    #
    logrotate -d -f /etc/logrotate.d/maldet
    #
    # -d is with debug, check if you see something not right!
    #
    logrotate -f /etc/logrotate.d/maldet
    #
    # -f is run forced, check the /usr/local/maldetect/logs folder to find the rotate files and see if the inotify_log is growing
    #

    This little script checks those 3 logfiles and rotates them weekly, keeps 4 versions of each log file in case you want to check something later, and restarts maldet to make sure the logging starts again after the log rotation.

    Sadly we have been hit by several storms and I had not much time to put it up, but I hope it will help someone in time.

    Nico
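
Added example, not part of the original post: a small audit that reports files in a log directory that no logrotate config names, which is the gap that let inotify_log grow unnoticed here. The function names and the size threshold are assumptions; pass the directory exactly as it is written in the configs (absolute path, no trailing slash).

```shell
#!/bin/sh
# Added example (not from the original post).

# Print the existing files named by the given logrotate config files.
# A log path is any token starting with "/" found outside a { ... } block;
# shell globs are expanded. Assumptions: paths contain no spaces, "include"
# directives are not followed, and scripts inside a block do not contain
# stand-alone "{" or "}" tokens.
rotated_paths() {
    awk '
        /^[[:space:]]*#/ { next }
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                opens = sub(/[{]$/, "", tok)   # "path{" or a lone "{"
                if (tok == "}") { depth--; continue }
                if (depth == 0 && tok ~ /^\//) print tok
                depth += opens
            }
        }' "$@" | while IFS= read -r pat; do
            for f in $pat; do                  # unquoted on purpose: expand globs
                if [ -e "$f" ]; then printf '%s\n' "$f"; fi
            done
        done
}

# unrotated_logs LOGDIR MIN_BYTES CONFIG...
# Print "size<TAB>path" for each regular file in LOGDIR that is at least
# MIN_BYTES large and is not named by any of the configs.
unrotated_logs() {
    logdir=$1; min_bytes=$2; shift 2
    covered=$(rotated_paths "$@")
    for f in "$logdir"/*; do
        [ -f "$f" ] || continue
        size=$(($(wc -c < "$f")))
        [ "$size" -ge "$min_bytes" ] || continue
        printf '%s\n' "$covered" | grep -Fxq -- "$f" ||
            printf '%s\t%s\n' "$size" "$f"
    done
}

# Typical call on the setup from the post (run by hand or from cron):
#   unrotated_logs /usr/local/maldetect/logs 104857600 /etc/logrotate.d/*
```

Any line it prints is a log that is already over the threshold and will keep growing until a logrotate stanza covers it.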