4

I noticed suspicious behaviour of my auth.log. For some reason it is getting rotated multiple times every time it should rotate.

2014-06-15 06:25:06,102 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-06-15 06:25:06,102 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-06-15 06:25:20,117 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-06-15 06:25:20,117 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log

/etc/logrotate.d/syslog-ng

/var/log/auth.log
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
            invoke-rc.d syslog-ng reload > /dev/null
    endscript
}

I checked old logs and found out this started a few months ago.
What is going wrong there?

Möhre
  • Please show your logrotate conf for your auth.log. – deagh Jun 25 '14 at 09:44
  • We would need to see the logrotate config for auth.log to be able to help. – user9517 Jun 25 '14 at 09:44
  • @Iain do you really need to down vote half of all the new questions? I noted that on almost 3/4th of all new questions that have -1 or more, I see your name on the page. Not the first time your name is related to a down vote, so I'm suspecting you do this all the time. StackExchange is for asking and giving support. – Sander Schaeffer Jun 25 '14 at 11:07
  • @SanderSchaeffer like everyone else I am free to vote as I see fit. – user9517 Jun 25 '14 at 11:13
  • I added the logrotate config lines for auth.log – Möhre Jun 26 '14 at 09:24

2 Answers

0
  1. Run logrotate in debug and maybe force mode to check which configs rotate it and how many times it gets rotated. Maybe several logrotate configs try to rotate auth.log.
  2. Then check your cron log to see how many times logrotate was called. Maybe some cron config was duplicated and calls logrotate several times.
Kazimieras Aliulis
  • I checked that and fixed some other bugs and checked again. It is called just once, also auth.log is only rotated once – Möhre Jul 01 '14 at 13:47
0

This is caused by having multiple filters in fail2ban monitoring the same log for different failregex combinations... Example: your filters for apache, badbots, and wordpress...

Find your jail file and run the following command: grep "/var/log/auth" jail.local

or something similar, it should show you three instances.

Matt
  • I checked this, but it's always the count of filters +1. I got 2 active filters using auth.log, but get 3 rotates atm. If I enable another one, it's getting rotated 4 times. So where's the hidden one? =) – Möhre Jan 14 '16 at 23:51
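
One way to make the comparison discussed in this answer and its comment repeatable, as an added example (not code from the thread): list the enabled jails in a jail file whose logpath matches auth.log, and count the "Log rotation detected" lines in fail2ban.log per timestamp. The jail names, both sample inputs and the function names are constructed assumptions, and the script reads only the one jail file it is given, not every config file fail2ban may merge.

```python
import configparser
import re
from collections import Counter
from fnmatch import fnmatch

# Constructed jail file; jail names and settings are illustrative only.
SAMPLE_JAIL = """\
[DEFAULT]
enabled = false
[ssh]
enabled = true
logpath = /var/log/auth.log
[ssh-ddos]
enabled = true
logpath = /var/log/auth*.log
[pam-generic]
logpath = /var/log/auth.log
"""

# Constructed lines in the fail2ban.log format quoted in the question.
SAMPLE_LOG = """\
2014-06-22 06:25:04,310 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-06-22 06:25:04,310 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-06-22 06:25:09,512 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/error.log
"""

ROTATION = re.compile(r"^(\S+ \S+) fail2ban\.filter\s*: INFO\s+Log rotation detected for (\S+)$")

def jails_watching(jail_text, path):
    """Names of enabled jails whose logpath (globs allowed) matches path."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(jail_text)
    return [name for name in cp.sections()
            if cp[name].getboolean("enabled", fallback=False)  # inherits [DEFAULT]
            and any(fnmatch(path, pat) for pat in cp[name].get("logpath", "").split())]

def rotation_messages(log_text, path):
    """Count 'Log rotation detected' lines for path, keyed by timestamp."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ROTATION.match(line)
        if m and m.group(2) == path:
            hits[m.group(1)] += 1
    return hits

if __name__ == "__main__":
    print("enabled jails:", jails_watching(SAMPLE_JAIL, "/var/log/auth.log"))
    print("messages per timestamp:", dict(rotation_messages(SAMPLE_LOG, "/var/log/auth.log")))
```

To use it on a real host, pass the contents of the jail file and of fail2ban.log instead of the constructed samples.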