Knowledge Base

ModSecurity log /var/log/modsec_audit.log on Plesk server does not rotate properly

Symptoms

The /var/log/modsec_audit.log file does not rotate properly.

As a result, it affects free disk space.

Cause

The /etc/logrotate.d/mod_security log rotation script is missing or corrupted.

Resolution

Connect to the server via SSH.
Check if the /etc/logrotate.d/mod_security log rotation script file exists and have the correct permissions:

# stat /etc/logrotate.d/mod_security | grep “Access: (“

Access: (0644/-rw-r–r–) Uid: ( 0/ root) Gid: ( 0/ root)
In case the /etc/logrotate.d/mod_security file is missing, create it with the following content:

# vi /etc/logrotate.d/mod_security

/var/log/modsec_audit.log {
daily
rotate 7
missingok
compress
postrotate
/sbin/service httpd reload > /dev/null 2>/dev/null || true
endscript
}
Set proper permissions to the /etc/logrotate.d/mod_security file:

# chmod 0644 /etc/logrotate.d/mod_security

Additional information

CentOS 6 only:

The /etc/logrotate.d/mod_security file is removed by ModSecurity itself (Plesk does not perform such action) after switching the Web application firewall mode directive under Tools & Settings > Web Application Firewall (ModSecurity) to Detection only or On mode at the first time right after the module installation.

The manually created /etc/logrotate.d/mod_security file will not be removed after further switchings Web application firewall mode directive to any mode.

Related Posts

CentOS Project Announces Early End-of-Life Date for CentOS 8

How to Install and Configure CSF

Manage and Sign Documents on your Plesk Server with cloudplan

Knowledge Base

Unable to start Apache on a Plesk server: No matches for the wildcard ‘*.conf’ in

Unable to upload file to the website: Request body no files data length is larger than the configured limit

How to enable gzip compression in Apache on Plesk server?

How to configure the passive ports range for ProFTPd on a Plesk server behind a firewall

Hosting Wiki