ModSecurity log /var/log/modsec_audit.log on Plesk server does not rotate properly

Symptoms

The /var/log/modsec_audit.log file does not rotate properly.

As a result, it affects free disk space.

Cause

The /etc/logrotate.d/mod_security log rotation script is missing or corrupted.

Resolution

1. Connect to the server via SSH.

2. Check if the /etc/logrotate.d/mod_security log rotation script file exists and have the correct permissions:

   # stat /etc/logrotate.d/mod_security | grep “Access: (“

   Access: (0644/-rw-r–r–) Uid: ( 0/ root) Gid: ( 0/ root)

3. In case the /etc/logrotate.d/mod_security file is missing, create it with the following content:

   # vi /etc/logrotate.d/mod_security

   /var/log/modsec_audit.log {
   daily
   rotate 7
   missingok
   compress
   postrotate
   /sbin/service httpd reload > /dev/null 2>/dev/null || true
   endscript
   }

4. Set proper permissions to the /etc/logrotate.d/mod_security file:

   # chmod 0644 /etc/logrotate.d/mod_security

Additional information

• CentOS 6 only:

  The /etc/logrotate.d/mod_security file is removed by ModSecurity itself (Plesk does not perform such action) after switching the Web application firewall mode directive under Tools & Settings > Web Application Firewall (ModSecurity) to Detection only or On mode at the first time right after the module installation.

  The manually created /etc/logrotate.d/mod_security file will not be removed after further switchings Web application firewall mode directive to any mode.