
Nginx SSL access logs not rotated according to GUI settings -- fail2ban suffers

G J Piper

TITLE:
Nginx SSL access logs not rotated according to GUI settings -- fail2ban suffers
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk Onyx 17.5.3 mu#20
CentOS 6.9 (final)
Nginx as a reverse-proxy
PROBLEM DESCRIPTION:
The log-rotation settings file for each domain, as set in the GUI, is found here:
/usr/local/psa/etc/logrotate.d/domain.ext

It contains this group of settings, which are configurable in the GUI, mostly:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
/var/www/vhosts/system/domain.ext/logs/*.processed {
size=5120000
rotate 10
compress
missingok
}
/var/www/vhosts/system/domain.ext/logs/error_log {
size=5120000
rotate 10
compress
missingok
copytruncate
}
/var/www/vhosts/system/domain.ext/logs/proxy_error_log {
size=5120000
rotate 10
compress
missingok
copytruncate
}


However, all the domains also write to this other log file, which can grow unchecked:
/var/www/vhosts/system/domain.ext/logs/proxy_access_ssl_log

We need this fixed. This is causing huge nginx SSL access log files that eventually crash fail2ban.

Shouldn't these domain-specific settings files also contain this?:

/var/www/vhosts/system/domain.ext/logs/proxy_access_ssl_log {
size=5120000
rotate 10
compress
missingok
copytruncate
}


See screenshot of logs:

screenshot-of-logs.jpg
STEPS TO REPRODUCE:
Observe the subscription nginx SSL access log file over a 24-hour period to see that it grows way beyond the log settings set in the GUI for the domain subscription.
ACTUAL RESULT:
Log file is allowed to grow unchecked except for log rotation every 24 hours or so.
EXPECTED RESULT:
Log file should be rotated along with all the other log files according to subscription log settings.
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
Another note:
The settings the GUI creates set "size=1234567" (example number), but the correct format is "size 12345".

Also, it shouldn't really be "size 123456" anyway. Since you are given the choice of "by size" or "by time" in the GUI, "maxsize 12345" should be used instead.

"size 12345" only modifies a "by time" setting, allowing it to rotate on a time period only if over the size selected.
"maxsize 12345" forces the log to rotate at a given size regardless of the time period, which is what you want.
 
I can verify that things start working properly when the /usr/local/psa/etc/logrotate.d/domain.ext log settings file is properly set up like this:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
/var/www/vhosts/system/domain.ext/logs/*.processed {
maxsize 4096000
rotate 3
compress
missingok
copytruncate
maxage 90
}
/var/www/vhosts/system/domain.ext/logs/error_log {
maxsize 4096000
rotate 3
compress
missingok
copytruncate
maxage 90
}
/var/www/vhosts/system/domain.ext/logs/proxy_error_log {
maxsize 4096000
rotate 3
compress
missingok
copytruncate
maxage 90
}

/var/www/vhosts/system/domain.ext/logs/proxy_access_ssl_log {
maxsize 4096000
rotate 3
compress
missingok
copytruncate
maxage 90
}


(adding the maxage 90 removes log files that remain at zero-length for more than 90 days)


In fact, after extensive testing on my server, it looks like you could simplify the GUI-generated settings for each domain by using just this, covering all the log files each domain uses:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
/var/www/vhosts/system/domain.ext/logs/*.processed {
maxsize 512000
rotate 5
compress
missingok
copytruncate
maxage 90
}
/var/www/vhosts/system/domain.ext/logs/*_log {
maxsize 512000
rotate 5
compress
missingok
copytruncate
maxage 90
}





 
So do you just modify that file as you said?........I thought it was generated and your changes would be lost?

z
 
So do you just modify that file as you said?........I thought it was generated and your changes would be lost?

Yes, I just modified the file manually:
This file: /usr/local/psa/etc/logrotate.d/domain.ext
gets this:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
/var/www/vhosts/system/domain.ext/logs/*.processed {
maxsize 512000
rotate 5
compress
missingok
copytruncate
maxage 90
}
/var/www/vhosts/system/domain.ext/logs/*_log {
maxsize 512000
rotate 5
compress
missingok
copytruncate
maxage 90
}


Unfortunately you are correct that my changes will be overwritten if I do anything in that setting in the GUI, or if Plesk rebuilds its settings files in an upgrade. This is why it needs to be addressed by the Plesk Admins and hopefully added as a fix to this issue.
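
An added example, not part of the original posts and not Plesk code: a Python check that parses a per-domain logrotate file and reports which log files in the vhost log directory no stanza covers, plus which stanzas lack the `maxsize` directive the posts above report as working. The helper names and the `.processed` file name are constructed for illustration, and the parser assumes simple unquoted paths like those quoted in this thread.

```python
import fnmatch
import posixpath
import re

LOGDIR = "/var/www/vhosts/system/domain.ext/logs"

def stanza(pattern, *directives):
    """Build one logrotate stanza for a file pattern inside LOGDIR."""
    return f"{LOGDIR}/{pattern} {{\n" + "\n".join(directives) + "\n}\n"

# The GUI-generated file as quoted in the first post (header comments omitted).
GENERATED = (
    stanza("*.processed", "size=5120000", "rotate 10", "compress", "missingok")
    + stanza("error_log", "size=5120000", "rotate 10", "compress", "missingok", "copytruncate")
    + stanza("proxy_error_log", "size=5120000", "rotate 10", "compress", "missingok", "copytruncate")
)

# Constructed directory listing; in practice use os.listdir() on the logs directory.
LOG_FILES = [f"{LOGDIR}/{n}" for n in
             ("access_ssl_log.processed", "error_log", "proxy_error_log", "proxy_access_ssl_log")]

def parse_stanzas(text):
    """Return [(patterns, directives)] for each 'path ... { ... }' stanza."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    stanzas = []
    for m in re.finditer(r"([^{}]+)\{([^{}]*)\}", body):
        directives = {}
        for line in m.group(2).splitlines():
            # Accept both "size 123" and "size=123" so either form is recorded.
            parts = re.split(r"[\s=]+", line.strip(), maxsplit=1)
            if parts[0]:
                directives[parts[0]] = parts[1] if len(parts) > 1 else True
        stanzas.append((m.group(1).split(), directives))
    return stanzas

def covered(path, pattern):
    """Glob-style match: same directory, wildcard applied to the file name only."""
    return (posixpath.dirname(path) == posixpath.dirname(pattern)
            and fnmatch.fnmatchcase(posixpath.basename(path), posixpath.basename(pattern)))

def audit(conf_text, log_paths):
    """Return (log files matched by no stanza, stanzas without maxsize)."""
    stanzas = parse_stanzas(conf_text)
    uncovered = [p for p in log_paths
                 if not any(covered(p, pat) for pats, _ in stanzas for pat in pats)]
    no_maxsize = [pats[0] for pats, d in stanzas if "maxsize" not in d]
    return uncovered, no_maxsize

if __name__ == "__main__":
    print(audit(GENERATED, LOG_FILES))
```

Run against the generated file, it reports `proxy_access_ssl_log` as uncovered; run against the two-stanza `*_log` version from the posts, it reports nothing.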
 