EDR: Nginx access.log no longer rolling over and utilizing excessive disk space
Article ID: 284980
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
/var/log/cb/nginx/access.log has not rolled over for months and is several GB in size
There is an access.log*.gz file with the same name as an uncompressed file, and both files are old
Manually running the job-runner job to roll over logs produces an error in /var/log/cb/job-runner/job-runner.log about the .gz file already existing
Environment
EDR Server: All Versions
Linux: All Supported Versions
Cause
The original file was not properly deleted for some reason and the rollover script keeps failing. This has also been observed with other log files but not as frequently as with the nginx access log.
Resolution
Delete the old .gz file and the related uncompressed file with the same name in /var/log/cb/nginx
Ex. access.log-20210816.1629086402 and access.log-20210816.1629086402.gz
If running the logrotate script doesn't work, or it stops on a specific line in the /var/lib/logrotate/logrotate.status file, it may be helpful to back up/remove the /var/lib/logrotate/logrotate.status file and then attempt to re-run the logrotate script.
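
Added example (not part of the original article or of Carbon Black tooling): a read-only shell check that lists rotated files that exist both uncompressed and as .gz, which is the pair the Resolution says to delete. The function names are hypothetical, and the check goes slightly beyond the article by accepting any directory and base name, since the Cause section notes that other log files can be affected.

```bash
#!/usr/bin/env bash
# Added example: find rotated logs that exist both uncompressed and as .gz.
# Read-only: it prints candidates for review and deletes nothing.
# Function names are hypothetical; default path and base name come from the article.

# find_stale_pairs [DIR] [BASENAME]
# Prints one line per uncompressed rotated file (BASENAME-*) that also has a
# sibling .gz of the same name, the state in which the rollover keeps failing.
find_stale_pairs() {
    local dir="${1:-/var/log/cb/nginx}"
    local base="${2:-access.log}"
    local f
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/"$base"-*; do
        [ -f "$f" ] || continue              # glob matched nothing
        case "$f" in *.gz) continue ;; esac  # start from the uncompressed half
        if [ -f "$f.gz" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# report_stale_pairs [DIR] [BASENAME]
# Same search, showing size and modification time of both halves so the
# operator can confirm the files are old before removing them by hand.
report_stale_pairs() {
    local f
    find_stale_pairs "$@" | while IFS= read -r f; do
        ls -l -- "$f" "$f.gz"
    done
}
```

Run `report_stale_pairs` as a user that can read /var/log/cb/nginx; an empty result means no uncompressed/.gz pair with a matching name is present.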