EDR: Nginx access.log no longer rolling over and utilizing excessive disk space

Article ID: 284980

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • /var/log/cb/nginx/access.log has not rolled over for months and is several GB in size
  • A rotated access.log*.gz file exists alongside an uncompressed file with the same name, and both files are old
  • Manually running the job-runner job to roll over the logs logs an error in /var/log/cb/job-runner/job-runner.log stating that the .gz file already exists

Environment

  • EDR Server: All Versions
  • Linux: All Supported Versions

Cause

The original file was not properly deleted for some reason, so the rollover script keeps failing. This has also been observed with other log files, but not as frequently as with the nginx access log.

Resolution

  1. Delete the old .gz file and the related uncompressed file with the same name in /var/log/cb/nginx
    • Example: access.log-20210816.1629086402 and access.log-20210816.1629086402.gz
  2. Run the rollover job
    • sudo /usr/sbin/logrotate /etc/cb/cb-logrotate.conf
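
One way to locate the leftover pairs from step 1 before deleting anything, shown as an added example that is not part of the original article or of Carbon Black's tooling. The function names and the APPLY variable are assumptions made for this sketch; the directory and file-name pattern are the ones given above.

```sh
#!/bin/sh
# Added example: find rotated logs that exist both uncompressed and as .gz,
# the condition that makes the rollover fail because the .gz already exists.

# find_stale_pairs DIR [BASENAME]
# Prints the uncompressed path of every rotated file whose "<path>.gz" also
# exists. Returns 0 if at least one pair was found, 1 otherwise.
find_stale_pairs() {
    _dir="$1"
    _base="${2:-access.log}"
    _found=1
    for _gz in "$_dir"/"$_base"-*.gz; do
        [ -e "$_gz" ] || continue        # glob matched nothing
        _plain="${_gz%.gz}"
        if [ -f "$_plain" ]; then
            printf '%s\n' "$_plain"
            _found=0
        fi
    done
    return "$_found"
}

# remove_stale_pairs DIR [BASENAME]
# Dry run by default: prints what would be deleted.
# Set APPLY=1 to delete both files of each pair (step 1 of the Resolution).
remove_stale_pairs() {
    find_stale_pairs "$1" "${2:-access.log}" | while IFS= read -r _plain; do
        if [ "${APPLY:-0}" = "1" ]; then
            rm -f -- "$_plain" "$_plain.gz" && echo "removed: $_plain $_plain.gz"
        else
            echo "would remove: $_plain $_plain.gz"
        fi
    done
}

# Typical use on the EDR server (run as root):
#   remove_stale_pairs /var/log/cb/nginx            # review the dry-run output
#   APPLY=1 remove_stale_pairs /var/log/cb/nginx    # delete the pairs
#   /usr/sbin/logrotate /etc/cb/cb-logrotate.conf   # step 2: run the rollover
```

The live access.log and rotated .gz files without an uncompressed twin are left untouched. If the old access logs are still needed for retention or investigation, copy the pair elsewhere before running with APPLY=1.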

Additional Information

  • If running the script above doesn't work, or it stops on a specific line in the /var/lib/logrotate/logrotate.status file, it may be helpful to back up and remove the /var/lib/logrotate/logrotate.status file and then re-run the logrotate script mentioned above.