Logrotate functionality not working

Article ID: 439908

Products

VMware Telco Cloud Automation
VMware Telco Cloud Platform

Issue/Introduction

  • The logrotate.service systemd unit fails to start on a TCA node and shows the following status:

    × logrotate.service - Rotate log files
    Loaded: loaded (/usr/lib/systemd/system/logrotate.service; static)
    Active: failed (Result: exit-code) since Tue 2026-05-12 09:00:58 UTC
    TriggeredBy: ● logrotate.timer
    Process: ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=1/FAILURE)
     
  • Running logrotate --debug /etc/logrotate.conf produces one or more of the following errors:

    error: failed to open config file syslog: Permission denied
    error: found error in file syslog, skipping
    error: skipping "/var/log/vmware/capengine/core-engine.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root")
    error: skipping "/var/log/vmware/capengine/workflow-manager-http.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root")
    error: skipping "/var/log/vmware/messages" because parent directory has insecure permissions (It's world writable or writable by group which is not "root")
     
  • The /var/log/messages file grows until the partition is 100% full.

Environment

TCA 3.4
TCP 5.1

Cause

Two misconfigurations are introduced during TCA node deployment:

  1. /etc/logrotate.d/syslog has incorrect file permissions (600 instead of 644)

    The syslog logrotate config file is created with owner-only permissions (600), so no other user or group can read it. logrotate cannot open this file when running under its systemd service context and exits immediately with error code 1. All other config files in /etc/logrotate.d/ are correctly set to 644.

    -rw------- 1 root root 915 /etc/logrotate.d/syslog ← wrong: 600
    -rw-r--r-- 1 root root 516 /etc/logrotate.d/cap-update-service.lr
    -rw-r--r-- 1 root root 198 /etc/logrotate.d/cap-workflow-engine.lr
     
  2. /var/log/vmware/ and its subdirectories have world-writable permissions (0707)

    The VMware log directories are created during deployment with permissions drwx---rwx (0707). logrotate enforces a security check that refuses to rotate any log files inside a world-writable parent directory. This causes it to skip all VMware CAP engine logs and exit with error code 1.

    Access: (0707/drwx---rwx) /var/log/vmware/
    Access: (0707/drwx---rwx) /var/log/vmware/capengine/

Resolution

Perform the following steps on each affected TCA node as root.

 

  1. Confirm the issue:

    ls -la /etc/logrotate.d/syslog
    stat /var/log/vmware | grep -E "File:|Access:"

    The broken state shows 600 permissions on syslog and 0707 on the vmware directory (or its symlink target).
     
  2. Fix the syslog config file permissions:

    chmod 644 /etc/logrotate.d/syslog
     
  3. Fix the log directory permissions:

    Determine whether /var/log/vmware is a real directory or a symlink:

    stat /var/log/vmware
     
    • If it is a real directory (Access: (0707/drwx---rwx)), run:

      chmod 755 /var/log/vmware/ /var/log/vmware/capengine/ /var/log/vmware/agent/ /var/log/vmware/tca/
       
    • If it is a symlink (the output shows symbolic link and -> /logs/vmware), run:

      chmod 755 /logs/vmware/ /logs/vmware/capengine/ /logs/vmware/agent/ /logs/vmware/tca/
       
  4. Make the permission fix persistent across reboots (this step is optional; perform it if the fix was not retained after a system reboot):
     
    • If /var/log/vmware is a real directory, run:

      cat > /etc/tmpfiles.d/vmware-logdir.conf << 'EOF'
      d /var/log/vmware 0755 root root -
      d /var/log/vmware/capengine 0755 root root -
      d /var/log/vmware/agent 0755 root root -
      d /var/log/vmware/tca 0755 root root -
      EOF
      systemd-tmpfiles --create /etc/tmpfiles.d/vmware-logdir.conf
       
    • If /var/log/vmware is a symlink to /logs/vmware, run:

      cat > /etc/tmpfiles.d/vmware-logdir.conf << 'EOF'
      d /logs/vmware 0755 root root -
      d /logs/vmware/capengine 0755 root root -
      d /logs/vmware/agent 0755 root root -
      d /logs/vmware/tca 0755 root root -
      EOF
      systemd-tmpfiles --create /etc/tmpfiles.d/vmware-logdir.conf

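  5. Verify the rule applied without errors. Run echo $? immediately after the systemd-tmpfiles command from step 4, because it reports the exit status of the most recent command: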

    echo $?
    stat /var/log/vmware/ | grep Access

    Expected: exit code 0 and Access: (0755/drwxr-xr-x).
     
  6. Verify and restart the service:

    logrotate -v /etc/logrotate.conf 2>&1 | grep -iE "error|skipping"
    systemctl restart logrotate && systemctl status logrotate

    Expected output confirms the service completes successfully:

    Process: ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=0/SUCCESS)
    systemd[1]: Finished Rotate log files.

    The inactive (dead) active state is expected — logrotate is a oneshot service triggered by logrotate.timer and does not run as a persistent daemon.
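
The check from step 1 as a reusable, read-only audit, added here as an example (it is not part of the original article or of VMware tooling): it flags logrotate drop-ins whose mode is not 644 and directories that meet the condition quoted in the logrotate error (world-writable, or group-writable by a non-root group), following the /var/log/vmware symlink if one is present. The function names and the temporary sandbox tree are constructed for illustration, and GNU stat and readlink are assumed.

```shell
#!/bin/sh
# Added example: read-only audit for the two misconfigurations described above.
# Assumes GNU stat/readlink (Linux); function names are hypothetical.

# Exit 0 if logrotate would refuse to rotate inside $1: the directory is
# world-writable, or group-writable by a group other than root (gid 0).
dir_is_insecure() {
    d=$(readlink -f -- "$1") || return 2   # resolve e.g. /var/log/vmware -> /logs/vmware
    [ -d "$d" ] || return 2
    mode=$(stat -c '%a' -- "$d")
    gid=$(stat -c '%g' -- "$d")
    [ $(( 0$mode & 0002 )) -ne 0 ] && return 0
    [ $(( 0$mode & 0020 )) -ne 0 ] && [ "$gid" -ne 0 ] && return 0
    return 1
}

# Exit 0 if the logrotate drop-in $1 has the mode the article expects (644).
conf_mode_ok() {
    [ "$(stat -c '%a' -- "$1")" = 644 ]
}

# Print one finding per line: drop-ins under $1, then each directory argument.
audit() {
    confdir=$1; shift
    for f in "$confdir"/*; do
        [ -f "$f" ] || continue
        conf_mode_ok "$f" || echo "CONF $(stat -c '%a' -- "$f") $f"
    done
    for dir in "$@"; do
        if dir_is_insecure "$dir"; then
            echo "DIR $(stat -L -c '%a' -- "$dir") $dir"
        fi
    done
}

# Constructed sandbox reproducing the broken state; nothing outside it is touched.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/logrotate.d" "$t/logs/vmware/capengine" "$t/var/log"
    ln -s "$t/logs/vmware" "$t/var/log/vmware"
    : > "$t/etc/logrotate.d/syslog"; chmod 600 "$t/etc/logrotate.d/syslog"
    : > "$t/etc/logrotate.d/cap-update-service.lr"; chmod 644 "$t/etc/logrotate.d/cap-update-service.lr"
    chmod 0707 "$t/logs/vmware" "$t/logs/vmware/capengine"
    echo "$t"
}

demo=$(make_demo_tree)
audit "$demo/etc/logrotate.d" "$demo/var/log/vmware" "$demo/var/log/vmware/capengine"
rm -rf "$demo"
```

On a node, the same audit function can be pointed at /etc/logrotate.d and the directories named in step 3; empty output means neither condition is present.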

Additional Information

Some "skipping" lines may remain in the logrotate verbose output after applying the fix, for example:

log /var/log/warn does not exist -- skipping
log /var/log/mail does not exist -- skipping
log /var/log/vmware/messages does not exist -- skipping

These are not errors. They indicate log files that are referenced in the syslog config but have not been created on this node because the corresponding services (mail, syslog forwarding) are not active.