
How to fix issue with log rotation [Kaspersky Web Traffic Security]



Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Issue:

Some log files in KWTS take up a lot of disk space because log rotation does not work for these files.


Information

Log size limits and rotation settings are defined in the files in the /etc/logrotate.d folder on the KWTS server.

Each log file should be no larger than the size listed below:

| Log file | Described in | Maximum size |
|---|---|---|
| All files in /var/log/kaspersky/kwts/extra/ | /etc/logrotate.d/kwts | 100 MB |
| /var/log/kwts-messages | /etc/logrotate.d/kwts-syslog | 500 MB |
| /var/log/kwts-important | /etc/logrotate.d/kwts-syslog | 50 MB |
| /var/log/kwts-traces | /etc/logrotate.d/kwts-syslog | 500 MB |
| /var/log/nginx/access.log | /etc/logrotate.d/nginx | 100 MB |
| /var/log/nginx/error.log | /etc/logrotate.d/nginx | 20 MB |
| /var/log/squid/icap.log | /etc/logrotate.d/squid | 100 MB |
| /var/log/squid/ssl.log | /etc/logrotate.d/squid | 100 MB |
| /var/log/squid/squid.out | /etc/logrotate.d/squid | 10 MB |
| /var/log/squid/cache.log | /etc/logrotate.d/squid | 500 MB |
| /var/log/squid/access.log | /etc/logrotate.d/squid | 500 MB |
| /var/log/messages | /etc/logrotate.d/syslog | 100 MB |
| /var/log/cron | /etc/logrotate.d/syslog | 10 MB |
| /var/log/maillog | /etc/logrotate.d/syslog | 10 MB |
| /var/log/secure | /etc/logrotate.d/syslog | 20 MB |
| /var/log/spooler | /etc/logrotate.d/syslog | 1 MB |


How to fix

Actual result

The kwts-traces log file has grown to 4 GB.

Expected result

The kwts-traces file is no larger than 500 MB.

How to fix 

  1. Be prepared to reboot the server; it will not process traffic while it is rebooting. You also need SSH access to the KWTS server - https://support.kaspersky.com/KWTS/6.1/en-US/183526.htm
  2. Make sure that the trace level is set to "Error" - https://support.kaspersky.com/KWTS/6.1/en-US/174877.htm
  3. Delete the largest log files (in our case, /var/log/kwts-traces).
  4. If you need to free additional disk space, you can delete large archive files if you are sure that you do not need the information in them.
  5. Reboot the KWTS server and make sure that the deleted large files (/var/log/kwts-traces) are recreated.
  6. Use the table above to find which file describes kwts-traces rotation. It is kwts-syslog.
  7. Execute the following command:
    logrotate -f -v /etc/logrotate.d/kwts-syslog &> logrotatef.log
  8. Make sure that all log files described in the /etc/logrotate.d/kwts-syslog file were rotated. (The table above shows which log files are described in this file.)

What's next

Monitor the previously broken files (kwts-traces) to make sure they do not exceed 500-600 MB. If a file continues to grow and is already 700 MB or more, run the command:

/usr/sbin/logrotate -v -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf &> logrotatestatus.log

Then send the logrotatef.log file created by the forced rotation command above and the logrotatestatus.log file to Kaspersky Support.

Also send diagnostic information collected at the "Debug" level. Do not forget to change the level back to "Error" afterwards - https://support.kaspersky.com/KWTS/6.1/en-US/174877.htm
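
The monitoring described above can be scripted. This is an added example, not part of the original article or of Kaspersky's tooling: a POSIX shell check that compares every log in the table with its limit and names the logrotate config to use for a forced rotation. The function names, the output format, the "--run" argument and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Kaspersky code). Data below is copied from the article's table.
# Columns: log path, logrotate config that describes it, size limit in MB.
# A path ending in "/" means every regular file in that directory.
LIMITS='/var/log/kaspersky/kwts/extra/ /etc/logrotate.d/kwts 100
/var/log/kwts-messages /etc/logrotate.d/kwts-syslog 500
/var/log/kwts-important /etc/logrotate.d/kwts-syslog 50
/var/log/kwts-traces /etc/logrotate.d/kwts-syslog 500
/var/log/nginx/access.log /etc/logrotate.d/nginx 100
/var/log/nginx/error.log /etc/logrotate.d/nginx 20
/var/log/squid/icap.log /etc/logrotate.d/squid 100
/var/log/squid/ssl.log /etc/logrotate.d/squid 100
/var/log/squid/squid.out /etc/logrotate.d/squid 10
/var/log/squid/cache.log /etc/logrotate.d/squid 500
/var/log/squid/access.log /etc/logrotate.d/squid 500
/var/log/messages /etc/logrotate.d/syslog 100
/var/log/cron /etc/logrotate.d/syslog 10
/var/log/maillog /etc/logrotate.d/syslog 10
/var/log/secure /etc/logrotate.d/syslog 20
/var/log/spooler /etc/logrotate.d/syslog 1'

# check_one FILE LABEL CONFIG LIMIT_MB: print one line if FILE exceeds LIMIT_MB.
check_one() {
    [ -f "$1" ] && [ -r "$1" ] || return 0
    bytes=$(( $(wc -c < "$1") ))
    if [ "$bytes" -gt $(( $4 * 1048576 )) ]; then
        echo "$2 $(( bytes / 1048576 ))MB limit=${4}MB config=$3"
    fi
}

# oversized_logs [ROOT]: list every log over its limit, in table order.
# ROOT is a hypothetical prefix (empty on a live server) for checking a copied tree.
oversized_logs() {
    root=${1:-}
    printf '%s\n' "$LIMITS" | while read -r path config limit; do
        case $path in
            */) for f in "$root$path"*; do
                    check_one "$f" "$path${f##*/}" "$config" "$limit"
                done ;;
            *)  check_one "$root$path" "$path" "$config" "$limit" ;;
        esac
    done
}

# Check the live filesystem only when invoked with the (assumed) "--run" argument.
if [ "${1:-}" = "--run" ]; then oversized_logs; fi
```

Each output line names the config file to pass to `logrotate -f -v`, as in step 7; an empty result means every listed log is within its limit.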
