mod_security hits not showing up in WHM

harrisj

For some reason or another, mod_security hits aren't showing up in the WHM after a certain day. They do however show up in the audit_log. Anybody have any insight?
 

chae

I can confirm this also, all our servers stopped showing WHM mod_security logs yet LSF can still read the log files as we can via shell. Log reports in WHM seemed to have stopped logging at different dates on each server.
 

DReade83

I had the same issue not so long ago. Had to log a ticket with cPanel Support to get it fixed.

At first they suggested un- and re-installing mod_security via the Plugins option in WHM. That didn't work, so I then received the following reply:

Code:
Hello,

This should be working now.  For some reason the installer was not moving modsecparse.pl to /usr/local/cpanel/addons and adding the root cron to call this command every hour.  This script is what dumps the logs into the WHM Manager >> ModSecurity part.

Please confirm how this is working for you.  Thank you.
--
Kyle Pinkley
Technical Support
cPanel
This resolved the issue and it's been working ever since.

I can confirm though ever since the upgrade to cPanel 11, this issue has been present!
 

chae

Ours all stopped working on version 10, even with the upgrade to 11 last week it still hasn't worked.

# locate modsecparse.pl
/usr/local/cpanel/modules-install/modsecurity-Linux-i686/modsecparse.pl
/etc/cron.hourly/modsecparse.pl
#

Even if we call the script directly the logs never update !!! May have to get support to look into it
 

Freezer

> Ours all stopped working on version 10, even with the upgrade to 11 last week it still hasn't worked.
>
> # locate modsecparse.pl
> /usr/local/cpanel/modules-install/modsecurity-Linux-i686/modsecparse.pl
> /etc/cron.hourly/modsecparse.pl
> #
>
> Even if we call the script directly the logs never update !!! May have to get support to look into it

Please submit a ticket about this to get it fixed.
 

BlackRain

I can confirm that our Mod Security logs have also stopped updating in WHM. Mod security logs are viewable but don't show in WHM.

Reinstalling Mod Security did not fix the problem. Currently running WHM 11.2.0 cPanel 11.8.0-C15921

Confirmed modsecparse.pl does not appear in /usr/local/cpanel/addons
 

fenixer

Just the same here......

[email protected] [/usr/local/cpanel/addons]# locate modsecparse.pl
/etc/cron.hourly/modsecparse.pl
/usr/local/cpanel/modules-install/modsecurity-Linux-i686/modsecparse.pl
I can exec /etc/cron.hourly/modsecparse.pl with success and no errors....... but the WHM modsec logs stay frozen, so I realize /etc/cron.hourly/modsecparse.pl is not doing anything at all, although audit_log is correct and the privileges are also correct, as well as the db config...

Has anyone reported a bug in Bugzilla??? Because several of us have exactly the same problem...
 

Danny_T

We got that problem too.

[email protected] [~]# /etc/cron.hourly/modsecparse.pl
[email protected] [~]# /usr/local/cpanel/addons/modsecparse.pl
DBI connect('modsec:localhost','modsec',...) failed: Access denied for user 'modsec'@'localhost' (using password: NO) at /usr/local/cpanel/addons/modsecparse.pl line 18
[email protected] [~]#
 

fenixer

Ok......... mmmmmmmmmmmm

It seems like modsecparse.pl is doing well, since I went into phpMyAdmin to check the MODSEC database.........

The logs there are quite up to date.... the data is constantly being inserted into the MySQL db modsec....

So the question is: why does WHM not show the new data?

I went to phpMyAdmin again and just truncated the database, keeping the structure.....

I triggered some 403 errors and ran modsecparse.pl manually.......... now the data was imported into the database and showed up fine in WHM...... so........

Was the database corrupted or something similar? Is the solution really to truncate the modsec database after the last cPanel updates?
 

fenixer

Well I guess finally the problem is located at the:
https://myserver:2087/cgi/addon_modsec.cgi

The cgi is quite awful, since it is not showing the modsec database records in a logical order (the last one is the first you see, obviously)

I thought the system was not running ok, but if I search for a new record (the last one) placed in the modsec database, for example by IP, the WHM shows it to me....

The modsecparse.pl is running ok (inserting new data into the modsec database) and the database is also alright.... it seems like the problem is located in addon_modsec.cgi of WHM

Can you confirm?
 

isputra

> Well I guess finally the problem is located at the:
> https://myserver:2087/cgi/addon_modsec.cgi
>
> The cgi is quite awful, since it is not showing the modsec database records in a logical order (the last one is the first you see, obviously)
>
> I thought the system was not running ok, but if I search for a new record (the last one) placed in the modsec database, for example by IP, the WHM shows it to me....
>
> The modsecparse.pl is running ok (inserting new data into the modsec database) and the database is also alright.... it seems like the problem is located in addon_modsec.cgi of WHM
>
> Can you confirm?

I can confirm that .. look at http://forums.cpanel.net/showthread.php?t=66756
 

karlos

Hello,

I had the same problem and, after submitting a ticket, it seems like the problem is in

/usr/local/cpanel/whostmgr/docroot/cgi/addon_modsec.cgi

To fix the error, remove the quotes around the id field in the query

$querystmnt = q{1 ORDER BY 'id' DESC LIMIT 0,30};

just like this

$querystmnt = q{1 ORDER BY id DESC LIMIT 0,30};


This worked for me.

Karlos
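
Why the quotes matter, shown as an added example that is not part of the original thread or of cPanel's code: in SQL a single-quoted 'id' is a string literal, so every row gets the same sort key and `LIMIT 0,30` returns an unspecified 30 rows rather than the newest ones. SQLite stands in for the MySQL modsec database here, and the table name, columns and sample rows are constructed assumptions.

```python
import sqlite3

# The two query tails from the post above, unchanged.
QUOTED = "1 ORDER BY 'id' DESC LIMIT 0,30"
FIXED = "1 ORDER BY id DESC LIMIT 0,30"


def build_db(rows=100):
    """Constructed stand-in for the modsec log table (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE modsec (id INTEGER PRIMARY KEY, ip TEXT, msg TEXT)")
    db.executemany(
        "INSERT INTO modsec (id, ip, msg) VALUES (?, ?, ?)",
        [(i, f"192.0.2.{i % 250 + 1}", f"constructed hit {i}") for i in range(1, rows + 1)],
    )
    return db


def page(db, tail):
    """Return the ids the listing page would show for a given query tail."""
    return [row[0] for row in db.execute("SELECT id FROM modsec WHERE " + tail)]


def distinct_sort_keys(db, order_expr):
    """Count distinct values of the ORDER BY expression (fixed literals only)."""
    sql = f"SELECT COUNT(DISTINCT {order_expr}) FROM modsec"
    return db.execute(sql).fetchone()[0]


def find_by_ip(db, ip):
    """Search path: a WHERE filter finds a new row regardless of sort order."""
    return [row[0] for row in db.execute("SELECT id FROM modsec WHERE ip = ?", (ip,))]


if __name__ == "__main__":
    db = build_db()
    print("sort keys for 'id':", distinct_sort_keys(db, "'id'"))
    print("sort keys for id:  ", distinct_sort_keys(db, "id"))
    print("quoted page:", page(db, QUOTED)[:5], "...")
    print("fixed page: ", page(db, FIXED)[:5], "...")
    print("search newest by IP:", find_by_ip(db, "192.0.2.101"))
```

This also matches the earlier observation in the thread that new records were in the database and could be found by searching on IP while the default listing looked frozen.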
 

isputra

> Hello,
>
> I had the same problem and, after submitting a ticket, it seems like the problem is in
>
> /usr/local/cpanel/whostmgr/docroot/cgi/addon_modsec.cgi
>
> To fix the error, remove the quotes around the id field in the query
>
> $querystmnt = q{1 ORDER BY 'id' DESC LIMIT 0,30};
>
> just like this
>
> $querystmnt = q{1 ORDER BY id DESC LIMIT 0,30};
>
> This worked for me.
>
> Karlos

This is fixing mine too... thanks karlos :D
 

mohit

thanx Karlos

solves mine too.

thanx Karlos

how about having thread title starting with [SOLVED]
it will help other people looking for it. :D

mohit
 

bsasninja

fixed, cpanel should correct the ' ' comma issue in the next updates for addon_modsec.cgi