The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

mod_security hits not showing up in WHM

Discussion in 'Security' started by harrisj, Jul 18, 2007.

  1. harrisj

    harrisj Registered
    PartnerNOC

    Joined:
    Oct 10, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    For some reason or another, mod_security hits aren't showing up in the WHM after a certain day. They do however show up in the audit_log. Anybody have any insight?
     
  2. chae

    chae Well-Known Member

    Joined:
    Apr 19, 2003
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Auckland, New Zealand
    I can confirm this also, all our servers stopped showing WHM mod_security logs yet LSF can still read the log files as we can via shell. Log reports in WHM seemed to have stopped logging at different dates on each server.
     
  3. DReade83

    DReade83 Well-Known Member

    Joined:
    Oct 20, 2006
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Cheshire, UK
    I had the same issue not so long ago. Had to log a ticket with cPanel Support to get it fixed.

    At first they suggested un- and re-installing mod_security via the Plugins option in WHM. That didn't work, so I then received the following reply:

    Code:
    Hello,
    
    This should be working now.  For some reason the installer was not moving modsecparse.pl to /usr/local/cpanel/addons and adding the root cron to call this command every hour.  This script is what dumps the logs into the WHM Manager >> ModSecurity part.
    
    Please confirm how this is working for you.  Thank you.
    --
    Kyle Pinkley
    Technical Support
    cPanel
    This resolved the issue and it's been working ever since.

    I can confirm though ever since the upgrade to cPanel 11, this issue has been present!
     
  4. chae

    chae Well-Known Member

    Joined:
    Apr 19, 2003
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Auckland, New Zealand
    Ours all stopped working on version 10, even with the upgrade to 11 last week it still hasn't worked.

    # locate modsecparse.pl
    /usr/local/cpanel/modules-install/modsecurity-Linux-i686/modsecparse.pl
    /etc/cron.hourly/modsecparse.pl
    #

    Even if we call the script directly the logs never update !!! May have to get support to look into it
     
  5. Freezer

    Freezer Well-Known Member

    Joined:
    Jun 13, 2005
    Messages:
    120
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Den Haag
    Please submit a ticket about this to get it fixed.
     
  6. BlackRain

    BlackRain Well-Known Member

    Joined:
    May 28, 2003
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I can confirm that our Mod Security logs have also stopped updating in WHM. Mod security logs are viewable but don't show in WHM.

    Reinstalled Mod Security did not fix the problem. Currently running WHM 11.2.0 cPanel 11.8.0-C15921

    Confirmed modsecparse.pl does not appear in /usr/local/cpanel/addons
     
    #6 BlackRain, Aug 9, 2007
    Last edited: Aug 9, 2007
  7. JamesCTotalWeb

    JamesCTotalWeb Well-Known Member

    Joined:
    Mar 20, 2005
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Well I guess I should chime in seeing how our's have stoped too ...... even tho LFD is working just fine no changes in the log files show up in WHM
     
  8. fenixer

    fenixer Well-Known Member

    Joined:
    Feb 23, 2007
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    Just the same here......

    I can exec /etc/cron.hourly/modsecparse.pl with success and no errors....... but WHM modsec logs keeps frozen, so I realize the /etc/cron.hourly/modsecparse.pl is not doing nothing at all, although audit_log is correct and the privileges are also correct as well as the db config...

    Anyone reported a bug into bugzilla??? because we are several users with exactly the same problem...
     
  9. Danny_T

    Danny_T Well-Known Member

    Joined:
    Jul 19, 2005
    Messages:
    181
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Netherlands
    We got that problem too.

    root@hyperion [~]# /etc/cron.hourly/modsecparse.pl
    root@hyperion [~]# /usr/local/cpanel/addons/modsecparse.pl
    DBI connect('modsec:localhost','modsec',...) failed: Access denied for user 'modsec'@'localhost' (using password: NO) at /usr/local/cpanel/addons/modsecparse.pl line 18
    root@hyperion [~]#
     
    #9 Danny_T, Aug 27, 2007
    Last edited: Aug 27, 2007
  10. fenixer

    fenixer Well-Known Member

    Joined:
    Feb 23, 2007
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    Ok......... mmmmmmmmmmmm

    It seems like modsecparse.pl is doing well, since I go into phpmyadmin to check database MODSEC.........

    The logs there are quite updated.... the data is constantly introduced into Mysql db modsec....

    So the question is: ¿why WHM does not show the new data?

    I went to phpmyadmin again and just truncated the database keeping estructure.....

    I have done some 403 errors, and exec manually modsecparse.pl.......... now the data was imported into database and showed great at WHM...... so........

    ¿was the database corrupted or something similar? ¿is really the sollution truncating modsec database after the last updates of Cpanel?
     
  11. fenixer

    fenixer Well-Known Member

    Joined:
    Feb 23, 2007
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    Well I guess finally the problem is located at the:
    https://myserver:2087/cgi/addon_modsec.cgi

    The cgi is quite awful, since is not showing the modsec database records in a logical order (the last one is the first you see, obviously)

    I thought the system was not running ok, but if I search for a new record (the last one) placed at modsec database, by example by IP, the WHM shows it to me....

    The modsecparse.pl is running ok (introducing new data at database modsec) and the database is also alright.... it seems like the problems are located at addon_modsec.cgi of WHM

    Can you confirm?
     
    #11 fenixer, Aug 27, 2007
    Last edited: Aug 27, 2007
  12. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    I can confirm that .. look at http://forums.cpanel.net/showthread.php?t=66756
     
  13. karlos

    karlos Member

    Joined:
    Oct 1, 2003
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    0
    Hello,

    I had the same problem and after submit a ticket seems like the problem is in

    /usr/local/cpanel/whostmgr/docroot/cgi/addon_modsec.cgi

    to fix the error remove the id field quotes in the query

    $querystmnt = q{1 ORDER BY 'id' DESC LIMIT 0,30};

    just like this

    $querystmnt = q{1 ORDER BY id DESC LIMIT 0,30};


    This work for me.

    Karlos
     
  14. chae

    chae Well-Known Member

    Joined:
    Apr 19, 2003
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Auckland, New Zealand
    Karlos...

    Thanks for that got mine working again :D
     
  15. S-Combs

    S-Combs Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Thank you karlos

    That fixed it for me also
     
  16. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    This is fixing mine too... thanks karlos :D
     
  17. bryanabhay

    bryanabhay Active Member

    Joined:
    Aug 14, 2006
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    Thank you very much Karlos it also helped me

    three cheears.
     
  18. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    thanx Karlos

    solves mine too.

    thanx Karlos

    how about having thread title starting with [SOLVED]
    it will help other people looking for it. :D

    mohit
     
  19. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    fixed, cpanel should correct the ' ' comma issue in the next updates for addon_modsec.cgi
     
  20. Bulent Tekcan

    Bulent Tekcan Well-Known Member

    Joined:
    May 11, 2004
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
    Fixed here too :) thanks
     
Loading...

Share This Page