ModSecurity audit log size growing continuously

stormy

With cPanel 11.46 and the new ModSecurity tools, modsecparse.pl became deprecated.

However, this means that the modsecurity audit log is now growing forever:
/usr/local/apache/logs/modsec_audit.log

Mine is 1.5G already, and it starts in November.

How can I fix this?
 

quizknows

For now, if you don't need the data, you can easily truncate the file from a shell. Simply:

cat /dev/null > /usr/local/apache/logs/modsec_audit.log

This will erase the file but leave it in place for new entries.
 

XxUnkn0wnxX

Or you can go to cPanel/WHM, then mod security config, and set the "Only log noteworthy transactions." option to on.

Or you can completely disable it from there if you wish.

Mine was growing so fast because I had it set to log everything, including the HTTP 200 OK messages.
 

kdean

I just added a "modsec" document to /etc/logrotate.d/ to set it like the other apache logs.

Be sure to customize as needed.

"modsec" contents:
Code:
/usr/local/apache/logs/modsec_audit.log {
    weekly
    size 25M
    rotate 14
    compress
    missingok
    notifempty
    sharedscripts
    olddir archive
    postrotate
         /scripts/restartsrv_apache > /dev/null 2>/dev/null || true
    endscript
}
 

cPanelMichael

New Over 11.50 - build 29 and there is no rotation for this yet :-(
Per the update to the feature request:

In cPanel & WHM version 11.50 we are adding a logrotate configuration for the main mod_security audit log. In addition we updated our log rotation daemon, cpanellogd, to handle the per user log files when using mod_ruid2.
You will see this configured in the following file:

Code:
/usr/local/cpanel/etc/logrotate.d/modsecurity_logs
Thank you.
 

manokiss

Thanks! Any reason you did not add this in the WHM log rotation section or Apache log rotation section?
 

cPanelMichael


quizknows

I can think of plenty of reasons people would want to keep modsec audit log data. It's incredibly valuable for investigating security incidents or generating attack statistics. While the vast majority of users would probably want it rotated, I see no reason why it should not be added to "Home > Service Configuration > Apache Configuration > Log Rotation" seeing as the modsec debug log is already there anyway.
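
For the incident-investigation and attack-statistics use mentioned in the post above, a summary can be pulled from the audit log before it is rotated or truncated. This is an added example, not part of the original thread or of cPanel's tooling; it assumes the serial audit log format, and the sample entries, rule ids and addresses are constructed.

```python
import re
from collections import Counter

# Serial audit log: parts are delimited by "--<boundary>-<letter>--" lines
# (A = transaction header, H = trailer with rule messages, Z = end).
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def parse_transactions(lines):
    """Yield {"client": ip, "rules": [ids]} for each complete transaction."""
    txn = part = None
    for line in map(str.strip, lines):
        m = BOUNDARY.match(line)
        if m:
            part = m.group(2)
            if part == "A":
                txn = {"client": None, "rules": []}
            elif part == "Z" and txn is not None:
                yield txn
                txn = None
        elif txn is None or not line:
            continue  # blank line, or orphan part left by a mid-write truncate
        elif part == "A" and txn["client"] is None:
            # "[timestamp] unique_id src_ip src_port dst_ip dst_port"
            fields = line.split("] ", 1)[-1].split()
            txn["client"] = fields[1] if len(fields) > 1 else "unknown"
        elif part == "H" and line.startswith("Message:"):
            txn["rules"] += RULE_ID.findall(line)

def summarize(lines):
    """Count hits per rule id and flagged transactions per client IP."""
    by_rule, by_client = Counter(), Counter()
    for txn in parse_transactions(lines):
        by_rule.update(txn["rules"])
        if txn["rules"]:
            by_client[txn["client"]] += 1
    return by_rule, by_client

# Constructed sample: rule ids, unique ids and addresses are made up.
SAMPLE = """--0000aaaa-H--
Message: Warning. [id "100009"]
--a1b2c3d4-A--
[22/Nov/2014:10:15:02 +0000] VHBzY0AAAQEAAB1a 192.0.2.10 51234 203.0.113.5 80
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [id "100001"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[22/Nov/2014:10:16:40 +0000] VHBzY0AAAQEAAB2b 192.0.2.10 51240 203.0.113.5 80
--e5f6a7b8-H--
Message: Warning. [id "100001"]
Message: Warning. [id "100002"]
--e5f6a7b8-Z--""".splitlines()
```

To run it against the real file, pass an open handle on /usr/local/apache/logs/modsec_audit.log to `summarize()` in place of `SAMPLE`; the leading orphan part in the sample shows that a file which starts mid-transaction is skipped rather than miscounted.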
 

cPanelMichael

Hello :)

I've opened internal case CPANEL-1277 to add a corresponding entry in "WHM Home » Service Configuration » Apache Configuration » Log Rotation" for the /usr/local/apache/logs/modsec_audit.log file. You can monitor our change log for the inclusion of this case number:

cPanel - Change Logs

Thank you.