The Community Forums

Interact with an entire community of cPanel & WHM users!

ModSecurity audit log size growing continuously

Discussion in 'Security' started by stormy, Jan 26, 2015.

  1. stormy

    stormy Well-Known Member

    Joined:
    Nov 22, 2003
    Messages:
    108
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    With cPanel 11.46 and the new ModSecurity tools, modsecparse.pl became deprecated.

    However, this means that the modsecurity audit log is now growing forever:
    /usr/local/apache/logs/modsec_audit.log

    Mine is 1.5G already, and it starts in November.

    How can I fix this?
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    For now, if you don't need the data, you can easily truncate the file from a shell. Simply:

    cat /dev/null > /usr/local/apache/logs/modsec_audit.log

    This will erase the file but leave it in place for new entries.
     
  3. XxUnkn0wnxX

    XxUnkn0wnxX Member

    Joined:
    Feb 3, 2014
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Or you can go to cPanel/WHM, then ModSecurity config, and set "Only log noteworthy transactions." to on.

    Or you can completely disable it from there if you wish.

    Mine was growing so fast because I had it set to log everything, including the HTTP 200 OK messages.
     
  4. kdean

    kdean Well-Known Member

    Joined:
    Oct 19, 2012
    Messages:
    262
    Likes Received:
    12
    Trophy Points:
    18
    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    I just added a "modsec" document to /etc/logrotate.d/ to set it like the other apache logs.

    Be sure to customize as needed.

    "modsec" contents:
    Code:
    /usr/local/apache/logs/modsec_audit.log {
        weekly
        size 25M
        rotate 14
        compress
        missingok
        notifempty
        sharedscripts
        olddir archive
        postrotate
             /scripts/restartsrv_apache > /dev/null 2>/dev/null || true
        endscript
    }
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  6. stormy

    stormy Well-Known Member

    Adding my vote, although it arguably takes more time to read the feature request than to actually implement the script in cPanel! :)
     
  7. manokiss

    manokiss Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    571
    Likes Received:
    0
    Trophy Points:
    16
    Over 11.50 - build 29 and there is no rotation for this yet :-(
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Per the update to the feature request:

    You will see this configured in the following file:

    Code:
    /usr/local/cpanel/etc/logrotate.d/modsecurity_logs
    Thank you.
     
  9. manokiss

    manokiss Well-Known Member

    Thanks! Any reason you did not add this in the WHM log rotation section or Apache log rotation section?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  11. quizknows

    quizknows Well-Known Member

    I can think of plenty of reasons people would want to keep modsec audit log data. It's incredibly valuable for investigating security incidents or generating attack statistics. While the vast majority of users would probably want it rotated, I see no reason why it should not be added to "Home > Service Configuration > Apache Configuration > Log Rotation" seeing as the modsec debug log is already there anyway.
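
The kind of attack statistics the post above refers to, as an added example (not part of the thread and not cPanel's code): a parser that tallies rule IDs and client IPs from the audit log and skips an entry fragment left at the top of a file truncated mid-entry. It assumes the log is written in ModSecurity's serial (single-file) format; the sample entries, rule IDs and addresses are constructed.

```python
import re
from collections import Counter
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")           # e.g. --0000bbbb-A--
HEADER = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)")  # section A line
RULE_ID = re.compile(r'\[id "(\d+)"\]')                          # rule id in a Message

# Constructed sample: one orphaned fragment, then two complete entries.
SAMPLE = """\
--0000aaaa-H--
Message: Warning. [id "100003"] [msg "orphaned by truncation"]
--0000aaaa-Z--
--0000bbbb-A--
[26/Jan/2015:10:15:02 +0100] AAAAAAAAAAAAAAAAAAAAAAAA 203.0.113.7 51234 192.0.2.10 80
--0000bbbb-H--
Message: Access denied with code 403 (phase 2). [id "100001"] [msg "constructed rule"]
--0000bbbb-Z--
--0000cccc-A--
[26/Jan/2015:10:16:40 +0100] BBBBBBBBBBBBBBBBBBBBBBBB 198.51.100.9 40000 192.0.2.10 80
--0000cccc-H--
Message: Warning. [id "100001"] [msg "constructed rule"]
Message: Warning. [id "100002"] [msg "constructed rule"]
--0000cccc-Z--
"""

def parse_audit_log(lines):
    """Yield one dict per complete transaction (A boundary through Z boundary)."""
    txn = section = None
    for line in lines:
        m = BOUNDARY.match(line)
        if m:
            section = m.group(2)
            if section == "A":    # new entry; an unfinished previous one is dropped
                txn = {"id": m.group(1), "client": None, "rules": []}
            elif section == "Z" and txn is not None:
                yield txn
                txn = None
        elif txn is None:
            continue              # fragment left by truncating mid-entry
        elif section == "A" and (h := HEADER.match(line)):
            txn["time"], txn["client"] = h.group(1), h.group(3)
        elif section == "H" and line.startswith("Message:"):
            txn["rules"] += RULE_ID.findall(line)

def attack_stats(lines):
    """Return (hits per rule id, transactions per client IP)."""
    by_rule, by_client = Counter(), Counter()
    for txn in parse_audit_log(lines):
        by_rule.update(txn["rules"])
        by_client[txn["client"]] += 1
    return by_rule, by_client
```

Passing an open file object instead of `SAMPLE.splitlines()` works the same way, so rotated archives can be fed through one at a time after decompression.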
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I've opened internal case CPANEL-1277 to add a corresponding entry in "WHM Home » Service Configuration » Apache Configuration » Log Rotation" for the /usr/local/apache/logs/modsec_audit.log file. You can monitor our change log for the inclusion of this case number:

    cPanel - Change Logs

    Thank you.
     
  13. quizknows

    quizknows Well-Known Member

    Thank you Michael, much appreciated.
     