The file was not updated since Nov. 23, I see that it has been updated today, thanks!
Although I can't reproduce your issue, the VERSION file for the real time rules is up to date (see below), can you tell me how you are getting this error?
Check if the following files are created inside the "msa" directory, if not create them:
One of the rulesets on a specific domain all the time returns me this
Failed to write to DBM file "/var/asl/data/msa/global": Invalid argument
on ModSecurity Log Entries ruleset is unknown
are there any suggestions how to investigate further which ruleset returns this?
Try to create a new file, just called "global", and check if that fixes the error.
Thanks, inside /msa I already have this
SESSION.dir 0 02-Dec-2011 10:08:13 nobody(99)/nobody(99) 640
SESSION.pag 0 02-Dec-2011 10:08:13 nobody(99)/nobody(99) 640
USER.dir 0 02-Dec-2011 10:18:19 nobody(99)/nobody(99) 640
USER.pag 0 02-Dec-2011 10:18:19 nobody(99)/nobody(99) 640 move
default_SESSION.dir 4.0k 02-Dec-2011 11:22:54 nobody(99)/nobody(99) 640
default_SESSION.pag 333.0k 02-Dec-2011 11:23:13 nobody(99)/nobody(99) 640
global.dir 0 27-Sep-2011 22:37:26 nobody(99)/nobody(99) 640
global.pag 1.0k 03-Dec-2011 17:01:49 nobody(99)/nobody(99) 640
ip.dir 4.0k 02-Dec-2011 11:22:07 nobody(99)/nobody(99) 640
ip.pag 540.0k 02-Dec-2011 12:24:47 nobody(99)/nobody(99) 640
Today has the same error:
Although I can't reproduce your issue, the VERSION file for the real time rules is up to date (see below), can you tell me how you are getting this error?
Hello Michael,
Which directory are you referring to, the real time or the delayed?
If the delayed, that's correct. The VERSION variable always shows the current real time version. asl-lite uses that variable to report that the system is using out of date rules when the user is only using the delayed feed.
If I misunderstood and you mean the real time directory, I'm not able to reproduce what you are reporting with asl-lite, it's correctly reading the VERSION and downloading the latest real time rules. That's how it knows which real time file to download. If you see something different with asl-lite have you reported this issue to support?
Or did I totally misunderstand your issue?
Thank you for fixing the file, next time I will do what you say.
I'm still not sure what you are seeing, the variable looks fine to me, perhaps you are caching something?
-rw-r--r-- 1 foo bar 293947 Dec 27 13:16 modsec-201112271316.tar.gz
-rw-r--r-- 1 foo bar 235 Dec 27 13:16 VERSION
[[email protected] rules]$ cat VERSION
Also, if you have any issues with our product please contact support or post on our forums. We certainly don't want to miss a request for assistance, and as busy as we are these days it's not that often we get around to the other forums, so posting here isn't likely to get a response as quickly as just contacting us for support. After all, you're paying for the support so why not use it!
Sergio,
These directories will not be used for saving any data at all, they only are used because some of the rules check for them.
Those directories will retain your data depending on what you have declared on your modsec2.user.conf command: SecAuditLogParts
Sergio,
You mentioned that these directories are not used, but that the rules simply check to make sure they exist. This isn't true. My /var/ partition ran out of disk space because inside the /var/asl/data/audit/ folder were tons of files (over 19GB) of log entries. I had to delete them to get disk space back. So they are apparently used somehow by ModSec.
Any idea if these log files are needed and should I just delete them daily or weekly?
then your server will not retain any logs in those directories.
SecAuditLogParts ABIFHZ
I do have that line in my modsec2.user.conf file...
Those directories will retain your data depending on what you have declared on your modsec2.user.conf command: SecAuditLogParts
If you set it to:
then your server will not retain any logs in those directories.
On the other hand, if you use CSF the info in those directories is not needed and can be deleted, as CSF, LFD and CMC gather the info from /usr/local/apache/logs. If you use something other than CSF then you need to check what you need.
Ok, I see in your modsec2.user.conf that you have this command line:
I do have that line in my modsec2.user.conf file...
In fact, here's my entire modsec2.user.conf file...
SecResponseBodyMimeType (null) text/html text/plain text/xml
# ConfigServer ModSecurity whitelist file remove the mark if you are using ConfigServer CMC.
So, with the SecAuditLogParts already set to ABIFHZ, why are those directories still filling up?
Sorry, didn't work. I did rem that line out and restarted apache, and cleared out the /var/asl/data/audit directory again. A few seconds later, I saw this: