ModSecurity: collections_remove_stale failed

[MACscr]

Any suggestions for resolving this issue with mod_security and appearing in the apache error_log?

ModSecurity: collections_remove_stale: Failed deleting collection .......

My ip.pag is about 250MB and it appears that IP's that are supposed to be blocked are not being blocked. Getting a bit frustrating. This ip.pag file sure seems to be collecting more IP's per second than apache is saying its serving per second as well. whats up with that?

 

[quizknows]

You can always try clearing it out yourself, simply delete ip.dir and ip.pag and restart apache. The files should recreate themselves as soon as rules are processed. Check your permissions on /tmp and /var/cpanel/secdatadir, /tmp should be 1777 and /var/cpanel/secdatadir should be 1770

Out of curiosity do you happen to be using RUID2?

 

[MACscr]

No I am not, i am using suphp. I have deleted them and it does appear to have helped. Should we be using logrotate or something like that to maintain these files? If there is a logrotate conf for them, can someone share it with me?

 

[quizknows]

I have never had to use logrotate for the files. If you're on a very busy server you could lower the collection timeout to try to help;

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#seccollectiontimeout

Default is 3600 seconds, so to lower it (so the collections are storing less at a time), set something like this in your modsec2.user.conf or other includes file:

SecCollectionTimeout 1800

 

[cPanelMichael]

Hello

Feel free to update this thread and let us know if lowering the "SecCollectionTimeout" value addressed the issue.

Thank you.

 

[MACscr]

nope. even set it as low as 600.

 

[MACscr]

Still happening. Super frustrating. I dont know of anyone using any type of pruning process for theirs either. Im not sure what i could be doing differently than others.

 

[cPanelMichael]

Hello

Internal case number FB-188769 is open to determine if rotation for /var/cpanel/secdatadir/ip.pag is a viable option. You may want to utilize the following utility offered by Mod_Security in the meantime:

https://github.com/SpiderLabs/modsec-sdbm-util

Thank you.