The Community Forums


ModSecurity logging

Discussion in 'Security' started by Overflow, Nov 12, 2014.

  1. Overflow

    Overflow Registered

    Joined:
    Nov 2, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    I installed the basic OWASP rules for ModSecurity, but now my logs in ModSecurity Tools are becoming really big, really fast.

    I tried, for many hours, to find the configuration to disable the log of non-critical rules, like a missing Accept Header (like the one used by PingDom), but it does not work.

    What I tried:
    1. Changing the Audit Log Level to Only log noteworthy transactions
    2. Adding SecAuditLogRelevantStatus (using many different prefixes)
    3. And plenty of little steps that didn't work

    I am currently using the "Anomaly" rules, and it works great. I understand the logs are using MySQL, but I cannot find where this setting is enabled.

    I guess I am missing something.

    Thank you for your help
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    The MySQL stuff is pulled by cPanel from the modsec audit log. Audit log data is more verbose than what gets dumped into the apache error log (although, the way cPanel processes it, you lose a lot of the useful stuff like POST data from the audit log). In short, log and auditlog are two different things; basic log info goes to the apache error log, verbose info to the modsec audit log.

    If you really don't want particular rules to log to either, you can add a "nolog" action to the rules themselves, like this:

    SecRule REQUEST_HEADERS:User-Agent "Test" "deny,nolog,id:121"

    Honestly though, it's typically worth keeping the logs and audit logs around, they're just text, it really doesn't take up that much disk space. You could also use "noauditlog" instead of "nolog" to keep the basic data in the apache error log, but it won't show up in WHM since that pulls from audit log afaik.
     
    #2 quizknows, Nov 12, 2014
    Last edited: Nov 12, 2014
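Before silencing anything, it helps to know which rule IDs are actually filling the audit log. The script below is an added example for this thread (not cPanel's, CRS's or quizknows's code): it parses a ModSecurity 2.x serial-format audit log, counts hits per rule ID from the H-section "Message:" lines, and prints SecRuleUpdateActionById lines that add "noauditlog" to the noisiest rules without editing the vendor rule files. The sample log is constructed, with made-up rule IDs, paths and addresses; the script assumes the serial audit-log format and that the emitted directives are placed in a config file loaded after the rules they modify (SecRuleUpdateActionById has no effect on a rule defined later in the configuration).

```python
"""Tally which ModSecurity rules fill the audit log, then emit
SecRuleUpdateActionById lines that stop the noisy ones from creating
audit entries. Example code for this thread, not cPanel or CRS code."""
import re
from collections import Counter

# Constructed sample of a ModSecurity 2.x serial audit log (three transactions).
# Rule IDs, file paths, addresses and host names are made up for this example.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[12/Nov/2014:10:00:01 +0000] VGMdL38AAAEAAB@QKPcAAAAA 203.0.113.10 54321 198.51.100.5 80
--1a2b3c4d-B--
GET / HTTP/1.1
Host: www.example.com
User-Agent: Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)

--1a2b3c4d-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsec/rules/example.conf"] [line "47"] [id "1000101"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Engine-Mode: "ENABLED"

--1a2b3c4d-Z--

--1a2b3c4e-A--
[12/Nov/2014:10:01:01 +0000] VGMdL38AAAEAAB@QKPcAAAAB 203.0.113.10 54322 198.51.100.5 80
--1a2b3c4e-B--
GET / HTTP/1.1
Host: www.example.com
User-Agent: Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)

--1a2b3c4e-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsec/rules/example.conf"] [line "47"] [id "1000101"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Engine-Mode: "ENABLED"

--1a2b3c4e-Z--

--1a2b3c4f-A--
[12/Nov/2014:10:02:01 +0000] VGMdL38AAAEAAB@QKPcAAAAC 198.51.100.77 40000 198.51.100.5 80
--1a2b3c4f-B--
GET /index.php HTTP/1.1
Host: 198.51.100.5
User-Agent: curl/7.38.0

--1a2b3c4f-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsec/rules/example.conf"] [line "47"] [id "1000101"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsec/rules/example.conf"] [line "60"] [id "1000102"] [msg "Host header is a numeric IP address"] [severity "WARNING"]
Engine-Mode: "ENABLED"

--1a2b3c4f-Z--
"""

# Section boundary: --<transaction id>-<section letter>--
BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Audit-trailer message line carrying the rule id and its msg text
MESSAGE_RE = re.compile(r'^Message: .*?\[id "(\d+)"\].*?\[msg "([^"]*)"\]')


def parse_audit_log(text):
    """Return one dict per transaction: txid, client IP and the (rule_id, msg) matches."""
    transactions = []
    current = None
    section = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            txid, section = m.groups()
            if section == "A":  # section A opens a new transaction
                current = {"txid": txid, "client": None, "messages": []}
                transactions.append(current)
            continue
        if current is None:
            continue
        if section == "A" and current["client"] is None and line.startswith("["):
            # "[timestamp] unique_id client_ip client_port server_ip server_port"
            current["client"] = line.split("] ", 1)[1].split()[1]
        elif section == "H":
            m = MESSAGE_RE.match(line)
            if m:
                current["messages"].append((m.group(1), m.group(2)))
    return transactions


def rule_hit_counts(transactions):
    """Count audit-log hits per rule id; also keep the msg text seen for each id."""
    counts = Counter()
    messages = {}
    for tx in transactions:
        for rule_id, msg in tx["messages"]:
            counts[rule_id] += 1
            messages.setdefault(rule_id, msg)
    return counts, messages


def noisy_rule_ids(counts, threshold):
    """Rule ids that fired at least `threshold` times, busiest first."""
    return [rid for rid, n in counts.most_common() if n >= threshold]


def render_noauditlog_directives(rule_ids):
    """SecRuleUpdateActionById lines adding noauditlog; they must be loaded
    after the rules they modify (assumed: a config included after the CRS)."""
    return ['SecRuleUpdateActionById %s "noauditlog"' % rid for rid in rule_ids]


if __name__ == "__main__":
    txs = parse_audit_log(SAMPLE_AUDIT_LOG)
    counts, messages = rule_hit_counts(txs)
    for rid, n in counts.most_common():
        print("%s: %d hit(s)  %s" % (rid, n, messages[rid]))
    for directive in render_noauditlog_directives(noisy_rule_ids(counts, threshold=3)):
        print(directive)
```

Run it against the real log (on cPanel servers typically under /etc/apache2/logs/modsec_audit.log) by reading the file instead of SAMPLE_AUDIT_LOG. Note that "noauditlog" only removes that one rule's reason for auditing a transaction: in the third sample transaction the Host-header rule still matches, so that request would still be written to the audit log and still appear in WHM, which is usually what you want.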
  3. Overflow

    Overflow Registered

    Joined:
    Nov 2, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I finally added the nolog and noauditlog to the rules I didn't want

    Thank you
     