Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ModSecurity Logs Are Getting Huge With Logging Off

Discussion in 'Security' started by linux4me2, Jun 29, 2017.

  1. linux4me2

    linux4me2 Well-Known Member

    Aug 21, 2015
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    For the past month or so, I have watched as the amount of remaining disk space on the server has quickly decreased. I tracked it down to huge ModSecurity log files in /home/username/logs of the format:
    There were three files in each account, one for April, May, and June. Most of them were hundreds of megabytes in size, and some on the busier sites were over a gigabyte.

    I found this post, but the OP never responded, so it wasn't clear what the resolution is.

    Yesterday, as a test, I set the Audit Log Level to "Do not log any transactions" and deleted the log files to reclaim the space. The ModSecurity Tools Hits list is not populated once I turn off the Audit Log.

    This morning, the log files are back, created at 0514, and are already megabytes in size.

    Here is the output of the files requested in the above post:
    I am running the Comodo WAF vendor (not the plugin) and modruid2.

    How can I prevent the ModSecurity logs from filling up my disk space?
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Apr 11, 2011
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator

    Internal case CPANEL-13602 is open to address an issue where the previous month's ModSecurity logs are not removed from the account's "/home/$username/logs" directory on systems with Mod_Ruid2 enabled. This happens despite enabling the "Remove the previous month's archived logs from the user's home directory at the end of each month unless configured by the user" option in "WHM >> Tweak Settings".

    I'll monitor this case and update this thread with the outcome. In the meantime, the workaround is to manually remove the logs.

    Thank you.
    linux4me2 likes this.

Share This Page