need help, No entries found in /usr/local/apache/logs/modsec_audit.log

[sean2045]

Hi guys,

I followed this info to configure mod security

Configuring cPanel ModSecurity with Atomic ModSecurity Rules | UKHost4u Blog

However, after a few hours, I didn't get any log entries, I double checked everything, I couldn't find what was the problem.

does anyone know how to fix it?

Thank you

Sean

 

[voshka]

Hi, sean2045

Please provide me what you have configured in
/usr/local/apache/conf/modsec2.user.conf

Thanks

 

[cPanelTristan]

Can you also please check the following log for entries:

tail -500 /usr/local/apache/logs/modsec_debug_log

If mod_security isn't working, you'll probably see errors in that log file.

 

[borgia]

Did you test if is running?

apachectl -t -D DUMP_MODULES

...and check if "security2_module" is on the list. After if is loaded test in browser with a directive and check logs.


Regards

 

[sean2045]

Thank you guys

Hi, sean2045

Please provide me what you have configured in
/usr/local/apache/conf/modsec2.user.conf

Thanks

this is what i have in /usr/local/apache/conf/modsec2.user.conf

# ConfigServer ModSecurity whitelist file
Include /usr/local/apache/conf/modsec2.whitelist.conf

SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 220621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyLimit 220621440
SecRequestBodyInMemoryLimit 220621440
LimitRequestBody 0
LimitRequestBody 25097152
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
# ConfigServer ModSecurity whitelist file
Include /usr/local/apache/conf/modsec2.whitelist.conf
# ASL/GOTROOT Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf


there is nothing in tail -500 /usr/local/apache/logs/modsec_debug_log,


after i run apachectl -t -D DUMP_MODULES


core_module (static)
authn_file_module (static)
authn_default_module (static)
authz_host_module (static)
authz_groupfile_module (static)
authz_user_module (static)
authz_default_module (static)
auth_basic_module (static)
include_module (static)
filter_module (static)
log_config_module (static)
logio_module (static)
env_module (static)
expires_module (static)
headers_module (static)
unique_id_module (static)
setenvif_module (static)
version_module (static)
proxy_module (static)
proxy_connect_module (static)
proxy_ftp_module (static)
proxy_http_module (static)
proxy_scgi_module (static)
proxy_ajp_module (static)
proxy_balancer_module (static)
ssl_module (static)
mpm_prefork_module (static)
http_module (static)
mime_module (static)
status_module (static)
autoindex_module (static)
asis_module (static)
info_module (static)
suexec_module (static)
cgi_module (static)
negotiation_module (static)
dir_module (static)
actions_module (static)
userdir_module (static)
alias_module (static)
rewrite_module (static)
so_module (static)
bwlimited_module (shared)
suphp_module (shared)
security2_module (shared)
Syntax OK




it has this security2_module (shared), so it's running? what else is wrong?

modsecparse.pl is disabled.

Thanks

Sean

 

[borgia]

Do you have those lines:

SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log

in modsec2.conf ?

regards

 

[sean2045]

Do you have those lines:

in modsec2.conf ?

regards

this is what i have in modsec2.conf

LoadFile /opt/xml2/lib/libxml2.so
# LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>

 

[voshka]

Your configuration seems to be fine

go to this directory

/var/asl/data/audit

do you see any thing loged and also being updated?

also use
tail -f /usr/local/apache/logs/modsec_audit.log

do you see any updates to that file?

the last thing also is that have you restart the Apache after installing the Rule Sets

 

[sean2045]

Your configuration seems to be fine

go to this directory

/var/asl/data/audit

do you see any thing loged and also being updated?

also use
tail -f /usr/local/apache/logs/modsec_audit.log

do you see any updates to that file?

the last thing also is that have you restart the Apache after installing the Rule Sets

there are nothing in /var/asl/data/audit and /usr/local/apache/logs/modsec_audit.log, i restarted apache and reboot my server, it still nothing shows on any those logs.

 

[sean2045]

from /usr/local/apache/logs/error_log


[Sun Jul 15 19:15:00 2012] [notice] Graceful restart requested, doing restart
[Sun Jul 15 19:15:01 2012] [notice] SSL FIPS mode disabled
[Sun Jul 15 19:15:01 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_bwlimited/1.4 Apache configured -- resuming normal operations
[Sun Jul 15 20:27:52 2012] [notice] Graceful restart requested, doing restart
[Sun Jul 15 20:27:53 2012] [notice] SSL FIPS mode disabled
[Sun Jul 15 20:27:53 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_bwlimited/1.4 Apache configured -- resuming normal operations
[Sun Jul 15 20:52:49 2012] [notice] caught SIGTERM, shutting down
[Sun Jul 15 20:52:52 2012] [notice] SSL FIPS mode disabled
[Sun Jul 15 20:52:52 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Sun Jul 15 20:52:52 2012] [notice] ModSecurity for Apache/2.6.5 (ModSecurity: Open Source Web Application Firewall) configured.
[Sun Jul 15 20:52:52 2012] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[Sun Jul 15 20:52:52 2012] [notice] ModSecurity: PCRE compiled version="8.21"; loaded version="8.21 2011-12-12"
[Sun Jul 15 20:52:52 2012] [notice] ModSecurity: LIBXML compiled version="2.7.8"
[Sun Jul 15 20:52:52 2012] [notice] Original server signature: Apache
[Sun Jul 15 20:52:53 2012] [notice] SSL FIPS mode disabled
[Sun Jul 15 20:52:53 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_bwlimited/1.4 Apache configured -- resuming normal operations
[Sun Jul 15 20:53:23 2012] [notice] caught SIGTERM, shutting down
[Sun Jul 15 20:53:32 2012] [notice] SSL FIPS mode disabled
[Sun Jul 15 20:53:32 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Sun Jul 15 20:53:32 2012] [notice] ModSecurity for Apache/2.6.5 (ModSecurity: Open Source Web Application Firewall) configured.
[Sun Jul 15 20:53:32 2012] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[Sun Jul 15 20:53:32 2012] [notice] ModSecurity: PCRE compiled version="8.21"; loaded version="8.21 2011-12-12"
[Sun Jul 15 20:53:32 2012] [notice] ModSecurity: LIBXML compiled version="2.7.8"
[Sun Jul 15 20:53:32 2012] [notice] Original server signature: Apache
[Sun Jul 15 20:53:33 2012] [notice] SSL FIPS mode disabled
[Sun Jul 15 20:53:33 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_bwlimited/1.4 Apache configured -- resuming normal operations

looks like mod_security is running, what could be wrong?

 

[sean2045]

I have a question, since the audit log path is this /usr/local/apache/logs/modsec_audit.log

so where can i find what define this path /usr/local/apache/logs/modsec_audit.log?

after I recheck the configuration Configuring cPanel ModSecurity with Atomic ModSecurity Rules | UKHost4u Blog

Only this last part /usr/local/apache/conf/modsec2.user.conf, add those

SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 220621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyLimit 220621440
SecRequestBodyInMemoryLimit 220621440
LimitRequestBody 0
LimitRequestBody 25097152
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
# ConfigServer ModSecurity whitelist file
Include /usr/local/apache/conf/modsec2.whitelist.conf
# ASL/GOTROOT Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf

to connect the rules to mod_security.

 

[sean2045]

After I submitted a ticket, the problem was solved,

so for anyone who has the the problems

in in modsec2.conf

LoadFile /opt/xml2/lib/libxml2.so
# LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See ModSecurity: Open Source Web Application Firewall
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>

change SecAuditEngine RelevantOnly to SecAuditEngine On


Sean

 

[borgia]

I am not using "SecAuditEngine On" and everything "RelevantOnly" is logged. The problem with you is that you didn't have events "RelevantOnly" to be logged at that time.


regards