Piped logging delays real time security features?

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
Hello, from a very proficient and knowledgeable cPanel tech support technician I received the following snippet of text regarding the absence of 404 and other Apache error codes in log files:

With buffered file writing enabled, the splitlogs binary writes to individual log files faster, but requires more memory for each open log file. In addition to this, the requests that are buffered to be written to the access logs are not instantaneously written, but instead, are kept in memory until the buffers are flushed. This usually means that the log will be written to once Apache experiences enough traffic, and the entries will still have accurate time-stamps.

It would seem to me if writing to apache logs is delayed for any reason this would affect the ability for responsive defenses like mod_sec, iptables that examine logs and other proactive defenses to respond in real time to threats. It's my understanding that the default is to delay writing.

What am I not understanding here? It seems counter-intuitive to delay log writing when security depends on it, so I must be missing some part of the puzzle. thanks.
 

quietFinn

Well-Known Member
Feb 4, 2006
Finland
cPanel Access Level
Root Administrator
The delay does not affect ModSecurity, and I don't understand how it could affect iptables. It does affect some CSF/LFD features if you are using it.
 
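To make the point from the first post and quietFinn's reply concrete, here is an added example (not code from the original thread, and not cPanel's splitlogs or CSF/LFD code). It uses Python's own file buffering to stand in for the splitlogs write buffer, and a minimal offset-based tailer to stand in for a log-watching tool such as LFD. The access-log lines are constructed sample data; the client addresses, paths and timestamp are assumptions. It shows that a tailer sees no new entries until the buffer is flushed, and that the entries, once written, still carry the timestamp of the original request.

```python
"""Simulate how buffered log writes delay what a log-tailing defense can see.

Added example, not part of the original thread and not cPanel/splitlogs code.
Python's file buffer stands in for the splitlogs buffer; tail_new_lines()
stands in for a tool like LFD that reads new lines from the access log.
"""
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample requests: (client, path, status). These are the kinds
# of lines a log watcher would scan for repeated 404s or wp-login probes.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "/wp-login.php", 200),
    ("203.0.113.10", "/wp-login.php", 200),
    ("203.0.113.10", "/xmlrpc.php", 404),
    ("198.51.100.7", "/index.html", 200),
]


def format_clf(client, path, status, when):
    """Render one Apache common-log-format style line (constructed)."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{client} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512\n'


def tail_new_lines(path, offset):
    """Read everything appended since `offset`; return (lines, new_offset).

    This is the simplest form of what a log-watching daemon does on each pass.
    """
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    return data.decode().splitlines(), offset + len(data)


def count_status(lines, status):
    """Count lines with the given HTTP status, as a 404-rate rule would."""
    return sum(1 for line in lines if f'" {status} ' in line)


def simulate(buffered):
    """Write the sample requests, then tail the log before and after a flush.

    Returns how many lines the tailer saw at each point, how many 404s it
    saw in total, and the first line it eventually read.
    """
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        # buffering=1 is line-buffered: each line reaches the file at once.
        # A 1 MiB buffer keeps the lines in memory until flush, which is the
        # behaviour described for splitlogs' buffered mode in the thread.
        bufsize = (1 << 20) if buffered else 1
        with open(path, "w", buffering=bufsize) as log:
            # Fixed request time (assumed) so the timestamp is checkable.
            now = datetime(2016, 6, 5, 12, 0, 0, tzinfo=timezone.utc)
            for client, req, status in SAMPLE_REQUESTS:
                log.write(format_clf(client, req, status, now))
            seen_before, offset = tail_new_lines(path, 0)
            log.flush()
            seen_after, offset = tail_new_lines(path, offset)
        all_seen = seen_before + seen_after
        return {
            "before_flush": len(seen_before),
            "after_flush": len(seen_after),
            "not_found": count_status(all_seen, 404),
            "first_line": all_seen[0],
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode in (True, False):
        print("buffered" if mode else "line-buffered", simulate(buffered=mode))
```

With buffered writes the tailer sees zero lines after all four requests have been "served", and only sees them once the buffer flushes; with line-buffered writes it sees all four immediately. In both cases the 404 is present and the timestamp inside the line is the request time, not the flush time, which is exactly the trade-off described in the support reply quoted above.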

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
Thank you @quietFinn. And indeed it is affecting CSF/LFD. However, I did place the following snippet of iptables code in iptables (inserted by csf/lfd when it starts iptables, and I confirmed that it is there) and this code is not working. So that leads me to believe something else is at play.

iptables -A INPUT -p tcp --match multiport --dport 80,443 -m string --string 'wp-login' --algo bm -j DROP
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @jeffschips,

Can you share the ticket number associated with the support request that you opened?

Thank you.