
WHM ModSecurity Log

Discussion in 'Security' started by java_dude, Oct 23, 2011.

  1. java_dude

    java_dude Active Member

    Hi guys! I recently installed the Gotroot ModSecurity ruleset on my server using the Atomicorp Wiki Tutorial. The installation went fine, and mod_security is blocking attacks as it should be. However, the WHM log hasn't been updated since I started using the Gotroot rules! The modsec_audit.log is being updated as normal, but WHM doesn't seem to be picking up on the new logging data... am I missing something? Any idea why WHM won't update its log entries now? Thanks!
     
  2. britsenigma

    britsenigma Well-Known Member

    I've noticed this error in logs/error_log under apache:
    ModSecurity: Audit log: Failed to create subdirectories: /usr/local/apache/logs/data/audit/20111228/20111228-2004 (Permission denied) [hostname "w
     
  3. alphawolf50

    alphawolf50 Well-Known Member

    Java_dude,

    The GotRoot instructions have you place the following into your modsec2.user.conf:
    Code:
    SecAuditLogType Concurrent
    That setting causes all modsecurity events to be logged in separate files in /var/asl/data/audit/*date*/*time*/. (note the *date* and *time* in that path are the date/time that the event occurred). The default for modsecurity is "SecAuditLogType Serial", which stores the logs in the main audit log. I believe this is the source of the issue. You could try commenting out that line in modsec2.user.conf and see if the WHM starts picking up the log again. Or perhaps the fine cPanel folk could explain a way of making WHM read the concurrent files?

    Britsenigma,

    If you recently installed the GotRoot/Atomic rules, you need to go back through the instructions and make sure you follow them exactly. If you did not recently install the GotRoot/Atomic rules, you could try setting SecAuditLogType to Serial as I specified above. If neither of those resolves your issue, you should start a new thread, as it is unrelated to the OP's issue.
     
  4. britsenigma

    britsenigma Well-Known Member

    I've managed to get both GotRoot and OWASP rules working side by side, but I'm not sure whether they will conflict at this time.

    OWASP .conf logs fine, GotRoot doesn't.
     
  5. mikegotroot

    mikegotroot Well-Known Member

    Please see this article on the wiki:

    https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#modsecparse.pl

    Older tools, like modsecparse.pl, do not support the faster and less resource-intensive concurrent logging method. I believe WHM still only supports the older, slower method, so you will have to use Serial instead of Concurrent logging, or use a tool that supports the faster method.
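The two posts above (alphawolf50's description of the per-date/per-time concurrent directory layout, and mikegotroot's note that serial-only readers cannot consume it) describe the same gap. Below is an added example, not code from the thread, cPanel or Atomicorp, showing how the concurrent files can be folded back into one serial-style log that a serial-only reader can parse. It assumes the layout alphawolf50 describes (`<audit_root>/<date>/<date>-<time>/<file>`), that each concurrent file holds one entry in the standard `--<id>-<part>--` boundary format, and it uses a constructed sample tree rather than real audit data.

```python
"""Merge ModSecurity concurrent audit files into one serial-style audit log."""
import os
import re

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")  # e.g. "--3f2a9c1d-A--": boundary id, part letter
def parse_entry(text):
    """Split one audit entry into {part_letter: body}; None if the A or Z part is missing."""
    parts, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = m.group(2)
            parts[current] = ""
        elif current is not None:
            parts[current] += line + "\n"
    return parts if "A" in parts and "Z" in parts else None

def merge_to_serial(audit_root, serial_path):
    """Append each well-formed file under audit_root/<date>/<date>-<time>/ to serial_path.
    Returns (merged, skipped); a skipped file is a truncated or partial entry."""
    merged = skipped = 0
    with open(serial_path, "a") as out:
        for dirpath, dirnames, filenames in os.walk(audit_root):
            dirnames.sort()  # date and date-time directory names sort chronologically
            for name in sorted(filenames):
                with open(os.path.join(dirpath, name)) as f:
                    text = f.read()
                if parse_entry(text) is None:
                    skipped += 1
                    continue
                out.write(text if text.endswith("\n") else text + "\n")
                merged += 1
    return merged, skipped

def sample_entry(tx_id, client_ip):
    """Constructed audit entry (not real traffic) with the A, B, H and Z parts."""
    return (f"--{tx_id}-A--\n[23/Oct/2011:10:15:02 +0000] {tx_id} {client_ip} 54321 198.51.100.7 80\n"
            f"--{tx_id}-B--\nGET /index.php HTTP/1.1\nHost: www.example.com\n\n"
            f"--{tx_id}-H--\nMessage: Access denied with code 403 (phase 2).\n--{tx_id}-Z--\n\n")

def build_sample_tree(root):
    """Write two complete entries and one truncated entry in the concurrent layout (constructed)."""
    day = os.path.join(root, "20111023", "20111023-1015")
    os.makedirs(day)
    files = {"20111023-101502-3f2a9c1d": sample_entry("3f2a9c1d", "203.0.113.5"),
             "20111023-101509-7b1e44c0": sample_entry("7b1e44c0", "203.0.113.9"),
             "20111023-101511-partial": "--0c0c0c0c-A--\n[23/Oct/2011:10:15:11 +0000] only part A\n"}
    for name, body in files.items():
        with open(os.path.join(day, name), "w") as f:
            f.write(body)
```

Run it as root against the real audit root only with the output placed outside that tree; the concurrent files are written with restrictive permissions, which is also what britsenigma's "Permission denied" error above is about.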
     