Piped logging delays real time security features?
Hello. From a very proficient and knowledgeable cPanel tech support technician, I received the following snippet of text regarding the absence of 404 and other Apache error codes in log files:
With buffered file writing enabled, the splitlogs binary writes to individual log files faster, but requires more memory for each open log file. In addition to this, the requests that are buffered to be written to the access logs are not instantaneously written, but instead, are kept in memory until the buffers are flushed. This usually means that the log will be written to once Apache experiences enough traffic, and the entries will still have accurate time-stamps.
It would seem to me that if writing to Apache logs is delayed for any reason, this would affect the ability of responsive defenses like mod_sec, iptables rules that examine logs, and other proactive defenses to respond in real time to threats. It's my understanding that the default is to delay writing.
What am I not understanding here? It seems counter-intuitive to delay log writing when security depends on it, so I must be missing some part of the puzzle. Thanks.
Anybody?
The delay does not affect ModSecurity, and I don't understand how it could affect iptables. It does affect some CSF/LFD features if you are using it.
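The buffering behaviour quoted in the first post, and the distinction drawn in the reply above (a request-inspecting module such as ModSecurity is unaffected, a log-tailing tool such as LFD is), as an added Python demonstration that is not part of this thread and is not cPanel's splitlogs or CSF/LFD code. A small writer stands in for splitlogs with block buffering switched on or off, a tail-style reader stands in for LFD, and an LFD-like rule counts 404s per client IP. The log lines, IP addresses, buffer size and threshold are all constructed for the example.

```python
"""Constructed demo: buffered log writes delay a log-tailing detector."""
import os
import re
import tempfile

# Constructed Apache combined-log lines (assumed values, not from any real
# server): one client bursting 404s against wp-login.php, one normal client.
SAMPLE_LINES = [
    f'203.0.113.7 - - [23/Sep/2019:13:06:{i:02d} -0400] '
    f'"GET /wp-login.php?try={i} HTTP/1.1" 404 196 "-" "Mozilla/5.0"'
    for i in range(8)
] + [
    '198.51.100.20 - - [23/Sep/2019:13:06:09 -0400] '
    '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
]

# Client IP, request line and status from a combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


class LogWriter:
    """Stand-in for splitlogs: line-buffered (every newline reaches disk) or
    block-buffered (lines sit in memory until the buffer fills, flush() is
    called, or the file is closed)."""

    def __init__(self, path, buffered):
        # buffering=1 is line buffering in text mode; a 64 KiB block (assumed
        # size) keeps the whole constructed burst in memory.
        self._fh = open(path, "w", buffering=(1 << 16) if buffered else 1)

    def write(self, line):
        self._fh.write(line + "\n")

    def flush(self):
        self._fh.flush()

    def close(self):
        self._fh.close()


def tail_new_lines(path, offset):
    """What a tail -f style reader (LFD's view of the world) finds on disk
    beyond `offset`. Returns (complete_lines, new_offset); a partial trailing
    line is left for the next poll, as a real tailer would."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    last_nl = data.rfind(b"\n")
    if last_nl < 0:
        return [], offset
    complete = data[: last_nl + 1]
    return complete.decode().splitlines(), offset + len(complete)


def offenders(lines, status="404", threshold=5):
    """LFD-like rule: client IPs with at least `threshold` responses of
    `status` among the lines the tailer has actually seen."""
    counts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == status:
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def run(buffered):
    """Write the burst, poll the log as a tailer would, then flush and poll
    again. Returns (lines_visible_before_flush, blocked_before, blocked_after)."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        writer = LogWriter(path, buffered)
        for line in SAMPLE_LINES:
            writer.write(line)
        seen, offset = tail_new_lines(path, 0)
        blocked_before = offenders(seen)
        writer.flush()  # what a full buffer or an Apache restart would do
        more, _ = tail_new_lines(path, offset)
        blocked_after = offenders(seen + more)
        writer.close()
        return len(seen), blocked_before, blocked_after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode in (True, False):
        visible, before, after = run(mode)
        print(f"buffered={mode}: visible={visible} "
              f"blocked_before_flush={before} blocked_after_flush={after}")
```

With block buffering the tailer sees no lines at all until the flush, so the 404 rule cannot fire while the burst is in progress; with line buffering every request is on disk before the next poll. Nothing in the writer changes what the request itself looked like, which is why a module that inspects the request inline rather than reading the log afterwards is not delayed.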
Thank you @quiteFinn. And indeed it is affecting CSF/LFD. However, I did place the following snippet of iptables code in iptables (inserted by csf/lfd when it starts iptables, and confirmed that it is there) and this code is not working. So that leads me to believe something else is at play. iptables -A INPUT -p tcp --match multiport --dport 80,443 -m string --string 'wp-login' --algo bm -j DROP
Hello @jeffschips, can you share the ticket number associated with the support request that you opened? Thank you.
13403293, and read down to the entry at September 23rd, 2019 at 01:06 PM. Thanks for the follow-up.