ModSecurity audit log size growing continuously

Comments

12 comments

  • quizknows
    For now, if you don't need the data, you can easily truncate the file from a shell. Simply:
        cat /dev/null > /usr/local/apache/logs/modsec_audit.log
    This will erase the file but leave it in place for new entries.
    0
  • XxUnkn0wnxX
    Or you can go to cPanel/WHM, then the mod security config, and set "Only log noteworthy transactions." to on, or you can completely disable it from there if you wish. Mine was growing so fast because I had it set to log everything, including the HTTP 200 OK messages.
    0
  • kdean
    I just added a "modsec" document to /etc/logrotate.d/ to set it like the other apache logs. Be sure to customize as needed. "modsec" contents:
        /usr/local/apache/logs/modsec_audit.log {
            weekly
            size 25M
            rotate 14
            compress
            missingok
            notifempty
            sharedscripts
            olddir archive
            postrotate
                /scripts/restartsrv_apache > /dev/null 2>/dev/null || true
            endscript
        }
    0
  • cPanelMichael
    Hello :) Please also vote and add your feedback to the existing feature request for this at: Add log rotation for mod_security logs | cPanel Feature Requests (http://features.cpanel.net/responses/add-log-rotation-for-mod-security-logs). Thank you.
    0
  • stormy
    Adding my vote, although it arguably takes more time to read the feature request than to actually implement the script in cPanel! :)
    0
  • manokiss
    Over 11.50 - build 29 and there is no rotation for this yet :-(
    0
  • cPanelMichael
    > Over 11.50 - build 29 and there is no rotation for this yet :-(

    Per the update to the feature request: In cPanel & WHM version 11.50 we are adding a logrotate configuration for the main mod_security audit log. In addition we updated our log rotation daemon, cpanellogd, to handle the per user log files when using mod_ruid2.
    You will see this configured in the following file:
    /usr/local/cpanel/etc/logrotate.d/modsecurity_logs
    Thank you.
    0
  • manokiss
    Thanx! Any reason you did not add this in the WHM log rotation section or apache log rotation section?
    0
  • cPanelMichael
    > Thanx! Any reason you did not add this in the WHM log rotation section or apache log rotation section?

    Mod Edit: A feature request is no longer required. This is addressed at:
    0
  • quizknows
    I can think of plenty of reasons people would want to keep modsec audit log data. It's incredibly valuable for investigating security incidents or generating attack statistics. While the vast majority of users would probably want it rotated, I see no reason why it should not be added to "Home > Service Configuration > Apache Configuration > Log Rotation" seeing as the modsec debug log is already there anyway.
    0
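
Two points from the thread (a log that grows because it records every 200 OK transaction, and the audit log's value for attack statistics) can be checked with a short parser before deciding what to rotate or stop logging. This is an added example, not code from any poster or from cPanel; it assumes the serial audit log format with sections F (response headers) and H (trailer) enabled in SecAuditLogParts, and the sample entries, addresses and rule id are constructed.

```python
import re
from collections import Counter

BOUNDARY = re.compile(r"^--[0-9a-fA-F]{8}-([A-Z])--$")  # e.g. --1a2b3c4d-F--
RULE_ID = re.compile(r'\[id "(\d+)"\]')

# Constructed sample in serial audit log layout (not real traffic).
SAMPLE = """\
--1a2b3c4d-A--
[01/Jan/2015:10:00:01 +0000] AAAAAAAAAAAAAAAAAAAAAAAA 203.0.113.5 40000 192.0.2.10 80
--1a2b3c4d-B--
GET /index.html HTTP/1.1
--1a2b3c4d-F--
HTTP/1.1 200 OK
--1a2b3c4d-H--
Stopwatch: 1420106401000000 500 (- - -)
--1a2b3c4d-Z--
--5e6f7a8b-A--
[01/Jan/2015:10:00:02 +0000] BBBBBBBBBBBBBBBBBBBBBBBB 203.0.113.9 40001 192.0.2.10 80
--5e6f7a8b-B--
GET /item.php?id=1 HTTP/1.1
--5e6f7a8b-F--
HTTP/1.1 403 Forbidden
--5e6f7a8b-H--
Message: Access denied with code 403 (phase 2). [id "1000001"] [msg "constructed test rule"]
--5e6f7a8b-Z--
"""

def summarize(lines):
    """Tally response status codes and triggered rule ids across transactions."""
    statuses, rules = Counter(), Counter()
    section, need_status = None, False
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = BOUNDARY.match(line)
        if m:
            section = m.group(1)
            need_status = section == "F"  # next non-empty line is the status line
        elif section == "F" and need_status and line:
            parts = line.split()
            statuses[parts[1] if len(parts) > 1 else "unknown"] += 1
            need_status = False
        elif section == "H" and line.startswith("Message:"):
            rules.update(RULE_ID.findall(line))
    return statuses, rules

if __name__ == "__main__":
    status_counts, rule_counts = summarize(SAMPLE.splitlines())
    print("responses by status:", dict(status_counts))
    print("rule hits by id:", dict(rule_counts))
```

To run it on a real log, pass an open file handle to summarize() instead of the sample; a large share of 200 responses with no rule hits indicates that every transaction is being logged rather than only the noteworthy ones.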
  • cPanelMichael
    Hello :) I've opened internal case CPANEL-1277 to add a corresponding entry in "WHM Home » Service Configuration » Apache Configuration » Log Rotation" for the /usr/local/apache/logs/modsec_audit.log file. You can monitor our change log for the inclusion of this case number:
    0
  • quizknows
    Thank you Michael, much appreciated.
    0
