Mod Security Hit List is empty and Internal error in modsec log

postcd

• April 30, 2016 04:15

Hello, i see at WHM " Security Center " ModSecurity" Tools " Hits List it is empty where usually i had hits there. The Rules List contains active and published rules tail of modsec_audit.log: --5ef10746-F-- HTTP/1.1 401 Authorization Required Vary: Accept-Encoding Content-Length: 17 Connection: close Content-Type: text/html; charset=iso-8859-1 --5ef10746-H-- Message: collections_remove_stale: Failed deleting collection (name "ip", key "SOMEIPHERE"): Internal error Action: Intercepted (phase 2) Apache-Handler: application/x-httpd-php5 Stopwatch: 1461182672103655 8622 (- - -) Stopwatch2: 1461182672103655 8622; combined=11424, p1=62, p2=29, p3=0, p4=0, p5=5667, sr=35, sw=0, l=0, gc=5666 Producer: ModSecurity for Apache/2.9.0 (ModSecurity: Open Source Web Application Firewall). Server: Apache Engine-Mode: "ENABLED" --5ef10746-Z--
Please which Linux commands or what to do to discover cause & fix?

• 

  cPanelMichael

  • May 09, 2016 16:13

  Hello, Would you mind opening a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.

  0
• 

  postcd

  • May 10, 2016 12:07

  Thx for an advice, i submitted ticket and this is the final reply by the cpanel staff: After continued research, I found that your custom configuration relocated the ModSecAuditLog. I created a backup of your existing configuration, and made the following changes as shown: ==== [11:26:22 host1 root@7542771 /usr/local/apache/conf]cPs# cp -av modsec2.user.conf{,.7542771.bak} `modsec2.user.conf' -> `modsec2.user.conf.7542771.bak' [11:35:38 host1 root@7542771 /usr/local/apache/conf]cPs# diff modsec2.user.conf.7542771.bak modsec2.user.conf 51,52c51,53 < SecAuditLogType Serial < SecAuditLog logs/mod_security.log --- > #SecAuditLogType Serial > #SecAuditLog logs/mod_security.log > SecAuditLog /usr/local/apache/logs/modsec_audit.log 55c56 < SecDataDir logs/mod_security-data --- > #SecDataDir logs/mod_security-data ==== After doing so, you'll notice your Hits List is now being populated. ---- so it appears issue is solved

  0
• 

  cPanelMichael

  • May 10, 2016 14:18

  I'm happy to see the issue is now resolved. Thank you for updating us with the outcome.

  0

Please sign in to leave a comment.