Is it just me or has ConfigServer stopped reading the logs on /usr/local/apache/logs/modsec_audit/ ?
Prior to the last WAF upgrade I use to be able to see the logs in that interface but it now longer works…has Comodo WAF interfered with that or is it a ConfigServer problem ?
Anyone else noticed this ?
Check your modsec2.conf file, the update has wiped the following:
Just add that to the bottom and restart.
Request for admin: When ModSec updates are made via Comodo’s cPanel plugin, can you please retain any settings or custom modifications to the modsec2.conf file? it’s quite annoying that these always disappear when an update is made, have to re-add them on every server again.
Unfortunately that didn’t resolve my problem…
ConfigServer ModSecurity Control - cmc v1.14
Displaying logs from /usr/local/apache/logs/modsec_audit/
No entries found in /usr/local/apache/logs/modsec_audit.log
Yet if I go to the actual log file itself “/usr/local/apache/logs/modsec_audit.log” it’s been written to as expected
I can confirm the same. Log file is growing, but not being seen/reported in WHM.
Not trying to hijack your thread:
Also, not sure if this is the same for you @designcentre but my traditional ‘Mod Security’ plugin is not showing any activity either. I’ve also run the rotator script to see if that would kick things into gear.
mysql> show tables;
| Tables_in_modsec |
| modsec |
1 row in set (0.00 sec)
mysql> SELECT * FROM modsec;
Empty set (0.00 sec)
Ok, so… not sure how this happened, but in my /usr/local/apache/conf/modsec2.user.conf the following rules were set incorrectly to what is needed apparently
I created both the modsec_audit (and the nobody folder inside it) then owned it to nobody with
chown -R nobody.nobody /usr/local/apache/logs/modsec_audit
Restarted apache and logging is all sorted out now.
I even ran the log script : /etc/cron.hourly/modsecparse.pl
Which properly placed everything into the DB.
Hope this helps.