ConfigServer Modsecurity Control

Is it just me or has ConfigServer stopped reading the logs on /usr/local/apache/logs/modsec_audit/?
Prior to the last WAF upgrade I used to be able to see the logs in that interface but it no longer works… has Comodo WAF interfered with that or is it a ConfigServer problem?

Anyone else noticed this?

Check your modsec2.conf file, the update has wiped the following:

Include "/usr/local/apache/conf/modsec2.whitelist.conf"

Just add that to the bottom and restart.

Request for admin: When ModSec updates are made via Comodo’s cPanel plugin, can you please retain any settings or custom modifications to the modsec2.conf file? It’s quite annoying that these always disappear when an update is made, have to re-add them on every server again.

Unfortunately that didn’t resolve my problem…

ConfigServer ModSecurity Control - cmc v1.14
Displaying logs from /usr/local/apache/logs/modsec_audit/
No entries found in /usr/local/apache/logs/modsec_audit.log

Yet if I go to the actual log file itself “/usr/local/apache/logs/modsec_audit.log” it’s been written to as expected

I can confirm the same. Log file is growing, but not being seen/reported in WHM.

Not trying to hijack your thread:

Also, not sure if this is the same for you @designcentre but my traditional ‘Mod Security’ plugin is not showing any activity either. I’ve also run the rotator script to see if that would kick things into gear.

Here: /etc/cron.hourly/modsecparse.pl

Additionally:

mysql> show tables;
+------------------+
| Tables_in_modsec |
+------------------+
| modsec           |
+------------------+
1 row in set (0.00 sec)

mysql> SELECT * FROM modsec;

Empty set (0.00 sec)

Ok, so… not sure how this happened, but in my /usr/local/apache/conf/modsec2.user.conf the following rules were set incorrectly to what is needed apparently

Previous:
SecDataDir /tmp
SecAuditLogStorageDir /tmp/modseclogs

Current (Working):
SecDataDir /usr/local/apache/logs/modsec_audit
SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit

I created both the modsec_audit (and the nobody folder inside it) then owned it to nobody with

chown -R nobody.nobody /usr/local/apache/logs/modsec_audit

Restarted apache and logging is all sorted out now.

I even ran the log script : /etc/cron.hourly/modsecparse.pl

Which properly placed everything into the DB.

Hope this helps.
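
A check for the three things this thread ends up fixing (the whitelist Include in modsec2.conf, the two directory directives in modsec2.user.conf, and the existence and ownership of the log directory with its nobody subfolder), as an added example that is not part of any post above. The function names, argument order and demo files are assumptions made for illustration, and it relies on GNU `stat -c`.

```shell
# Added example, not from the thread. Function names and arguments are
# hypothetical; the directive names and values are the ones posted above.

# Print the last value of directive $2 in file $1 (comment lines skipped).
directive_value() {
    [ -r "$1" ] || return 0
    awk -v d="$2" '$1 ~ /^#/ { next }
        tolower($1) == tolower(d) { v = $2 }
        END { gsub(/"/, "", v); print v }' "$1"
}

# check_modsec MAIN_CONF USER_CONF LOG_DIR OWNER
# Prints one line per problem and returns 1 if any was found.
check_modsec() {
    main=$1; user=$2; want=${3%/}; owner=$4; rc=0
    for d in SecDataDir SecAuditLogStorageDir; do
        got=$(directive_value "$user" "$d")
        [ "${got%/}" = "$want" ] || { echo "MISMATCH $d=$got"; rc=1; }
    done
    # The Include must use plain ASCII quotes (or none); curly quotes pasted
    # from a web page do not match and are reported as missing.
    grep -Eiq '^[[:space:]]*Include[[:space:]]+"?[A-Za-z0-9_./-]*modsec2\.whitelist\.conf"?[[:space:]]*$' \
        "$main" 2>/dev/null || { echo "MISSING whitelist Include"; rc=1; }
    # The log directory and the nobody folder inside it must exist with the right owner.
    for p in "$want" "$want/nobody"; do
        if [ ! -d "$p" ]; then
            echo "MISSING dir $p"; rc=1
        elif [ "$(stat -c %U "$p")" != "$owner" ]; then
            echo "OWNER $p is not $owner"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: the "Previous" settings from the thread, in a temp dir.
demo() {
    t=$(mktemp -d)
    printf 'SecDataDir /tmp\nSecAuditLogStorageDir /tmp/modseclogs\n' > "$t/user.conf"
    printf 'Include “/usr/local/apache/conf/modsec2.whitelist.conf”\n' > "$t/main.conf"
    mkdir -p "$t/modsec_audit/nobody"
    check_modsec "$t/main.conf" "$t/user.conf" "$t/modsec_audit" \
        "$(stat -c %U "$t")" || echo "problems found"
    rm -rf "$t"
}
demo
```

On a server, pass the real modsec2.conf and modsec2.user.conf paths, /usr/local/apache/logs/modsec_audit as the log directory and nobody as the owner.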