When I have the cwaf plugin set to serial, hits are properly loaded into the WHM ModSecurity Hits List. However, when the cwaf plugin is set to concurrent (recommended), the hits are not seen on the WHM ModSec Hits List. The hits are still recorded into the /usr/local/apache/logs/modsec_audit.log and into the /usr/local/apache/logs/nobody folder. I’m not sure what to have in the Audit Log Storage field for log directory. The default /usr/local/apache/logs/modsec_audit makes no sense to me as the main log file is not in that directory, in fact, that directory doesn’t exist. If I put the nobody folder into the Audit Log Storage field in the plugin, the hits are still not seen in WHM ModSec Hits List. My understanding is that WHM Modsec can parse concurrent modsec log files. How can I get the cwaf plugin parameters to use concurrent and log to the WHM Hits List, as modsec serial method is deprecated?
We reproduced this issue: logs are written to /usr/local/apache/logs/nobody, but are not visible in ModSecurity™ Tools - Hits list.
So, we suppose it’s possible only if modsec_audit.log is serial.
Maybe the cPanel development team could resolve this issue.