ModSecurity

Hi all

Sometimes webserver does not respond anymore. Everytime when I check it, there 
is one mlogc process using 1 cpu by 100% and running forever. Apache is 
completely blocked. When I kill the process everything is working normal 
again. The last messages in the mlogc-error.log are these:

[Sat Feb 12 18:56:13 2011] [4] [23028/0] Queue locking thread mutex.
[Sat Feb 12 18:56:13 2011] [4] [23028/0] Worker creation started.
[Sat Feb 12 18:56:13 2011] [4] [23028/0] Destroying thread_pool.
[Sat Feb 12 18:56:15 2011] [5] [23028/6d7ee0] Management thread: Processing
[Sat Feb 12 18:56:15 2011] [4] [23028/6d7ee0] Management thread: Creating 
worker thread to catch up with the queue.
[Sat Feb 12 18:56:15 2011] [4] [23028/0] Worker creation locking thread mutex.
[Sat Feb 12 18:56:15 2011] [4] [23028/0] Worker creation waiting on thread 
mutex.

This seems to be the known problem:  
http://comments.gmane.org/gmane.comp.apache.mod-security.user/7560

but i could not find solution. 
Short description of my system:

mlogc -v
ModSecurity Log Collector (mlogc) v2.5.13
   APR: compiled="1.3.8"; loaded="1.3.8"
  PCRE: compiled="7.8"; loaded="7.8 2008-09-05"
  cURL: compiled="7.19.7"; loaded="libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 
libidn/1.15"

System:         ubuntu 10.04.2 lts x64
Apache:         2.2.14
Modsecurity:    2.5.13
Auditconsole:   0.4.2


if you experienced the same how did you solve it?

Best Regards
George Kobiashvili

Hello George,

I had the same problem but could not find a solution. We had to abandon
mlogc until it gets more stable.

Regards,

Lucas

On Mon, Feb 28, 2011 at 15:39, George Kobiashvili
<gkobiashvili@...:

> Hi all
>
> Sometimes webserver does not respond anymore. Everytime when I check it,
> there
> is one mlogc process using 1 cpu by 100% and running forever. Apache is
> completely blocked. When I kill the process everything is working normal
> again. The last messages in the mlogc-error.log are these:
>
> [Sat Feb 12 18:56:13 2011] [4] [23028/0] Queue locking thread mutex.
> [Sat Feb 12 18:56:13 2011] [4] [23028/0] Worker creation started.
> [Sat Feb 12 18:56:13 2011] [4] [23028/0] Destroying thread_pool.
> [Sat Feb 12 18:56:15 2011] [5] [23028/6d7ee0] Management thread: Processing
> [Sat Feb 12 18:56:15 2011] [4] [23028/6d7ee0] Management thread: Creating
> worker thread to catch up with the queue.
> [Sat Feb 12 18:56:15 2011] [4] [23028/0] Worker creation locking thread
> mutex.
> [Sat Feb 12 18:56:15 2011] [4] [23028/0] Worker creation waiting on thread
> mutex.
>
> This seems to be the known problem:
> http://comments.gmane.org/gmane.comp.apache.mod-security.user/7560
>
> but i could not find solution.
> Short description of my system:
>
> mlogc -v
> ModSecurity Log Collector (mlogc) v2.5.13
>   APR: compiled="1.3.8"; loaded="1.3.8"
>  PCRE: compiled="7.8"; loaded="7.8 2008-09-05"
>  cURL: compiled="7.19.7"; loaded="libcurl/7.19.7 OpenSSL/0.9.8k zlib/
> 1.2.3.3
> libidn/1.15"
>
> System:         ubuntu 10.04.2 lts x64
> Apache:         2.2.14
> Modsecurity:    2.5.13
> Auditconsole:   0.4.2
>
>
> if you experienced the same how did you solve it?
>
> Best Regards
> George Kobiashvili
>
>
> ------------------------------------------------------------------------------
> Free Software Download: Index, Search & Analyze Logs and other IT data in
> Real-Time with Splunk. Collect, index and harness all the fast moving IT
> data
> generated by your applications, servers and devices whether physical,
> virtual
> or in the cloud. Deliver compliance at lower cost and gain new business
> insights. http://p.sf.net/sfu/splunk-dev2dev
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>



-- 
Homo sapiens non urinat in ventum.

Hello Srs,

Yes, this is an old and known bug. I still didn't have time to move in
directions of some of them. However i hope to look it soon.

thanks

Breno

On Mon, Feb 28, 2011 at 1:41 PM, Lucas Ferreira <listas@...> wrote:

> Hello George,
>
> I had the same problem but could not find a solution. We had to abandon
> mlogc until it gets more stable.
>
> Regards,
>
> Lucas
>
>
> On Mon, Feb 28, 2011 at 15:39, George Kobiashvili <
> gkobiashvili@...> wrote:
>
>> Hi all
>>
>> Sometimes webserver does not respond anymore. Everytime when I check it,
>> there
>> is one mlogc process using 1 cpu by 100% and running forever. Apache is
>> completely blocked. When I kill the process everything is working normal
>> again. The last messages in the mlogc-error.log are these:
>>
>> [Sat Feb 12 18:56:13 2011] [4] [23028/0] Queue locking thread mutex.
>> [Sat Feb 12 18:56:13 2011] [4] [23028/0] Worker creation started.
>> [Sat Feb 12 18:56:13 2011] [4] [23028/0] Destroying thread_pool.
>> [Sat Feb 12 18:56:15 2011] [5] [23028/6d7ee0] Management thread:
>> Processing
>> [Sat Feb 12 18:56:15 2011] [4] [23028/6d7ee0] Management thread: Creating
>> worker thread to catch up with the queue.
>> [Sat Feb 12 18:56:15 2011] [4] [23028/0] Worker creation locking thread
>> mutex.
>> [Sat Feb 12 18:56:15 2011] [4] [23028/0] Worker creation waiting on thread
>> mutex.
>>
>> This seems to be the known problem:
>> http://comments.gmane.org/gmane.comp.apache.mod-security.user/7560
>>
>> but i could not find solution.
>> Short description of my system:
>>
>> mlogc -v
>> ModSecurity Log Collector (mlogc) v2.5.13
>>   APR: compiled="1.3.8"; loaded="1.3.8"
>>  PCRE: compiled="7.8"; loaded="7.8 2008-09-05"
>>  cURL: compiled="7.19.7"; loaded="libcurl/7.19.7 OpenSSL/0.9.8k zlib/
>> 1.2.3.3
>> libidn/1.15"
>>
>> System:         ubuntu 10.04.2 lts x64
>> Apache:         2.2.14
>> Modsecurity:    2.5.13
>> Auditconsole:   0.4.2
>>
>>
>> if you experienced the same how did you solve it?
>>
>> Best Regards
>> George Kobiashvili
>>
>>
>> ------------------------------------------------------------------------------
>> Free Software Download: Index, Search & Analyze Logs and other IT data in
>> Real-Time with Splunk. Collect, index and harness all the fast moving IT
>> data
>> generated by your applications, servers and devices whether physical,
>> virtual
>> or in the cloud. Deliver compliance at lower cost and gain new business
>> insights. http://p.sf.net/sfu/splunk-dev2dev
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users@...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> ModSecurity Services from Trustave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>
>
>
> --
> Homo sapiens non urinat in ventum.
>
>
> ------------------------------------------------------------------------------
> Free Software Download: Index, Search & Analyze Logs and other IT data in
> Real-Time with Splunk. Collect, index and harness all the fast moving IT
> data
> generated by your applications, servers and devices whether physical,
> virtual
> or in the cloud. Deliver compliance at lower cost and gain new business
> insights. http://p.sf.net/sfu/splunk-dev2dev
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>
>

On Mon, Feb 28, 2011 at 8:39 PM, George Kobiashvili
<gkobiashvili@...> wrote:

> This seems to be the known problem:
> http://comments.gmane.org/gmane.comp.apache.mod-security.user/7560

Hi George,

FWIW, I've had this issue when there were a very large number of audit
events queued to be uploaded. I ended up using Chris Bockermann's
excellent jwall-tools tool to temporarily upload the events instead.

--
 - Josh

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi George,

as the others already wrote this is a known issue. It has been around in mlogc
for a long time. Since it seems to be related to concurrency issues, it's hard
to reliably reproduce this.

I am currently working on a syslog- or netcat-receiver within the AuditConsole,
which allows for sending events to the console via a plain syslog command, e.g.
like:

    SecAuditLog "|logger -p local3.info"

Then you can set up syslog or syslog-ng to send events of facility local3 to
the AuditConsole.

Unfortunately, this does not do any buffering if the remote side (AuditConsole)
is temporarily not available. Also, it is in a very early state, but will hopefully
be included in the next release of the AuditConsole.


Best regards,

    Chris



Am 28.02.2011 um 19:39 schrieb George Kobiashvili:

> Hi all
> 
> Sometimes webserver does not respond anymore. Everytime when I check it, there 
> is one mlogc process using 1 cpu by 100% and running forever. Apache is 
> completely blocked. When I kill the process everything is working normal 
> again. The last messages in the mlogc-error.log are these:
> 
> [Sat Feb 12 18:56:13 2011] [4] [23028/0] Queue locking thread mutex.
> [Sat Feb 12 18:56:13 2011] [4] [23028/0] Worker creation started.
> [Sat Feb 12 18:56:13 2011] [4] [23028/0] Destroying thread_pool.
> [Sat Feb 12 18:56:15 2011] [5] [23028/6d7ee0] Management thread: Processing
> [Sat Feb 12 18:56:15 2011] [4] [23028/6d7ee0] Management thread: Creating 
> worker thread to catch up with the queue.
> [Sat Feb 12 18:56:15 2011] [4] [23028/0] Worker creation locking thread mutex.
> [Sat Feb 12 18:56:15 2011] [4] [23028/0] Worker creation waiting on thread 
> mutex.
> 
> This seems to be the known problem:  
> http://comments.gmane.org/gmane.comp.apache.mod-security.user/7560
> 
> but i could not find solution. 
> Short description of my system:
> 
> mlogc -v
> ModSecurity Log Collector (mlogc) v2.5.13
>   APR: compiled="1.3.8"; loaded="1.3.8"
>  PCRE: compiled="7.8"; loaded="7.8 2008-09-05"
>  cURL: compiled="7.19.7"; loaded="libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 
> libidn/1.15"
> 
> System:         ubuntu 10.04.2 lts x64
> Apache:         2.2.14
> Modsecurity:    2.5.13
> Auditconsole:   0.4.2
> 
> 
> if you experienced the same how did you solve it?
> 
> Best Regards
> George Kobiashvili
> 
> ------------------------------------------------------------------------------
> Free Software Download: Index, Search & Analyze Logs and other IT data in 
> Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
> generated by your applications, servers and devices whether physical, virtual
> or in the cloud. Deliver compliance at lower cost and gain new business 
> insights. http://p.sf.net/sfu/splunk-dev2dev 
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iD8DBQFNbBmlpc5/RcXDlTwRAv4gAKCCjC4sG6wPwXNvZ0Gu1K+VPURXYwCfRNlH
C3zNk+pxUKacL9fwVVGKiAs=
=udyu
-----END PGP SIGNATURE-----

Good job Chris

Breno

On Mon, Feb 28, 2011 at 3:54 PM, Christian Bockermann <chris@...:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi George,
>
> as the others already wrote this is a known issue. It has been around in
> mlogc
> for a long time. Since it seems to be related to concurrency issues, it's
> hard
> to reliably reproduce this.
>
> I am currently working on a syslog- or netcat-receiver within the
> AuditConsole,
> which allows for sending events to the console via a plain syslog command,
> e.g.
> like:
>
>    SecAuditLog "|logger -p local3.info"
>
> Then you can set up syslog or syslog-ng to send events of facility local3
> to
> the AuditConsole.
>
> Unfortunately, this does not do any buffering if the remote side
> (AuditConsole)
> is temporarily not available. Also, it is in a very early state, but will
> hopefully
> be included in the next release of the AuditConsole.
>
>
> Best regards,
>
>    Chris
>
>
>
> Am 28.02.2011 um 19:39 schrieb George Kobiashvili:
>
> > Hi all
> >
> > Sometimes webserver does not respond anymore. Everytime when I check it,
> there
> > is one mlogc process using 1 cpu by 100% and running forever. Apache is
> > completely blocked. When I kill the process everything is working normal
> > again. The last messages in the mlogc-error.log are these:
> >
> > [Sat Feb 12 18:56:13 2011] [4] [23028/0] Queue locking thread mutex.
> > [Sat Feb 12 18:56:13 2011] [4] [23028/0] Worker creation started.
> > [Sat Feb 12 18:56:13 2011] [4] [23028/0] Destroying thread_pool.
> > [Sat Feb 12 18:56:15 2011] [5] [23028/6d7ee0] Management thread:
> Processing
> > [Sat Feb 12 18:56:15 2011] [4] [23028/6d7ee0] Management thread: Creating
> > worker thread to catch up with the queue.
> > [Sat Feb 12 18:56:15 2011] [4] [23028/0] Worker creation locking thread
> mutex.
> > [Sat Feb 12 18:56:15 2011] [4] [23028/0] Worker creation waiting on
> thread
> > mutex.
> >
> > This seems to be the known problem:
> > http://comments.gmane.org/gmane.comp.apache.mod-security.user/7560
> >
> > but i could not find solution.
> > Short description of my system:
> >
> > mlogc -v
> > ModSecurity Log Collector (mlogc) v2.5.13
> >   APR: compiled="1.3.8"; loaded="1.3.8"
> >  PCRE: compiled="7.8"; loaded="7.8 2008-09-05"
> >  cURL: compiled="7.19.7"; loaded="libcurl/7.19.7 OpenSSL/0.9.8k zlib/
> 1.2.3.3
> > libidn/1.15"
> >
> > System:         ubuntu 10.04.2 lts x64
> > Apache:         2.2.14
> > Modsecurity:    2.5.13
> > Auditconsole:   0.4.2
> >
> >
> > if you experienced the same how did you solve it?
> >
> > Best Regards
> > George Kobiashvili
> >
> >
> ------------------------------------------------------------------------------
> > Free Software Download: Index, Search & Analyze Logs and other IT data in
> > Real-Time with Splunk. Collect, index and harness all the fast moving IT
> data
> > generated by your applications, servers and devices whether physical,
> virtual
> > or in the cloud. Deliver compliance at lower cost and gain new business
> > insights. http://p.sf.net/sfu/splunk-dev2dev
> > _______________________________________________
> > mod-security-users mailing list
> > mod-security-users@...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > ModSecurity Services from Trustave's SpiderLabs:
> > https://www.trustwave.com/spiderLabs.php
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
>
> iD8DBQFNbBmlpc5/RcXDlTwRAv4gAKCCjC4sG6wPwXNvZ0Gu1K+VPURXYwCfRNlH
> C3zNk+pxUKacL9fwVVGKiAs=
> =udyu
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> Free Software Download: Index, Search & Analyze Logs and other IT data in
> Real-Time with Splunk. Collect, index and harness all the fast moving IT
> data
> generated by your applications, servers and devices whether physical,
> virtual
> or in the cloud. Deliver compliance at lower cost and gain new business
> insights. http://p.sf.net/sfu/splunk-dev2dev
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

I just go around this by using the /mlogc-batch-load.pl provided with
modsecurity, running each 5 min on crontab.

I just need to make a simple patch against it beacuse their regexp
don't get all events:

--- /tmp/mlogc-batch-load.pl    2011-03-02 09:32:10.000000000 -0300
+++ /usr/sbin/mlogc-batch-load.pl       2011-02-21 19:09:42.000000000 -0300
@@ -42,7 +42,7 @@


(($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size) = stat($_)) &&
                        -f _ &&
-                       /^\d{8}-\d+-\w{24}$/s
+                       /^\d{8}-\d+-[\w-@...
                        && (($fn = $File::Find::name) =~ s/^\Q$ROOTDIR\E//)
                        && push(@AUDIT, [$fn, $size]);

the way to get it working is configure modsecurity to put events on
directory "SecAuditLogStorageDir /var/log/mlogc/modsec_audit" and
_don't_ pipe the log to mlogc, i.e. "SecAuditLog
/var/log/mlogc/modsec_audit.log"

Run from times to times...
/usr/sbin/mlogc-batch-load.pl /var/log/mlogc/modsec_audit/
/usr/sbin/mlogc /etc/mlogc.conf

Best regards,

Klaubert


On Mon, Feb 28, 2011 at 6:41 PM, Josh Amishav-Zlatin <jamuse@...> wrote:
> On Mon, Feb 28, 2011 at 8:39 PM, George Kobiashvili
> <gkobiashvili@...> wrote:
>
>> This seems to be the known problem:
>> http://comments.gmane.org/gmane.comp.apache.mod-security.user/7560
>
> Hi George,
>
> FWIW, I've had this issue when there were a very large number of audit
> events queued to be uploaded. I ended up using Chris Bockermann's
> excellent jwall-tools tool to temporarily upload the events instead.
>
> --
>  - Josh
>
> ------------------------------------------------------------------------------
> Free Software Download: Index, Search & Analyze Logs and other IT data in
> Real-Time with Splunk. Collect, index and harness all the fast moving IT data
> generated by your applications, servers and devices whether physical, virtual
> or in the cloud. Deliver compliance at lower cost and gain new business
> insights. http://p.sf.net/sfu/splunk-dev2dev
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

FYI - this has been fixed already -
https://www.modsecurity.org/tracker/browse/MODSEC-204

It is in the SVN trunk version -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/mlogc/
mlogc-batch-load.pl.in?revision=1615

-Ryan



On 3/2/11 7:37 AM, "Klaubert Herr da Silveira" <klaubert@...> wrote:

>I just go around this by using the /mlogc-batch-load.pl provided with
>modsecurity, running each 5 min on crontab.
>
>I just need to make a simple patch against it beacuse their regexp
>don't get all events:
>
>--- /tmp/mlogc-batch-load.pl    2011-03-02 09:32:10.000000000 -0300
>+++ /usr/sbin/mlogc-batch-load.pl       2011-02-21 19:09:42.000000000
>-0300
>@@ -42,7 +42,7 @@
>
>
>(($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size) = stat($_)) &&
>                        -f _ &&
>-                       /^\d{8}-\d+-\w{24}$/s
>+                       /^\d{8}-\d+-[\w-@...
>                        && (($fn = $File::Find::name) =~
>s/^\Q$ROOTDIR\E//)
>                        && push(@AUDIT, [$fn, $size]);
>
>the way to get it working is configure modsecurity to put events on
>directory "SecAuditLogStorageDir /var/log/mlogc/modsec_audit" and
>_don't_ pipe the log to mlogc, i.e. "SecAuditLog
>/var/log/mlogc/modsec_audit.log"
>
>Run from times to times...
>/usr/sbin/mlogc-batch-load.pl /var/log/mlogc/modsec_audit/
>/usr/sbin/mlogc /etc/mlogc.conf
>
>Best regards,
>
>Klaubert
>
>
>On Mon, Feb 28, 2011 at 6:41 PM, Josh Amishav-Zlatin <jamuse@...>
>wrote:
>> On Mon, Feb 28, 2011 at 8:39 PM, George Kobiashvili
>> <gkobiashvili@...> wrote:
>>
>>> This seems to be the known problem:
>>> http://comments.gmane.org/gmane.comp.apache.mod-security.user/7560
>>
>> Hi George,
>>
>> FWIW, I've had this issue when there were a very large number of audit
>> events queued to be uploaded. I ended up using Chris Bockermann's
>> excellent jwall-tools tool to temporarily upload the events instead.
>>
>> --
>>  - Josh
>>
>>
>>-------------------------------------------------------------------------
>>-----
>> Free Software Download: Index, Search & Analyze Logs and other IT data
>>in
>> Real-Time with Splunk. Collect, index and harness all the fast moving
>>IT data
>> generated by your applications, servers and devices whether physical,
>>virtual
>> or in the cloud. Deliver compliance at lower cost and gain new business
>> insights. http://p.sf.net/sfu/splunk-dev2dev
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users@...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> ModSecurity Services from Trustave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>
>--------------------------------------------------------------------------
>----
>Free Software Download: Index, Search & Analyze Logs and other IT data in
>Real-Time with Splunk. Collect, index and harness all the fast moving IT
>data
>generated by your applications, servers and devices whether physical,
>virtual
>or in the cloud. Deliver compliance at lower cost and gain new business
>insights. http://p.sf.net/sfu/splunk-dev2dev
>_______________________________________________
>mod-security-users mailing list
>mod-security-users@...
>https://lists.sourceforge.net/lists/listinfo/mod-security-users
>ModSecurity Services from Trustave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php
>


This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.