Hi Brian,

Apache development is telling me that piped logging - for Apache on Windows is broken - period.
I think you should test your Perl script - at Breach - on some "NT/XP/200x" generation Windows box and verify for yourselves if your script works.

I suspect that - no - apache will not pipe to your script - as is - on Windows machines.
Breach should state this in their release notes/documentation -- "Windows not Supported at this time - don't waste your time".

All I want to know is:
1) Have you tested the script at Breach on a Windows box -- and does it work for you?
2) Is Windows a supported platform -- for the ModSecurityConsole log collection Perl script?

We don't pay for Breach support yet -- so I don't expect anyone to provide me with patches;  however, I'm sure your paying customers will want to know the answers to 1) & 2).....

As much as I appreciate you forwarding the diff file - I think you guys should be testing / applying the patch to your systems.
The fact that such a patch exists -- suggests there is a possibility that maybe it should be incorporated into your future releases - no ?
Lucky I have Cygwin installed on my Windows box -- this is what I get when I try to apply the patch:
      >> $ patch -i modsec-auditlog-collector.pl.diff
      >>patching file modsec-auditlog-collector.pl
      >>Hunk #3 FAILED at 77.
      >>Hunk #4 succeeded at 108 (offset 2 lines).
      >>Hunk #5 FAILED at 123.
      >>Hunk #6 succeeded at 195 (offset 8 lines).
      >>Hunk #7 FAILED at 211.
      >>3 out of 7 hunks FAILED -- saving rejects to file modsec-auditlog-collector.pl.rej

* I'll dig through the diff later tonight and try to merge the changes manually -- just to see if it works.
* I'll also try wrapping the script in a *.bat file to see if that helps.... and a number of other ideas I have....

I'll let you know if things work for me -- but really -- this shouldn't be so hard.....

Either:
A) it works for you on Windows -- and I'm left to fend for myself -- that's my problem -- no problem.
OR
B) It's broken for you and everyone else as well -- in which case -- I move on and use another approach to manage the log files....

Thanks
Frank





> Date: Fri, 29 Jun 2007 09:50:19 -0400
> From: Brian.Rectanus@breach.com
> To: frankmisa@hotmail.com
> CC: mod-security-users@lists.sourceforge.net
> Subject: Re: [mod-security-users] Perl script issues - running ModSecurityConsole on a Windows box.
>
> Aleksey Yudin (http://www.ptsecurity.ru) sent a patch a while back on
> the list. I attached it, but have not tested it.
>
> -B
>
> Frank Misa wrote:
> > Hi All,
> >
> > FYI
> >
> > Piped logging is broken on Apache/WindowsNT -- I've found several BUGs
> > logged against this issue -- and many posts on the Apache forums
> > discussing problems with piped logs.
> >
> > I've attached some feedback I've received from the Apache group below....
> >
> > As a workaround -- can the Breach development team -- modify the Perl
> > script so that it can be run as a cron/scheduled job on the Windows
> > platform ? That would help -- in the meantime -- I'll work around this
> > issue in other ways....
> >
> > Thanks all for your help....
> > Cheers
> > Frank
> >
> > The following directive crashes both versions of Apache for me - on
> > WinXP and Win2003....
> > >>SecAuditLog "|C:/Perl/bin/perl.exe C:/fmm/ApacheSSL224/bin/modsec-auditlog-collector.pl"
> >
> > Apache 2.0.59 faults:
> >>>Faulting application httpd.exe, version 2.2.4.0, faulting module
> > libapr-1.dll, version 1.2.8.0, fault address 0x00004c80.
> >
> > Apache 2.2.4 faults:
> >>>Faulting application Apache.exe, version 2.0.59.200, faulting module
> > libapr.dll, version 0.9.12.0, fault address 0x0000d6f0.
> >
> > ------------------------------------------------------------------------
> >
> > > From: sctemme@apache.org
> > > Date: Thu, 28 Jun 2007 09:38:39 -0700
> > > To: users@httpd.apache.org
> > > Subject: Re: [users@httpd] Does Apache Support Piped Logs On
> > Windows Platform
> > >
> > > Frank,
> > >
> > > On Jun 28, 2007, at 9:22 AM, Frank Misa wrote:
> > >
> > > > I've seen many references to Apache issues with logging to piped
> > > > processes on the forums; but no clear answer on whether this is
> > > > supported or not.
> > > > Can someone here please confirm -- Yes/No...
> > > > Do the latest versions of Apache 2.0.x OR Apache 2.2.x support
> > > > piped logs on Windows ?
> > >
> > > Piped logs are currently effectively broken on Windows, due to the
> > > way we do or don't pass valid file descriptors to the called process
> > > for stdout and stderr. Others more knowledgeable than myself can
> > > elucidate on this more eloquently than I can.
> > >
> > > We're trying to fix it, but that hasn't happened so far. If you want
> > > to rotate your log files, the best approach is currently to rename
> > > them and then send your httpd service a restart signal using
> > >
> > > \path\to\httpd -n Apache2 -k restart
> > >
> > > with the name of the Windows Service as argument to the -n
> > > parameter. You can script this in any language that pleases you, and
> > > run it periodically in the Windows Scripting Host.
> > >
> > > > >>SecAuditLog "|C:/Perl/bin/perl.exe C:/fmm/ApacheSSL224/bin/modsec-auditlog-collector.pl"
> > >
> > > I haven't reviewed mod_security to this extent but does it use the
> > > Apache logging APIs? Or does it do its own thing?
> > >
> > > S.
> > >
> > > --
> > > Sander Temme
> > > sctemme@apache.org
> > > PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
> > >
> > >
> > >
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >> Date: Sat, 23 Jun 2007 22:20:32 -0400
> >> From: Brian.Rectanus@breach.com
> >> To: frankmisa@hotmail.com
> >> CC: Ryan.Barnett@Breach.com; mod-security-users@lists.sourceforge.net
> >> Subject: Re: [mod-security-users] Perl script issues - running
> > ModSecurityConsole on a Windows box.
> >>
> >> Sorry Frank. I am out-of-town until Tue. I'll look more then.
> >>
> >> -B
> >>
> >> Ryan Barnett wrote:
> >> > Frank,
> >> >
> >> > We will do our best, but please understand that the support that is
> >> > given to open source Mod users is “best effort”. This is no different
> >> > than any other open source project. Yes, we do work for Breach and this
> >> > means that we are wearing multiple hats and also working on the
> >> > commercial task items as well. We are normally very responsive to
> >> > questions, issues, etc… but it can take a bit more time to setup
> >> > different configurations and test them out. If you feel that the open
> >> > source support is not adequate for your needs and timelines, you may
> >> > want to consider purchasing commercial ModSecurity support.
> >> >
> >> >
> >> >
> >> > --
> >> > Ryan C. Barnett
> >> > ModSecurity Community Manager
> >> >
> >> > Breach Security: Director of Application Security Training
> >> > Web Application Security Consortium (WASC) Member
> >> > CIS Apache Benchmark Project Lead
> >> > SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> >> >
> >> > Author: Preventing Web Attacks with Apache
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > ------------------------------------------------------------------------
> >> >
> >> > *From:* Frank Misa [mailto:frankmisa@hotmail.com]
> >> > *Sent:* Friday, June 22, 2007 1:18 PM
> >> > *To:* Ryan Barnett; Brian Rectanus;
> > mod-security-users@lists.sourceforge.net
> >> > *Subject:* RE: [mod-security-users] Perl script issues - running
> >> > ModSecurityConsole on a Windows box.
> >> >
> >> >
> >> >
> >> > Hi Ryan, Brian:
> >> >
> >> > OK - I can run from command-line now -- but now I'm back at square one
> >> > -- Apache on Windows will not start if I configure my system as you
> >> > suggest here:
> >> > http://www.modsecurity.org/blog/archives/2007/03/modsecurity_con_1.html
> >> >
> >> >
> >> > You two guys are the only ones who have shown an interest in my
> >> > question. I'm grateful...
> >> > You both work for Breach -- can you PLEASE configure a Windows/Apache
> >> > box..... and confirm that you too are not seeing the same error ?
> >> > If it works for you then I'll drop this issue -- and pursue another
> >> > avenue to parse/analyze the log files I've generated.
> >> >
> >> > ============================================
> >> > 1) I can now run the perl script from command line like this:
> >> > type C:\apache\logs\modSecurity\auditlog\modsec_audit.log | c:\Perl\bin\perl.exe modsec-auditlog-collector.pl C:\apache\logs\modSecurity\audit C:\apache\logs\modSecurity\auditlog\modsec_audit.log
> >> >
> >> > NOTE: Even though the system initially complains about: "Failed
> >> > processing RPC request: Failed to rename file from"
> >> > Files ARE actually accumulating in the modSecurityConsole
> >> > ...\var\data\main\console\logs\pending directory -- great.
> >> > The UI looks - now - like it's getting some data - please see screenshot:
> >> >
> >> >
> >> > ============================================
> >> > 2) When I configure my Apache/Windows system like this:
> >> > From: httpd.conf
> >> >>><IfModule mod_security2.c>
> >> >>> Include "C:/apache/conf/modsecurity/*.conf"
> >> >>></IfModule>
> >> >
> >> > From: modsecurity_crs_10_config.conf
> >> > >>SecAuditLog "|C:/Perl/bin/perl.exe C:/apache/bin/modsec-auditlog-collector.pl C:/apache/logs/modSecurity/audit C:/apache/logs/modSecurity/auditlog/audit.log"
> >> >
> >> > I cannot start Apache -- no error on console running:
> >> >>>C:\apache\bin>Apache -S
> >> >>>C:\apache\bin>
> >> >
> >> > But the event viewer displays:
> >> >>>Faulting application Apache.exe, version 2.0.59.200, faulting module
> >> > libapr.dll, version 0.9.12.0, fault address 0x0000d6f0.
> >> >
> >> > Thanks
> >> > Frank
> >> >
> >> >
> >>
> >>
> >> --
> >> Brian Rectanus
> >> Breach Security
> >
>
>
> --
> Brian Rectanus
> Breach Security
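
The workaround pieces mentioned in this thread (rename the log, restart the service with `httpd -n Apache2 -k restart`, and feed the log to the collector on stdin as in the `type ... |` run) can be combined into one scheduled job. The Python script below is an added example, not code from Breach, the Apache project or anyone in the thread; the function name, the timestamp suffix and the `.sent` marker are assumptions.

```python
import os
import subprocess
import time


def rotate_and_collect(audit_log, restart_cmd, collector_cmd, now=None):
    """Rename the audit log, restart httpd, then pipe the renamed file to
    the collector. Returns the delivered file's path, or None if the log
    was missing or empty."""
    if not os.path.isfile(audit_log) or os.path.getsize(audit_log) == 0:
        return None  # nothing logged since the last run

    stamp = time.strftime("%Y%m%d-%H%M%S", time.localtime(now))
    rotated = f"{audit_log}.{stamp}"
    if os.path.exists(rotated):
        raise FileExistsError(rotated)  # never overwrite an earlier rotation

    # Step 1: rename first, so entries written up to the restart still land
    # in the file that is about to be collected.
    os.rename(audit_log, rotated)

    # Step 2: restart so httpd opens a fresh log under the original name.
    # check=True stops here on failure; the rotated file stays on disk.
    subprocess.run(restart_cmd, check=True)

    # Step 3: stream the rotated file into the collector's stdin, the
    # equivalent of "type <log> | perl modsec-auditlog-collector.pl ...".
    with open(rotated, "rb") as src:
        subprocess.run(collector_cmd, stdin=src, check=True)

    # Mark the file as delivered (assumed convention) so it can be pruned.
    done = rotated + ".sent"
    os.rename(rotated, done)
    return done


if __name__ == "__main__":
    # Paths, service name and collector arguments as quoted in the thread;
    # "\path\to\httpd" is the thread's own placeholder.
    log = r"C:\apache\logs\modSecurity\auditlog\modsec_audit.log"
    rotate_and_collect(
        log,
        [r"\path\to\httpd", "-n", "Apache2", "-k", "restart"],
        [r"C:\Perl\bin\perl.exe", "modsec-auditlog-collector.pl",
         r"C:\apache\logs\modSecurity\audit", log],
    )
```

If the restart or the collector fails, the timestamped file is left without the `.sent` suffix, so undelivered audit data is easy to spot and resend.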

