Hi All,

FYI

Piped logging is broken on Apache/WindowsNT -- I've found several bugs logged against this issue -- and many posts on the Apache forums discussing problems with piped logs.

I've attached some feedback I've received from the Apache group below....

As a workaround -- can the Breach development team -- modify the Perl script so that it can be run as a cron/scheduled job on the Windows platform ?  That would help -- in the meantime -- I'll work around this issue in other ways....

Thanks all for your help....
Cheers
Frank

The following directive crashes both versions of Apache for me - on WinXP and Win2003....
>>SecAuditLog "|C:/Perl/bin/perl.exe C:/fmm/ApacheSSL224/bin/modsec-auditlog-collector.pl"

Apache 2.0.59 faults:
>>Faulting application httpd.exe, version 2.2.4.0, faulting module libapr-1.dll, version 1.2.8.0, fault address 0x00004c80.

Apache 2.2.4 faults:
>>Faulting application Apache.exe, version 2.0.59.200, faulting module libapr.dll, version 0.9.12.0, fault address 0x0000d6f0.


> From: sctemme@apache.org
> Date: Thu, 28 Jun 2007 09:38:39 -0700
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Does Apache Support Piped Logs On Windows Platform
>
> Frank,
>
> On Jun 28, 2007, at 9:22 AM, Frank Misa wrote:
>
> > I've seen many references to Apache issues with logging to piped
> > processes on the forums; but no clear answer on whether this is
> > supported or not.
> > Can someone here please confirm -- Yes/No...
> > Do the latest versions of Apache 2.0.x OR Apache 2.2.x support
> > piped logs on Windows ?
>
> Piped logs are currently effectively broken on Windows, due to the
> way we do or don't pass valid file descriptors to the called process
> for stdout and stderr. Others more knowledgeable than myself can
> elucidate on this more eloquently than I can.
>
> We're trying to fix it, but that hasn't happened so far. If you want
> to rotate your log files, the best approach is currently to rename
> them and then send your httpd service a restart signal using
>
> \path\to\httpd -n Apache2 -k restart
>
> with the name of the Windows Service as argument to the -n
> parameter. You can script this in any language that pleases you, and
> run it periodically in the Windows Scripting Host.
>
> > >>SecAuditLog "|C:/Perl/bin/perl.exe C:/fmm/ApacheSSL224/bin/modsec-
> > auditlog-collector.pl"
>
> I haven't reviewed mod_security to this extent but does it use the
> Apache logging APIs? Or does it do its own thing?
>
> S.
>
> --
> Sander Temme
> sctemme@apache.org
> PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
>
>
>




> Date: Sat, 23 Jun 2007 22:20:32 -0400
> From: Brian.Rectanus@breach.com
> To: frankmisa@hotmail.com
> CC: Ryan.Barnett@Breach.com; mod-security-users@lists.sourceforge.net
> Subject: Re: [mod-security-users] Perl script issues - running ModSecurityConsole on a Windows box.
>
> Sorry Frank. I am out-of-town until Tue. I'll look more then.
>
> -B
>
> Ryan Barnett wrote:
> > Frank,
> >
> > We will do our best, but please understand that the support that is
> > given to open source Mod users is “best effort”. This is no different
> > than any other open source project. Yes, we do work for Breach and this
> > means that we are wearing multiple hats and also working on the
> > commercial task items as well. We are normally very responsive to
> > questions, issues, etc… but it can take a bit more time to set up
> > different configurations and test them out. If you feel that the open
> > source support is not adequate for your needs and timelines, you may
> > want to consider purchasing commercial ModSecurity support.
> >
> >
> >
> > --
> > */Ryan C. Barnett
> > /*ModSecurity Community Manager
> >
> > Breach Security: Director of Application Security Training
> > Web Application Security Consortium (WASC) Member
> > CIS Apache Benchmark Project Lead
> > SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> >
> > Author: Preventing Web Attacks with Apache
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > *From:* Frank Misa [mailto:frankmisa@hotmail.com]
> > *Sent:* Friday, June 22, 2007 1:18 PM
> > *To:* Ryan Barnett; Brian Rectanus; mod-security-users@lists.sourceforge.net
> > *Subject:* RE: [mod-security-users] Perl script issues - running
> > ModSecurityConsole on a Windows box.
> >
> >
> >
> > Hi Ryan, Brian:
> >
> > OK - I can run from command-line now -- but now I'm back at square one
> > -- Apache on Windows will not start if I configure my system as you
> > suggest here:
> > http://www.modsecurity.org/blog/archives/2007/03/modsecurity_con_1.html
> >
> >
> > You two guys are the only ones who have shown an interest in my
> > question. I'm grateful...
> > You both work for Breach -- can you PLEASE configure a Windows/Apache
> > box..... and confirm that you too are not seeing the same error ?
> > If it works for you then I'll drop this issue -- and pursue another
> > avenue to parse/analyze the log files I've generated.
> >
> > ============================================
> > 1) I can now run the perl script from command line like this:
> > type C:\apache\logs\modSecurity\auditlog\modsec_audit.log |
> > c:\Perl\bin\perl.exe modsec-auditlog-collector.pl
> > C:\apache\logs\modSecurity\audit
> > C:\apache\logs\modSecurity\auditlog\modsec_audit.log
> >
> > NOTE: Even though the system initially complains about: "Failed
> > processing RPC request: Failed to rename file from"
> > Files ARE actually accumulating in the modSecurityConsole
> > ...\var\data\main\console\logs\pending directory -- great.
> > The UI looks - now - like it's getting some data - please see screenshot:
> >
> >
> > ============================================
> > 2) When I configure my Apache/Windows system like this:
> > From: httpd.conf
> >>><IfModule mod_security2.c>
> >>> Include "C:/apache/conf/modsecurity/*.conf"
> >>></IfModule>
> >
> > From: modsecurity_crs_10_config.conf
> >>>SecAuditLog "|C:/Perl/bin/perl.exe
> > C:/apache/bin/modsec-auditlog-collector.pl
> > C:/apache/logs/modSecurity/audit
> > C:/apache/logs/modSecurity/auditlog/audit.log"
> >
> > I cannot start Apache -- no error on console running:
> >>>C:\apache\bin>Apache -S
> >>>C:\apache\bin>
> >
> > But the event viewer displays:
> >>>Faulting application Apache.exe, version 2.0.59.200, faulting module
> > libapr.dll, version 0.9.12.0, fault address 0x0000d6f0.
> >
> > Thanks
> > Frank
> >
> >
>
>
> --
> Brian Rectanus
> Breach Security


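The rename-then-restart rotation suggested in the quoted users@httpd reply, written out as an added example; it is not code from this thread or from the Apache or ModSecurity projects. It uses PowerShell rather than the Windows Scripting Host, and assumes `SecAuditLog` points at a plain file instead of a pipe; the `$HttpdExe` placeholder path and the `$WaitSeconds` value are assumptions, while the service name and log path are the ones quoted above.

```powershell
# Added example (not from the thread): rotate a ModSecurity audit log on Windows
# by renaming it and restarting the httpd service, then confirm a new log exists.
param(
    # Assumption: placeholder for the httpd binary (the thread only gives \path\to\httpd).
    [string]$HttpdExe    = 'C:\path\to\httpd.exe',
    [string]$ServiceName = 'Apache2',   # service name passed to -n, as in the thread
    [string]$AuditLog    = 'C:\apache\logs\modSecurity\auditlog\modsec_audit.log',
    [int]$WaitSeconds    = 30           # assumption: how long to wait for the new log
)
$ErrorActionPreference = 'Stop'

$log = Get-Item -LiteralPath $AuditLog -ErrorAction SilentlyContinue
if (-not $log -or $log.Length -eq 0) {
    Write-Output "Nothing to rotate at $AuditLog"
    return
}

# Timestamped name in the same directory, e.g. modsec_audit.log.20070628-093839
$rotatedName = '{0}.{1}' -f $log.Name, (Get-Date -Format 'yyyyMMdd-HHmmss')
Rename-Item -LiteralPath $log.FullName -NewName $rotatedName
$rotatedPath = Join-Path $log.DirectoryName $rotatedName

# httpd keeps writing to the renamed file until it reopens its logs on restart.
& $HttpdExe -n $ServiceName -k restart
if ($LASTEXITCODE -ne 0) {
    throw "httpd -k restart exited with code $LASTEXITCODE; audit records may still go to $rotatedPath"
}

# Audit logging that silently stops is a detection gap, so verify the new file.
# Expectation (assumption): the audit log is recreated when the server starts.
$deadline = (Get-Date).AddSeconds($WaitSeconds)
while (-not (Test-Path -LiteralPath $AuditLog) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 1
}
if (-not (Test-Path -LiteralPath $AuditLog)) {
    throw "No new audit log at $AuditLog after restart"
}
Write-Output "Rotated to $rotatedPath"
```

Run from a scheduled task, a non-zero exit from either `throw` gives the scheduler a failure to alert on.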