Re: [mod-security-users] Log file rotation audit_log

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Breach developed a compiled program called mlogc as a replacement for
the perl script.  You can download it from the BSN site as well.

--=20
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: John covici [mailto:co...@cc...]
> Sent: Tuesday, November 27, 2007 12:40 PM
> To: Ryan Barnett
> Cc: co...@cc...; Michael Renzmann; mod-security-
> us...@li...
> Subject: RE: [mod-security-users] Log file rotation audit_log
>=20
> I don't have a mlog.conf -- is there a new Perl program for the
> sensor that one could use with the community console?  Also, once the
> database is created are the diskfiles such as the index and the
> subdirectories created by mod-security any longer necessary?  If not,
> I could just delete them daily.
>=20
> on Tuesday 11/27/2007 Ryan Barnett(Ryan.Barnett@Breach.com) wrote
>  > This scenario is one of the main benefits of using the commercial
>  > management appliance -
>  > http://www.breach.com/products/modsecurity-management.html.  If you
are
>  > sending your audit logs from your local sensor to a remote MMA,
then
> you
>  > can reconfigure mlogc.conf to actually purge/delete the local files
>  > after it successfully sends them to the MMA.  This helps to deal
with
>  > local disk space issues.
>  >
>  > If you are interested in this approach, you should try out the free
>  > community console and see how this all works.  You can download it
from
>  > BSN - https://bsn.breach.com/account/login.php
>  >
>  > --
>  > Ryan C. Barnett
>  > ModSecurity Community Manager
>  > Breach Security: Director of Training
>  > Web Application Security Consortium (WASC) Member
>  > CIS Apache Benchmark Project Lead
>  > SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
>  > Author: Preventing Web Attacks with Apache
>  >
>  > > -----Original Message-----
>  > > From: mod...@li...
[mailto:mod-
>  > > sec...@li...] On Behalf Of John
> covici
>  > > Sent: Tuesday, November 27, 2007 2:21 AM
>  > > To: Michael Renzmann
>  > > Cc: mod...@li...;
co...@cc...
>  > > Subject: Re: [mod-security-users] Log file rotation audit_log
>  > >
>  > > Right now I just look at them searching for critical errors or
things
>  > > of severity error.  But the real problem is managing all those
>  > > directories  when the logging is concurrent and keeping the index
>  > > consistent at the same time -- seems quite complicated to me,
> although
>  > > I sort of see how to do it, but this was my original question as
to
>  > > what others had done with the concurrent logs.  After all you
have
> one
>  > > directory for each minute of operation!
>  > >
>  > >
>  > > on Tuesday 11/27/2007 Michael Renzmann(mre...@ot...)
wrote
>  > >  > Hi.
>  > >  >
>  > >  > > No, I just rotate them on a weekly basis which works out for
me
>  > > pretty
>  > >  > > well.  For instance when I was doing concurrent logging, it
was
>  > about
>  > >  > > 300mb per day which is much more than the apache logs ever
were.
>  > >  >
>  > >  > No surprise here, since the audit logs contain much more
>  > information
>  > > than
>  > >  > the usual Apache access logs.
>  > >  >
>  > >  > How are you using your audit logs? Do you have some tool that
>  > accesses
>  > >  > them or are you looking at them "manually"? How often do you
> access
>  > the
>  > >  > logs (or let the tool access them), and how long do you intend
to
>  > > retain
>  > >  > the logs?
>  > >  >
>  > >  > Bye, Mike
>  > >
>  > > --
>  > > Your life is like a penny.  You're going to lose it.  The
question
> is:
>  > > How do
>  > > you spend it?
>  > >
>  > >          John Covici
>  > >          co...@cc...
>  > >
>  > >
>  >
-----------------------------------------------------------------------
> -
>  > -
>  > > This SF.net email is sponsored by: Microsoft
>  > > Defy all challenges. Microsoft(R) Visual Studio 2005.
>  > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>  > > _______________________________________________
>  > > mod-security-users mailing list
>  > > mod...@li...
>  > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>=20
> --
> Your life is like a penny.  You're going to lose it.  The question is:
> How do
> you spend it?
>=20
>          John Covici
>          co...@cc...