Re: [mod-security-users] Log file rotation audit_log
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-11-27 17:47:07
Breach developed a compiled program called mlogc as a replacement for the perl script. You can download it from the BSN site as well.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: John covici [mailto:co...@cc...]
> Sent: Tuesday, November 27, 2007 12:40 PM
> To: Ryan Barnett
> Cc: co...@cc...; Michael Renzmann; mod-security-us...@li...
> Subject: RE: [mod-security-users] Log file rotation audit_log
>
> I don't have a mlog.conf -- is there a new Perl program for the
> sensor that one could use with the community console? Also, once the
> database is created are the diskfiles such as the index and the
> subdirectories created by mod-security any longer necessary? If not,
> I could just delete them daily.
>
> on Tuesday 11/27/2007 Ryan Barnett(Ryan.Barnett@Breach.com) wrote
> > This scenario is one of the main benefits of using the commercial
> > management appliance -
> > http://www.breach.com/products/modsecurity-management.html. If you are
> > sending your audit logs from your local sensor to a remote MMA, then you
> > can reconfigure mlogc.conf to actually purge/delete the local files
> > after it successfully sends them to the MMA. This helps to deal with
> > local disk space issues.
> >
> > If you are interested in this approach, you should try out the free
> > community console and see how this all works. You can download it from
> > BSN - https://bsn.breach.com/account/login.php
> >
> > --
> > Ryan C. Barnett
> > ModSecurity Community Manager
> > Breach Security: Director of Training
> > Web Application Security Consortium (WASC) Member
> > CIS Apache Benchmark Project Lead
> > SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> > Author: Preventing Web Attacks with Apache
> >
> > > -----Original Message-----
> > > From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of John covici
> > > Sent: Tuesday, November 27, 2007 2:21 AM
> > > To: Michael Renzmann
> > > Cc: mod...@li...; co...@cc...
> > > Subject: Re: [mod-security-users] Log file rotation audit_log
> > >
> > > Right now I just look at them searching for critical errors or things
> > > of severity error. But the real problem is managing all those
> > > directories when the logging is concurrent and keeping the index
> > > consistent at the same time -- seems quite complicated to me, although
> > > I sort of see how to do it, but this was my original question as to
> > > what others had done with the concurrent logs. After all you have one
> > > directory for each minute of operation!
> > >
> > > on Tuesday 11/27/2007 Michael Renzmann(mre...@ot...) wrote
> > > > Hi.
> > > >
> > > > > No, I just rotate them on a weekly basis which works out for me pretty
> > > > > well. For instance when I was doing concurrent logging, it was about
> > > > > 300mb per day which is much more than the apache logs ever were.
> > > >
> > > > No surprise here, since the audit logs contain much more information than
> > > > the usual Apache access logs.
> > > >
> > > > How are you using your audit logs? Do you have some tool that accesses
> > > > them or are you looking at them "manually"? How often do you access the
> > > > logs (or let the tool access them), and how long do you intend to retain
> > > > the logs?
> > > >
> > > > Bye, Mike
> > >
> > > --
> > > Your life is like a penny. You're going to lose it. The question is:
> > > How do you spend it?
> > >
> > > John Covici
> > > co...@cc...
>
> --
> Your life is like a penny. You're going to lose it. The question is:
> How do you spend it?
>
> John Covici
> co...@cc...
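
The retention problem raised in this thread (one directory per minute of concurrent logging, with an index that has to stay consistent) can be handled by a small pruning job. The following is an added example, not part of the original messages and not Breach or ModSecurity code. It assumes the storage directory is laid out as `YYYYMMDD/YYYYMMDD-HHMM/<entry>` and that each index line contains the entry's path relative to that directory; the function names and sample data are constructed for illustration.

```python
import re
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path

# Assumed layout: <storage>/YYYYMMDD/YYYYMMDD-HHMM/<entry file>
DAY_DIR = re.compile(r"^\d{8}$")
# Assumed index format: each line carries the entry path relative to <storage>.
ENTRY_PATH = re.compile(r"(?<!\S)/\d{8}/\d{8}-\d{4}/\S+")

def prune(storage: Path, index: Path, keep_days: int, today: date) -> tuple[int, int]:
    """Remove day directories older than keep_days, then drop their index lines."""
    cutoff = (today - timedelta(days=keep_days)).strftime("%Y%m%d")
    removed = 0
    for day in sorted(storage.iterdir()):
        # Deletion is driven by directory names only, never by index content,
        # because index lines contain request data supplied by clients.
        if day.is_dir() and not day.is_symlink() and DAY_DIR.match(day.name) and day.name < cutoff:
            shutil.rmtree(day)
            removed += 1
    kept, dropped = [], 0
    for line in index.read_text().splitlines(keepends=True):
        m = ENTRY_PATH.search(line)
        if m and not (storage / m.group(0).lstrip("/")).exists():
            dropped += 1  # entry file is gone, so its index line goes too
        else:
            kept.append(line)
    # Write the new index beside the old one and rename it into place.
    tmp = index.with_name(index.name + ".tmp")
    tmp.write_text("".join(kept))
    tmp.replace(index)
    return removed, dropped

def demo() -> tuple[int, int, str]:
    """Constructed sample tree and index lines, built in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        storage, index = Path(d) / "audit", Path(d) / "index"
        lines = []
        for stamp in ("20071110-111001", "20071127-093000"):
            rel = f"{stamp[:8]}/{stamp[:13]}/{stamp}-SAMPLEID"
            (storage / rel).parent.mkdir(parents=True)
            (storage / rel).write_text("--sample--A--\n")
            lines.append(f'192.0.2.10 192.0.2.1 - - [-] "GET / HTTP/1.1" 200 512 /{rel} 0 900\n')
        index.write_text("".join(lines))
        removed, dropped = prune(storage, index, 7, date(2007, 11, 27))
        return removed, dropped, index.read_text()

if __name__ == "__main__":
    print(demo())
```

As with any Apache log file that is renamed, httpd keeps writing to the old file handle until it is restarted gracefully, so run this as part of the rotation step rather than against a live index.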