Re: [mod-security-users] {Disarmed} Re: Broke mlogc
From: Dimitri Y. <dyi...@fi...> - 2010-02-10 19:03:49
J,

I can access the console. However, there've been no new data reported in it since I broke mlogc.

Dimitri

On Wed, 10 Feb 2010 20:37:59 +0200, Jamuse wrote
> Hey Dimitri,
>
> Can you confirm that your console is running properly? Can you access the
> administrative console via your web browser?
>
> - J
>
> On Wed, Feb 10, 2010 at 5:33 PM, Dimitri Yioulos <dyi...@fi...> wrote:
>
> > Chris,
> >
> > Here's my mlogc.conf:
> >
> > CollectorRoot "/var/log/mlogc"
> > ConsoleURI "http://192.168.1.3:8886/rpc/auditLogReceiver"
> > SensorUsername "xxxxxxx"
> > SensorPassword "yyyyyyy"
> > LogStorageDir "data"
> > TransactionLog "mlogc-transaction.log"
> > QueuePath "mlogc-queue.log"
> > ErrorLog "mlogc-error.log"
> > LockFile "mlogc.lck"
> > KeepEntries 0
> > ErrorLogLevel 3
> > MaxConnections 10
> > TransactionDelay 50
> > StartupDelay 1000
> > CheckpointInterval 15
> > ServerErrorTimeout 60
> >
> > I didn't change it from that of the previous version. Nor did I change anything having
> > to do with the console itself. I did a diff modsecurity.conf-minimal and my
> > modsecurity.conf, and made appropriate changes (I checked for typos, etc.). I did as
> > Jamuse suggested, and upped the log level of mlogc, and have posted output to pastebin
> > (http://pastebin.com/d48d02659). Looking forward to everyone's analysis.
> >
> > Dimitri
> >
> > On Wed, 10 Feb 2010 13:17:59 +0100, Christian Bockermann wrote
> > > Hi Dimitri,
> > >
> > > these errors indicate that the ModSecurity Console was unable to process
> > > the incoming data. That's why it rejected the events and mlogc flagged the
> > > console as "errored".
> > > (mlogc is trying to send the same event over and over again)
> > >
> > > Did you modify your mlogc-configuration or the ModSecurity console before
> > > getting these errors?
> > >
> > > Some more information about your setup would help: especially the mlogc-config
> > > (without passwords).
> > >
> > > Best regards,
> > > Chris
> > >
> > > On 09.02.2010 at 23:06, Dimitri Yioulos wrote:
> > >
> > > > Greetz, all.
> > > >
> > > > Well, here we go again. I was looking to upgrade
> > > > modsec to the latest and greatest from version
> > > > 2.5.9. All of the pieces are where they should
> > > > be, and config files (I believe) correct, but now
> > > > I'm getting no output to the modsecurity console,
> > > > and am getting this in mlogc-log.error:
> > > >
> > > > [Tue Feb 09 17:00:37 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> > > > [Tue Feb 09 17:00:37 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> > > > [Tue Feb 09 17:01:42 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> > > > [Tue Feb 09 17:01:42 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> > > > [Tue Feb 09 17:02:47 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> > > > [Tue Feb 09 17:02:47 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> > > > [Tue Feb 09 17:03:52 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> > > > [Tue Feb 09 17:03:52 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> > > > [Tue Feb 09 17:04:57 2010] [2] [12366/9b678a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG with HTTP response code 500: Internal Server Error
> > > > [Tue Feb 09 17:04:57 2010] [2] [12369/8f308a8] Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG (cURL code 55): select/poll returned error
> > > >
> > > > How might I fix what I messed up?
> > > >
> > > > Thanks.
> > > >
> > > > Dimitri
> > > >
> > > > --
> > > > This message has been scanned for viruses and
> > > > dangerous content by MailScanner, and is
> > > > believed to be clean.
> > > >
> > > > ------------------------------------------------------------------------------
> > > > SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
> > > > Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
> > > > http://p.sf.net/sfu/solaris-dev2dev
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > Commercial ModSecurity Appliances, Rule Sets and Support:
> > > > http://www.modsecurity.org/breach/index.html
> >
> > --
> > Dimitri Yioulos, CIO
> > First 1 Financial Corporation
> > 600 Cordwainer Dr.
> > Norwell, MA 02061
> >
> > 781-871-4220 x1007
> > dyi...@fi...
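Added example (not part of the thread and not ModSecurity or mlogc code): a short Python triage of the mlogc error-log lines quoted above. It groups failed submissions by entry ID so that one entry being resent over and over, the behaviour Christian describes, shows up as a single stuck item with its attempt count, failure causes and time span. The regular expression is derived only from the lines in this thread, and the function names and the `min_attempts` threshold are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Four of the error-log lines quoted in the thread, e-mail wrapping undone.
MSG = "Flagging server as errored after failure to submit entry SM4XTcCoAQMAAHNbbhYAAAAG"
SAMPLE = "\n".join([
    f"[Tue Feb 09 17:00:37 2010] [2] [12366/9b678a8] {MSG} with HTTP response code 500: Internal Server Error",
    f"[Tue Feb 09 17:00:37 2010] [2] [12369/8f308a8] {MSG} with HTTP response code 500: Internal Server Error",
    f"[Tue Feb 09 17:01:42 2010] [2] [12366/9b678a8] {MSG} with HTTP response code 500: Internal Server Error",
    f"[Tue Feb 09 17:04:57 2010] [2] [12369/8f308a8] {MSG} (cURL code 55): select/poll returned error",
])

# Derived only from the lines above; third bracket kept as an opaque worker ID (assumption).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\d+)\] \[(?P<worker>[^\]]+)\] "
    r"Flagging server as errored after failure to submit entry (?P<entry>\S+) "
    r"(?:with HTTP response code (?P<http>\d{3})|\(cURL code (?P<curl>\d+)\))"
)

def parse(text):
    """Yield (timestamp, worker, entry_id, cause) for each submit failure."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # unrelated or malformed lines are skipped
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            cause = f"HTTP {m['http']}" if m["http"] else f"cURL {m['curl']}"
            yield ts, m["worker"], m["entry"], cause

def stuck_entries(text, min_attempts=3):
    """Report entries that failed at least min_attempts times (retry loop)."""
    by_entry = defaultdict(list)
    for ts, worker, entry, cause in parse(text):
        by_entry[entry].append((ts, worker, cause))
    report = {}
    for entry, hits in by_entry.items():
        if len(hits) >= min_attempts:
            times = [h[0] for h in hits]
            report[entry] = {
                "attempts": len(hits),
                "workers": sorted({h[1] for h in hits}),
                "causes": sorted({h[2] for h in hits}),
                "span_seconds": int((max(times) - min(times)).total_seconds()),
            }
    return report

if __name__ == "__main__":
    for entry, info in stuck_entries(SAMPLE).items():
        print(entry, info)
```

A single entry ID accounting for every failure points at the console rejecting that one event rather than at a network outage, and while it is stuck no newer audit events reach the console.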