Re: [mod-security-users] {Disarmed} Re: Broke mlogc
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] {Disarmed} Re: Broke mlogc
|
From: Dimitri Y. <dyi...@fi...> - 2010-02-11 15:15:07
|
Hi, Ivan.
Sure enough, there are exceptions listed in
debug.log.0:
Feb 10, 2010 6:34:48 PM
org.mortbay.http.HttpConnection exception
WARNING: PUT /rpc/auditLogReceiver HTTP/1.1
java.lang.NumberFormatException: For input
string: "6966436955734"
at
java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
at
java.lang.Integer.parseInt(Integer.java:459)
at
java.lang.Integer.parseInt(Integer.java:497)
at
org.mortbay.http.HttpFields.getIntField(HttpFields.java:986)
at
org.mortbay.http.HttpMessage.getIntField(HttpMessage.java:333)
at
org.mortbay.http.HttpConnection.verifyHTTP_1_1
(HttpConnection.java:482)
at
org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:969)
at
org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)
at
org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
at
org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)
at
org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)
Feb 10, 2010 6:34:48 PM
org.mortbay.http.HttpConnection exception
WARNING: PUT /rpc/auditLogReceiver HTTP/1.1
java.lang.NumberFormatException: For input
string: "7052336301674"
at
java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
at
java.lang.Integer.parseInt(Integer.java:459)
at
java.lang.Integer.parseInt(Integer.java:497)
at
org.mortbay.http.HttpFields.getIntField(HttpFields.java:986)
at
org.mortbay.http.HttpMessage.getIntField(HttpMessage.java:333)
at
org.mortbay.http.HttpConnection.verifyHTTP_1_1
(HttpConnection.java:482)
at
org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:969)
at
org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)
at
org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
at
org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)
at
org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)
and in stderr.log:
Velocity message: 1 Velocimacro : initialization
starting.
Velocity message: 1 Velocimacro : adding VMs from
VM library template : VM_global_library.vm
Velocity message: 3 ResourceManager : unable to
find resource 'VM_global_library.vm' in any
resource loader.
Velocity message: 1 Velocimacro : error using VM
library template VM_global_library.vm :
org.apache.velocity.exception.Reso
urceNotFoundException: Unable to find
resource 'VM_global_library.vm'
Velocity message: 1 Velocimacro : VM library
template macro registration complete.
Additionally, if this will help:
java version "1.5.0_08"
modsecurity-console version 1.02 (later versions
didn't work for me)
Continuing help much appreciated.
Dimitri
On Wednesday 10 February 2010 5:43:05 pm you
wrote:
> And you have no administrative events on the
> home page of the console (in the lower area)?
>
> You should go to CONSOLEHOME/var/logs and look
> at stderr.log and debug.log.0. There's going to
> be an exception there that describes the
> problem.
>
> On Wed, Feb 10, 2010 at 7:03 PM, Dimitri Yioulos
<dyi...@fi...> wrote:
> > J,
> >
> > I can access the console. However, there've
> > been no new dtata reported in it since I
> > broke mlogc.
> >
> > Dimitri
> >
> >
> > On Wed, 10 Feb 2010 20:37:59 +0200, Jamuse
> > wrote
> >
> >> Hey Dimitri,
> >>
> >> Can you confirm that your console is running
> >> properly? Can you access the administrative
> >> console via your web browser?
> >>
> >> - J
> >>
> >> On Wed, Feb 10, 2010 at 5:33 PM, Dimitri
Yioulos <dyi...@fi...>wrote:
> >> > Chris,
> >> >
> >> > Here's my mlogc.conf:
> >> >
> >> > CollectorRoot "/var/log/mlogc"
> >> >
> >> > ConsoleURI
> >> > "http://192.168.1.3:8886/rpc/auditLogRece
> >> >iver"
> >> >
> >> > SensorUsername "xxxxxxx"
> >> > SensorPassword "yyyyyyy"
> >> >
> >> > LogStorageDir "data"
> >> >
> >> > TransactionLog
> >> > "mlogc-transaction.log"
> >> >
> >> > QueuePath "mlogc-queue.log"
> >> >
> >> > ErrorLog "mlogc-error.log"
> >> >
> >> > LockFile "mlogc.lck"
> >> >
> >> > KeepEntries 0
> >> >
> >> > ErrorLogLevel 3
> >> >
> >> > MaxConnections 10
> >> >
> >> > TransactionDelay 50
> >> >
> >> > StartupDelay 1000
> >> >
> >> > CheckpointInterval 15
> >> >
> >> > ServerErrorTimeout 60
> >> >
> >> > I didn't change ot from that of the
> >> > previous version. Nor did I change
> >> > anything having
> >> > to do with the console itself. I did a
> >> > diff modsecurity.conf-minimal and my
> >> > modsecurity.conf, and made appropriate
> >> > changes (I checked for typos, etc.). I did
> >> > as
> >> > Jamuse suggested, and upped the log level
> >> > of mlogc, and have posted output to
> >> > pastebin
> >> > (http://pastebin.com/d48d02659). Looking
> >> > forward to everyone's analysis.
> >> >
> >> > Dimitri
> >> >
> >> >
> >> > On Wed, 10 Feb 2010 13:17:59 +0100,
> >> > Christian Bockermann wrote
> >> >
> >> > > Hi Dimitri,
> >> > >
> >> > > these error indicate that the
> >> > > ModSecurity Console was unable to
> >> > > process the incoming data. That's why it
> >> > > rejected the events and mlogc flagged
> >> >
> >> > the
> >> >
> >> > > console as "errored".
> >> > > (mlogc is trying to send the same event
> >> > > over and over again)
> >> > >
> >> > > Did you modify your mlogc-configuration
> >> > > or the ModSecurity console before
> >> > > getting these errors?
> >> > >
> >> > > Some more information about your setup
> >> > > would help: especially the
> >> >
> >> > mlogc-config
> >> >
> >> > > (without passwords).
> >> > >
> >> > > Best regards,
> >> > > Chris
> >> > >
> >> > > Am 09.02.2010 um 23:06 schrieb Dimitri
Yioulos:
> >> > > > Greetz, all.
> >> > > >
> >> > > > Well, here we go again. I was looking
> >> > > > to upgrade modsec to the latest and
> >> > > > greatest from version 2.5.9. All of
> >> > > > the pieces are where they should be,
> >> > > > and config files (I believe) correct,
> >> > > > but now I'm geeting no output to the
> >> > > > modsecurity console, and am getting
> >> > > > this in mlogc-log.error:
> >> > > >
> >> > > > [Tue Feb 09 17:00:37 2010] [2]
> >> > > > [12366/9b678a8] Flagging server as
> >> > > > errored after failure to submit entry
> >> > > > SM4XTcCoAQMAAHNbbhYAAAAG with HTTP
> >> > > > response code 500: Internal Server
> >> > > > Error [Tue Feb 09 17:00:37 2010] [2]
> >> > > > [12369/8f308a8] Flagging server as
> >> > > > errored after failure to submit entry
> >> > > > SM4XTcCoAQMAAHNbbhYAAAAG with HTTP
> >> > > > response code 500: Internal Server
> >> > > > Error [Tue Feb 09 17:01:42 2010] [2]
> >> > > > [12366/9b678a8] Flagging server as
> >> > > > errored after failure to submit entry
> >> > > > SM4XTcCoAQMAAHNbbhYAAAAG with HTTP
> >> > > > response code 500: Internal Server
> >> > > > Error [Tue Feb 09 17:01:42 2010] [2]
> >> > > > [12369/8f308a8] Flagging server as
> >> > > > errored after failure to submit entry
> >> > > > SM4XTcCoAQMAAHNbbhYAAAAG with HTTP
> >> > > > response code 500: Internal Server
> >> > > > Error [Tue Feb 09 17:02:47 2010] [2]
> >> > > > [12366/9b678a8] Flagging server as
> >> > > > errored after failure to submit entry
> >> > > > SM4XTcCoAQMAAHNbbhYAAAAG with HTTP
> >> > > > response code 500: Internal Server
> >> > > > Error [Tue Feb 09 17:02:47 2010] [2]
> >> > > > [12369/8f308a8] Flagging server as
> >> > > > errored after failure to submit entry
> >> > > > SM4XTcCoAQMAAHNbbhYAAAAG with HTTP
> >> > > > response code 500: Internal Server
> >> > > > Error [Tue Feb 09 17:03:52 2010] [2]
> >> > > > [12366/9b678a8] Flagging server as
> >> > > > errored after failure to submit entry
> >> > > > SM4XTcCoAQMAAHNbbhYAAAAG with HTTP
> >> > > > response code 500: Internal Server
> >> > > > Error [Tue Feb 09 17:03:52 2010] [2]
> >> > > > [12369/8f308a8] Flagging server as
> >> > > > errored after failure to submit entry
> >> > > > SM4XTcCoAQMAAHNbbhYAAAAG with HTTP
> >> > > > response code 500: Internal Server
> >> > > > Error [Tue Feb 09 17:04:57 2010] [2]
> >> > > > [12366/9b678a8] Flagging server as
> >> > > > errored after failure to submit entry
> >> > > > SM4XTcCoAQMAAHNbbhYAAAAG with HTTP
> >> > > > response code 500: Internal Server
> >> > > > Error [Tue Feb 09 17:04:57 2010] [2]
> >> > > > [12369/8f308a8] Flagging server as
> >> > > > errored after failure to submit entry
> >> > > > SM4XTcCoAQMAAHNbbhYAAAAG (cURL code
> >> > > > 55): select/poll returned error
> >> > > >
> >> > > > How might I fix what I messed up.
> >> > > >
> >> > > > Thanks.
> >> > > >
> >> > > > Dimitri
> >> > > >
> >> > > > --
> >> > > > This message has been scanned for
> >> > > > viruses and dangerous content by
> >> > > > MailScanner, and is believed to be
> >> > > > clean.
> >> >
> >> > ------------------------------------------
> >> >------------------------------------
> >> >
> >> > > > SOLARIS 10 is the OS for Data Centers
> >> > > > - provides features such as
> >> >
> >> > DTrace,
> >> >
> >> > > > Predictive Self Healing and Award
> >> > > > Winning ZFS. Get Solaris 10 NOW
> >> > > > http://p.sf.net/sfu/solaris-dev2dev
> >> > > > ______________________________________
> >> > > >_________ mod-security-users mailing
> >> > > > list
> >> > > > mod...@li...urceforge.n
> >> > > >et
> >> > > > https://lists.sourceforge.net/lists/li
> >> > > >stinfo/mod-security-users Commercial
> >> > > > ModSecurity Appliances, Rule Sets and
> >> > > > Support:
> >> > > > http://www.modsecurity.org/breach/inde
> >> > > >x.html
> >> > >
> >> > > --
> >> > > This message has been scanned for
> >> > > viruses and dangerous content by
> >> > > MailScanner, and is believed to be
> >> > > clean.
> >> >
> >> > --
> >> > Dimitri Yioulos, CIO
> >> > First 1 Financial Corporation
> >> > 600 Cordwainer Dr.
> >> > Norwell, MA 02061
> >> >
> >> > 781-871-4220 x1007
> >> > dyi...@fi...
> >> >
> >> >
> >> > --
> >> > This message has been scanned for viruses
> >> > and dangerous content by MailScanner, and
> >> > is believed to be clean.
> >> >
> >> >
> >> >
> >> > ------------------------------------------
> >> >------------------------------------
> >> > SOLARIS 10 is the OS for Data Centers -
> >> > provides features such as DTrace,
> >> > Predictive Self Healing and Award Winning
> >> > ZFS. Get Solaris 10 NOW
> >> > http://p.sf.net/sfu/solaris-dev2dev
> >> > __________________________________________
> >> >_____ mod-security-users mailing list
> >> > mod...@li...
> >> > https://lists.sourceforge.net/lists/listin
> >> >fo/mod-security-users Commercial
> >> > ModSecurity Appliances, Rule Sets and
> >> > Support:
> >> > http://www.modsecurity.org/breach/index.ht
> >> >ml
> >>
> >> --
> >> This message has been scanned for viruses
> >> and dangerous content by MailScanner, and is
> >> believed to be clean.
> >
> > --
> > Dimitri Yioulos, CIO
> > First 1 Financial Corporation
> > 600 Cordwainer Dr.
> > Norwell, MA 02061
> >
> > 781-871-4220 x1007
> > dyi...@fi...
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> >
> > ---------------------------------------------
> >--------------------------------- SOLARIS 10
> > is the OS for Data Centers - provides
> > features such as DTrace, Predictive Self
> > Healing and Award Winning ZFS. Get Solaris 10
> > NOW http://p.sf.net/sfu/solaris-dev2dev
> > _____________________________________________
> >__ mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/
> >mod-security-users Commercial ModSecurity
> > Appliances, Rule Sets and Support:
> > http://www.modsecurity.org/breach/index.html
>
> --
> Ivan Ristic
> ModSecurity Handbook
> [https://www.feistyduck.com] SSL Labs
> [https://www.ssllabs.com/ssldb/]
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
|