Re: [mod-security-users] problem with bns.branch.cm
From: diego s. <die...@gm...> - 2010-09-07 15:14:42
Well, I don't make mlog run; however, here are my steps, step by step, because I don't know.

mlogc: make install mlogc. I think that my error is in the installation of mlogc. I open mloc-src in the folder modesecurity and compile with make and make install, and then I copy that mlogc into /usr/local/bin/mlogc with

-rwxrwxrwx 1 root root 46677 sep 3 11:39 mlogc

my modsecurity_crs_10_config.conf

SecRuleEngine On
# SecDebugLog /etc/modsecurity2/logs/modsec_debug.log
SecAuditLog /etc/modsecurity2/logs/modsec_audit.log

# Turn the filtering engine On or Off
SecRuleEngine On

# Make sure that URL encoding is valid
# SecRuleCheckURLEncoding On

# Unicode encoding check
#SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
# SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# Debug level set to a minimum
# SecFilterDebugLog logs/modsec_debug_log
# SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
# SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
# SecFilterDefaultAction "deny,log,status:500"

# Use ReleventOnly auditing
SecAuditEngine RelevantOnly

# Must use concurrent logging
SecAuditLogType Concurrent

# Send all audit log parts
SecAuditLogParts ABIDEFGHZ

# Use the same /CollectorRoot/LogStorageDir as in mlogc.conf
SecAuditLogStorageDir /var/log/mlogc/data

# Pipe audit log to mlogc with your configuration
SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"

**************************************************************

my mlog.conf (-rwxrwxrwx 1 root root 3542 sep 3 11:44 mlogc.conf)

# Points to the root of the installation. All relative
# paths will be resolved with the help of this path.
CollectorRoot "/var/log/mlogc"

# ModSecurity Console receiving URI. You can change the host
# and the port parts but leave everything else as is.
ConsoleURI "https://xxx.xx.x.xx:8888/rpc/auditLogReceiver"

# Sensor credentials
SensorUsername "xxxxx"
SensorPassword "xxxxx"

# Base directory where the audit logs are stored. This can be specified
# as a path relative to the CollectorRoot, or a full path.
LogStorageDir "data"

# Transaction log will contain the information on all log collector
# activities that happen between checkpoints. The transaction log
# is used to recover data in case of a crash (or if Apache kills
# the process).
TransactionLog "mlogc-transaction.log"

# The file where the pending audit log entry data is kept. This file
# is updated on every checkpoint.
QueuePath "mlogc-queue.log"

# The location of the error log.
ErrorLog "mlogc-error.log"

# The location of the lock file.
LockFile "mlogc.lck"

# Keep audit log entries after sending? (0=false 1=true)
# NOTE: This is required to be set in SecAuditLog mlogc config if you
# are going to use a secondary console via SecAuditLog2.
KeepEntries 0

##########################################################################
# Optional configuration
##########################################################################

# The error log level controls how much detail there
# will be in the error log. The levels are as follows:
# 0 - NONE
# 1 - ERROR
# 2 - WARNING
# 3 - NOTICE
# 4 - DEBUG
# 5 - DEBUG2
#
ErrorLogLevel 3

# How many concurrent connections to the server
# are we allowed to open at the same time? Log collector uses
# multiple connections in order to speed up audit log transfer.
# This is especially needed when the communication takes place
# over a slow link (e.g. not over a LAN).
MaxConnections 10

# How many requests a worker will process before recycling itself.
# This is to help prevent problems due to any memory leaks that may
# exists. If this is set to 0, then no maximum is imposed. The default
# is 1000 requests per worker (the number of workers is controlled by the
# MaxConnections limit).
MaxWorkerRequests 1000

# The time each connection will sit idle before being reused,
# in milliseconds. Increase if you don't want ModSecurity Console
# to be hit with too many log collector requests.
TransactionDelay 50

# The time to wait before initialization on startup in milliseconds.
# Increase if mlogc is starting faster then termination when the
# sensor is reloaded.
StartupDelay 5000

# How often is the pending audit log entry data going to be written
# to a file. The default is 15 seconds.
CheckpointInterval 15

# If the server fails all threads will back down until the
# problem is sorted. The management thread will periodically
# launch a thread to test the server. The default is to test
# once in 60 seconds.
ServerErrorTimeout 60

# The following two parameters are not used yet, but
# reserved for future expansion.
# KeepAlive 150
# KeepAliveTimeout 300

******************************************

That is not working:

ConsoleURI "https://xxx.xx.x.xx:8888/rpc/auditLogReceiver"

*************************************

my executable mlogc:

-rwxrwxrwx 1 root root 46677 sep 3 11:39 /usr/local/bin/mlogc

****************************************************

The state of my logs is the following ->

mlogc-error.log

[Tue Sep 07 10:27:57 2010] [3] [3247/0] Caught SIGTERM, shutting down.
[Tue Sep 07 10:27:57 2010] [3] [3247/0] ModSecurity Audit Log Collector 2.5.12 terminating normally.
[Tue Sep 07 10:28:12 2010] [2] [2797/865c410] Flagging server as errored after failure to submit entry TIZTA38AAQEAAAsJAbAAAAAA (cURL code 7): couldn't connect to host
[Tue Sep 07 10:29:18 2010] [2] [2797/865c410] Flagging server as errored after failure to submit entry TIZTBH8AAQEAAAsJAbEAAAAA (cURL code 7): couldn't connect to host
[Tue Sep 07 10:30:23 2010] [2] [2797/865c410] Flagging server as errored after failure to submit entry TIZTBH8AAQEAAAsJAbEAAAAA (cURL code 7): couldn't connect to

********************

mlogc-transaction.log is empty

and mlogc-queue.log

1283871969
xxx.xx.x.xx xx.xx.x.xx - - [07/Sep/2010:10:28:12 --04-1800] "GET / HTTP/1.1" 200 56 "-" "-" TIZTA38AAQEAAAsJAbAAAAAA "-" /20100907/20100907-1028/20100907-102812-TIZTA38AAQEAAAsJAbAAAAAA 0 1987 md5:4cb43b2d16dcc3c049af7e36b8517c47
xx.xx.xx.xx xxx.xx.x.xx - - [07/Sep/2010:10:28:12 --04-1800] "GET /favicon.ico HTTP/1.1" 404 265 "-" "-" TIZTBH8AAQEAAAsJAbEAAAAA "-" /20100907/20100907-1028/20100907-102812-TIZTBH8AAQEAAAsJAbEAAAAA 0 1965 md5:6d407528cddeb94d0be018c05ea41d

What else is my error?

2010/9/7 diego subero <die...@gm...>

>
>
> 2010/9/6 ll <ibe...@gm...>
>
> in my mlogc.conf, there is
>> CollectorRoot "/www/logs"
>> it seems this option is not in your mlogc.conf
>>
>> and you need to set something in the modsecurity_crs_10_config.conf
>> like this
>> SecAuditLogType Concurrent
>> #SecAuditLog logs/modsec_audit.log
>> SecAuditLog "|/usr/local/bin/mlogc /www/conf/mlogc.conf"
>> SecAuditLogStorageDir logs/data
>>
>> On 2010-9-4 3:51, diego subero wrote:
>>
>> I am using modsecurity version 2.5.12 on an apache version 2.2.14. When I
>> access the apache server, the server logs are showing the activities but the
>> logs in , and my console web no show me nothing
>>
>>
>> Configuring ModSecurity Audit Log Collector 2.5.12.
>> [Fri Sep 03 13:52:46 2010] [3] [2755/0] Delaying execution for 5000ms.
>> [Fri Sep 03 13:52:50 2010] [3] [2746/0] Queue file not found. New one will
>> be created.
>> [Fri Sep 03 13:52:50 2010] [3] [2746/0] Caught SIGTERM, shutting down.
>> [Fri Sep 03 13:52:50 2010] [3] [2746/0] ModSecurity Audit Log Collector
>> 2.5.12 terminating normally.
>> [Fri Sep 03 13:52:50 2010] [3] [2747/0] Queue file not found. New one will
>> be created.
>> [Fri Sep 03 13:52:50 2010] [3] [2747/0] Caught SIGTERM, shutting down.
>> [Fri Sep 03 13:52:50 2010] [3] [2747/0] ModSecurity Audit Log Collector
>> 2.5.12 terminating normally.
>> [Fri Sep 03 13:52:51 2010] [3] [2749/0] Queue file not found. New one will
>> be created.
>> [Fri Sep 03 13:52:51 2010] [3] [2755/0] Queue file not found. New one will
>> be created.
>>
>> and for my website that site no allow enter with my name and password of my
>> sensor
>>
>> https://myip:8888/rpc/auditLogReceiver
>>
>> no enter.
>>
>> my mlog.conf is the following
>>
>> # ModSecurity Console receiving URI. You can change the host
>> # and the port parts but leave everything else as is.
>> ConsoleURI "https://myip:8888/rpc/auditLogReceiver"
>>
>> # Sensor credentials
>> SensorUsername "admin"
>> SensorPassword "prueba"
>>
>> # Base directory where the audit logs are stored. This can be specified
>> # as a path relative to the CollectorRoot, or a full path.
>> LogStorageDir "data"
>>
>> # Transaction log will contain the information on all log collector
>> # activities that happen between checkpoints. The transaction log
>> # is used to recover data in case of a crash (or if Apache kills
>> # the process).
>> TransactionLog "mlogc-transaction.log"
>>
>> # The file where the pending audit log entry data is kept. This file
>> # is updated on every checkpoint.
>> QueuePath "mlogc-queue.log"
>>
>> # The location of the error log.
>> ErrorLog "mlogc-error.log"
>>
>> # The location of the lock file.
>> LockFile "mlogc.lck"
>>
>> # Keep audit log entries after sending? (0=false 1=true)
>> # NOTE: This is required to be set in SecAuditLog mlogc config if you
>> # are going to use a secondary console via SecAuditLog2.
>> KeepEntries 0
>>
>>
>> ##########################################################################
>> # Optional configuration
>> ##########################################################################
>>
>> # The error log level controls how much detail there
>> # will be in the error log. The levels are as follows:
>> # 0 - NONE
>> # 1 - ERROR
>> # 2 - WARNING
>> # 3 - NOTICE
>> # 4 - DEBUG
>> # 5 - DEBUG2
>> #
>> ErrorLogLevel 3
>>
>> # How many concurrent connections to the server
>> # are we allowed to open at the same time? Log collector uses
>> # multiple connections in order to speed up audit log transfer.
>> # This is especially needed when the communication takes place
>> # over a slow link (e.g. not over a LAN).
>> MaxConnections 10
>>
>> # How many requests a worker will process before recycling itself.
>> # This is to help prevent problems due to any memory leaks that may
>> # exists. If this is set to 0, then no maximum is imposed. The default
>> # is 1000 requests per worker (the number of workers is controlled by the
>> # MaxConnections limit).
>> MaxWorkerRequests 1000
>>
>> # The time each connection will sit idle before being reused,
>> # in milliseconds. Increase if you don't want ModSecurity Console
>> # to be hit with too many log collector requests.
>> TransactionDelay 50
>>
>> # The time to wait before initialization on startup in milliseconds.
>> # Increase if mlogc is starting faster then termination when the
>> # sensor is reloaded.
>> StartupDelay 5000
>>
>> # How often is the pending audit log entry data going to be written
>> # to a file. The default is 15 seconds.
>> CheckpointInterval 15
>>
>> # If the server fails all threads will back down until the
>> # problem is sorted. The management thread will periodically
>> # launch a thread to test the server. The default is to test
>> # once in 60 seconds.
>> ServerErrorTimeout 60
>>
>> # The following two parameters are not used yet, but
>> # reserved for future expansion.
>> # KeepAlive 150
>> # KeepAliveTimeout 300
>>
>>
>> 2010/9/2 ll <ibe...@gm...>
>>
>>> Are you looking for this:
>>>
>>> http://www.breach.com/resources/modsecurity/free-license.txt
>>>
>>> On 2010-9-3 2:48, diego subero wrote:
>>>
>>> Hi all, I installed modsecurity console, but when I am testing my
>>> community console, the licence is invalid and the web site bsn,branch is
>>> down? What is the solution?
>>>
>>> --
>>> Diego Subero
>>>
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>> Commercial ModSecurity Appliances, Rule Sets and Support:
>>> http://www.modsecurity.org/breach/index.html
>>>
>>
>>
>> --
>> Diego Subero
>>
>
>
> --
> Diego Subero
>

--
Diego Subero
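
An added example (not part of the thread and not ModSecurity project code): a Python cross-check of the relationship the quoted configuration comments describe, namely that SecAuditLogStorageDir must equal CollectorRoot/LogStorageDir from mlogc.conf, with Concurrent logging piped to the collector. The embedded configs are constructed from the values quoted in the message, and `directives` and `check` are hypothetical helper names.

```python
import os
import shlex
from collections import Counter

# Constructed samples, reduced from the configuration quoted in the thread.
MODSEC_CONF = '''
SecRuleEngine On
SecAuditLog /etc/modsecurity2/logs/modsec_audit.log
SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/mlogc/data
SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
'''
MLOGC_CONF = '''
CollectorRoot "/var/log/mlogc"
LogStorageDir "data"
'''

def directives(text):
    """Return [(name, [args])] for every non-blank, non-comment line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            out.append((name, args))
    return out

def check(modsec_text, mlogc_text):
    """Cross-check the audit-log directives against mlogc.conf."""
    mod = directives(modsec_text)
    mlogc = {n: a[0] for n, a in directives(mlogc_text) if a}
    findings = [f"{n} is set {c} times"
                for n, c in Counter(n for n, _ in mod).items() if c > 1]
    # Assumption of this sketch: the last occurrence is the value checked.
    last = {n: a[0] for n, a in mod if a}
    if last.get("SecAuditLogType", "").lower() != "concurrent":
        findings.append("SecAuditLogType is not Concurrent")
    if not last.get("SecAuditLog", "").startswith("|"):
        findings.append("SecAuditLog is not piped to a collector")
    storage = last.get("SecAuditLogStorageDir")
    root, sub = mlogc.get("CollectorRoot"), mlogc.get("LogStorageDir")
    if None in (storage, root, sub):
        findings.append("a storage directory directive is missing")
    elif os.path.normpath(storage) != os.path.normpath(os.path.join(root, sub)):
        findings.append(f"storage dir mismatch: {storage} != {os.path.join(root, sub)}")
    return findings

if __name__ == "__main__":
    for finding in check(MODSEC_CONF, MLOGC_CONF):
        print(finding)
```

On the constructed sample the only finding is the doubled SecAuditLog directive; the storage directories agree.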