Re: [Mod-security-developers] SecAuditLogType concurrent, SecAuditLog has file name "audit.log" cre
From: Breno S. <bre...@gm...> - 2012-08-23 18:04:59
Hello,

Yes, looks like a possible fix. I just need to make some tests. Could you send a patch ?

Thanks

Breno

On Thu, Aug 23, 2012 at 12:49 PM, seema deepak <see...@gm...> wrote:

> Hi,
>
> Is this a known issue ?
>
> Let me explain the scenario little more.
>
> If we use the below configuration (without SecAuditLogStorageDir) ...
>
> -- -- -- -- --
>
> SecRuleEngine On
> SecAuditEngine On
> SecAuditLogType concurrent
> SecAuditLog ./audit.log
> SecAuditLogParts ABCFHZ
> -- -- -- -- --
>
> when the server starts up, it creates "audit.log" file relative to the
> server's config directory ( <config dir>/audit.log ).
> And when ModSecurity processes the request, logs the msg in the concurrent
> log file created relative to server's config directory ( e.g.
> <config dir>/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0) and
> that file's info get logged in the audit.log file.
> So we do see some entries in audit.log and the concurrent log.
>
> If we change AuditLog's location to some absolute path like /tmp/audit.log,
> then audit.log is created in the /tmp dir and concurrent logs are also
> created in /tmp dir
> ( /tmp/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0).
>
> Issue is when we specify just the filename for SecAuditLog.
> -- -- -- -- --
>
> SecRuleEngine On
> SecAuditEngine On
> SecAuditLogType concurrent
> SecAuditLog audit.log
> SecAuditLogParts ABCFHZ
> -- -- -- -- --
>
> At server startup, audit.log file gets created in the server's config
> directory ( <config dir>/audit.log ) . During request processing when
> ModSecurity tries to create the concurrent log file it tries to create
> <config dir>/audit.log/<date>/.. dirs but fails as audit.log already exists
> and is a file.
>
> Change in file_dirname() of msc_util.c to return "." when filename doesn't
> have "/" or "\" fixed the issue.
> Please let us know if it is the right fix.
>
> Thanks,
> Seema.
>
> On Tue, Aug 7, 2012 at 9:31 AM, Parthasarathi Kundu <par...@ya...> wrote:
>
>> If the rule file contains SecAuditLog and provides the file name and
>> there is no SecAuditLogStorageDir( it is not mandatory) , it creates
>> audit.log as the directory instead of creating that as the index file.
>>
>> SecRuleEngine On
>> SecAuditEngine On
>> SecAuditLogType concurrent
>> SecAuditLog audit.log
>> SecAuditLogParts ABCFHZ
>>
>> The behaviour is different when SecAuditLog ./audit.log.
>>
>> The issue is with file_dirname(msr->mp, "audit.log")function. it returns
>> "audit.log", where as
>> file_dirname(msr->mp, "./audit.log" ) correctly returns "." as the
>> directory.
>>
>> Should not it return "." even on file_dirname(msr->mp, "audit.log") ?
>>
>> Thanks
>> Partha
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
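The behaviour discussed in this thread, as an added example that is not part of the original messages and is not ModSecurity's own code: a stand-alone C program that derives the directory part of a SecAuditLog value the way the thread reports file_dirname() doing it, beside the proposed fix of returning "." for a bare filename. The names dir_of and collides are hypothetical, and malloc stands in for the APR pool that the real function takes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Directory part of filename; the caller frees the result.
 * dot_for_bare = 0 reproduces the behaviour reported in the thread,
 * dot_for_bare = 1 applies the fix proposed there. (Hypothetical helper.) */
static char *dir_of(const char *filename, int dot_for_bare)
{
    char *b, *c;

    if (filename == NULL) return NULL;
    b = malloc(strlen(filename) + 2);   /* always room for "." */
    if (b == NULL) return NULL;
    strcpy(b, filename);

    c = strrchr(b, '/');
    if (c == NULL) c = strrchr(b, '\\');
    if (c != NULL) {
        *c = '\0';                      /* cut at the last separator */
    } else if (dot_for_bare) {
        strcpy(b, ".");                 /* bare name: current directory */
    }                                   /* else the bare name comes back unchanged */
    return b;
}

/* 1 if the derived storage directory is the index file itself, the condition
 * under which creating <dir>/<date>/... fails because <dir> is a file. */
static int collides(const char *audit_log, int dot_for_bare)
{
    char *dir = dir_of(audit_log, dot_for_bare);
    int hit = (dir != NULL && strcmp(dir, audit_log) == 0);
    free(dir);
    return hit;
}

int main(void)
{
    /* SecAuditLog values taken from the three configurations in the thread. */
    const char *cases[] = { "audit.log", "./audit.log", "/tmp/audit.log" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char *before = dir_of(cases[i], 0), *after = dir_of(cases[i], 1);
        printf("%-15s reported=%-10s fixed=%-5s collides: %d -> %d\n", cases[i],
               before, after, collides(cases[i], 0), collides(cases[i], 1));
        free(before);
        free(after);
    }
    return 0;
}
```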