Re: [mod-security-users] mlogc on IIS
From: Ricardo F. <rfe...@ap...> - 2014-06-10 21:55:27
Hi,

I'm trying to get time for more debugging. I think IIS is not accepting the pipe in the conf file; even with a bat file IIS returns an error about opening the file (don't know if it is a security feature in IIS or some kind of limitation of modsecurity.dll).

Best Regards,
Ricardo Fernandes

From: J. Tozo [mailto:jun...@gm...]
Sent: Tuesday, June 10, 2014 10:52 PM
To: mod...@li...
Subject: Re: [mod-security-users] mlogc on IIS

Hi Ricardo, thanks for your answer.

This configuration file is a result of several tries to make it work. I was thinking of a way to only generate the logs in any format readable by mlogc and later call mlogc using task scheduler to send to my log console.

Have you had any success in a workaround for this bug?

On Tue, Jun 10, 2014 at 6:38 PM, Ricardo Fernandes <rfe...@ap...> wrote:

Hello,

I haven't found the answer yet, but I can tell you one thing wrong is that for SecAuditLogType you should use Concurrent not Serial.

Modsec.conf
http://pastebin.com/XNCwEitz

I had already tried a lot of combinations and always the same error, I think this is a bug...

mlog.conf
http://pastebin.com/4GEuRhwn

Best Regards,
Ricardo Fernandes

From: J. Tozo [mailto:jun...@gm...]
Sent: Tuesday, June 10, 2014 10:28 PM
To: mod...@li...
Subject: Re: [mod-security-users] mlogc on IIS

Relevant information: I'm trying to deploy it in a Windows 2008 server R2 within IIS 7.5.

On Tue, Jun 10, 2014 at 6:24 PM, J. Tozo <jun...@gm...> wrote:

Hi, suffering from the same issue here, does anyone know the right direction to point me?

My configuration: (Full conf at http://pastebin.com/2tf9jeAW )

SecAuditLogType Serial
SecAuditLog "| C:\Windows\System32\inetsrv\mlogc.exe C:\Windows\System32\inetsrv\mlogc.conf"

Answer in the Windows Event Viewer:

Syntax error in config file C:\Program Files\ModSecurity IIS\modsecurity.conf, line 26: ModSecurity: Failed to open the audit log pipe: C:\Windows\System32\inetsrv\mlogc.exe C:\Windows\System32\inetsrv\mlogc.conf

If I execute the piped command directly in PowerShell, mlogc works as expected.

From mlogc-error.log:

[Tue Jun 10 18:14:03 2014] [3] [6200/0] Configuring ModSecurity Audit Log Collector 2.8.0.
[Tue Jun 10 18:14:03 2014] [3] [6200/0] Delaying execution for 5000ms.
[Tue Jun 10 18:14:08 2014] [3] [6200/0] Queue file not found. New one will be created.
[Tue Jun 10 18:14:08 2014] [3] [6200/0] ModSecurity Audit Log Collector 2.8.0 terminating normally.

I also noted that Serial logs aren't being created correctly in the folder already set in modsecurity.conf:

SecAuditLogStorageDir "C:\inetpub\logs\audit"

This directory has permissions which everyone can read write and execute.

I'm stuck, any help will be appreciated.

-J

On Wed, May 21, 2014 at 12:11 PM, Ryan Barnett <RBa...@tr...> wrote:

Can you list your modsecurity conf data for the audit log directives?

Ryan Barnett
Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

On 5/21/14 8:51 AM, "Marcus Semblano" <mar...@lo...> wrote:

>Does anyone here use ModSecurity on IIS?
>
>No answers at all!!
>No proper documentation on IIS configuration regarding config files.
>
>Maybe it's better to file a bug report :/
>
>Best regards,
>
>Marcus Semblano
>
>________________________________________
>From: Ricardo Fernandes [rfe...@ap...]
>Sent: Monday, May 19, 2014 11:21 AM
>To: mod...@li...
>Subject: [mod-security-users] mlogc on IIS
>
>Hello,
>
>I'm experiencing the same problem of this link:
>http://sourceforge.net/p/mod-security/mailman/message/31780263/
>
>I cannot send the events for remote console:
>
>Syntax error in config file C:\Program Files\ModSecurity
>IIS\modsecurity.conf, line 195: ModSecurity: Failed to open the audit log
>pipe: c:\inetpub\modsecurity\bin\mlog.bat
>
>IIS 8.5 (Windows Server 2012 R2)
>The folder has all the permissions necessary
>
>Can not find anything in web out to configure correctly mlogc for iis...
>
>ModSecurity is running ok, only the part for sending for console is
>failing.
>
>Best Regards,
>Ricardo Fernandes
>
>_______________________________________________
>mod-security-users mailing list
>mod...@li...
>https://lists.sourceforge.net/lists/listinfo/mod-security-users
>Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>http://www.modsecurity.org/projects/commercial/rules/
>http://www.modsecurity.org/projects/commercial/support/