Re: [mod-security-users] Modsecurity 2.1.2 -- nothing is getting logged
From: Ivan R. <iva...@gm...> - 2007-08-30 17:47:02
Here's what I would do:

1. Verify that the module is loaded by looking at the error log messages produced at Apache startup.
2. Then verify the configuration is taken into account by the web server. You can do this by purposefully introducing an error into the configuration. If Apache complains that means it's reading it.
3. Then enable the debug log on a higher level (e.g. 9). Execute one request and observe what is happening. This will tell you if ModSecurity is being used on the per-request basis.

On 8/30/07, Lund, Holly <hol...@hq...> wrote:
>
> I am having the same problem
>
> My modsecurity.conf is the modsecurity_crs_10_config.conf and I tried
> telnetting with no logging resulting also I changed the
> SecAuditEngine to On and still no logging
>
> Also the SecServerSignature directive isn't working
>
> Holly Lund
> 301-903-1174
>
> -----Original Message-----
> From: mod...@li...
> [mailto:mod...@li...] On Behalf Of
> Ryan Barnett
> Sent: Tuesday, August 28, 2007 1:57 PM
> To: John MUDD; mod...@li...
> Subject: Re: [mod-security-users] Modsecurity 2.1.2 -- nothing is
> getting logged
>
> John,
> If you are using the default Core Rules config file
> (modsecurity_crs_10_config.conf) then take a look at the "Logging"
> section that has this info -
>
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^[45]"
>
> This means that the SecAuditEngine will ONLY log data to the audit_log
> file if a transaction triggers a rule. Normal transactions will not be
> logged. If you want to ensure that Mod is working appropriately and
> will trigger a rule and it will be logged to the audit_log, simply
> telnet to port 80 on your web server and issue "HEAD / HTTP/1.0".
> This will trigger some of the HTTP Compliance rules since it does not
> include Host, User-Agent and Accept headers. You should be able to then
> look in the audit_log for info.
>
> One other option would be to simply set the SecAuditEngine to On as this
> will log every transaction regardless of whether or not it triggered any
> rules. You will then need to restart and use your normal web browser to
> access the site. It should then log the transactions to the audit_log.
>
> Let me know if you still run into problems.
>
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Training
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>
> > -----Original Message-----
> > From: mod...@li... [mailto:mod-
> > sec...@li...] On Behalf Of John MUDD
> > Sent: Tuesday, August 28, 2007 1:35 PM
> > To: mod...@li...
> > Subject: [mod-security-users] Modsecurity 2.1.2 -- nothing is getting
> > logged
> >
> > All --
> >
> > I have a webserver running Apache 2.0.59, which is built locally from
> > source. I am trying to upgrade to modsecurity 2.1.2 from
> > 1.9.5 with apparently no demonstrable success.
> >
> > This webserver is running 64-bit SUSE Linux.
> >
> > Mod_unique_id.c is compiled statically into httpd and upon startup,
> > there are no complaints from Apache. I've also checked the running
> > Apache environment and unique ids are being created properly.
> >
> > I've built and installed libxml2-2.6.29 and fixed the modsecurity
> > Makefile to pick up the correct header files.
> >
> > I am using the Core Rules included in modsecurity 2.1.2 with no
> > modification.
> >
> > In my httpd.conf file, I have added the lines
> >
> > LoadFile /usr/local/lib/libxml2.so
> > LoadModule security2_module modules/mod_security2.so
> >
> > <IfModule security2_module>
> > Include conf/modsecurity/*.conf
> > </IfModule>
> >
> > and copied modsecurity-apache_2.1.2/rules/*.conf into
> > /usr/local/apache/conf/modsecurity, after creating that directory.
> >
> > Upon startup, I get the message "ModSecurity for Apache 2.1.2
> > configured" in my Apache logs. However, I see nothing in
> > modsec_audit.log or modsec_debug.log. In fact, if I (re)move those
> > files, they do not get created when Apache starts.
> > With mod_security 1.9.5, the files are created upon startup.
> >
> > 2.1.2 looks like a nice improvement to 1.9 but until I can see some
> > evidence--through logs or whatever--that the module is actually doing
> > anything, I'm inclined to believe that it isn't working on my
> > webserver.
> >
> > Are the Core Rules supposed to work out of the box or not?
> >
> > John
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Splunk Inc.
> > Still grepping through log files to find problems? Stop.
> > Now Search log events and configuration files using AJAX and a browser.
> > Download your FREE copy of Splunk now >> http://get.splunk.com/
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users

--
Ivan Ristic
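Part of the checks suggested in this thread can be done from the configuration files alone. The script below is an added example, not part of the original messages or of ModSecurity: it reports what the audit and debug logs should receive, given the last value of each logging directive found in a config directory. The function names, the sample file contents and the `logs/` paths are constructed, and per-virtual-host or per-location overrides are ignored.

```shell
# Added example: function names and sample config are constructed.
# Print the last value set for directive $2 across $1/*.conf (a wildcard
# Include is read in alphabetical order; the last setting seen is reported).
modsec_directive() {
    cat "$1"/*.conf 2>/dev/null | awk -v want="$2" '
        { sub(/^[ \t]+/, "") }                  # drop indentation
        /^#/ || NF == 0 { next }                # skip comments, blank lines
        tolower($1) == tolower(want) {          # directive names ignore case
            $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            gsub(/^"|"$/, ""); val = $0         # strip surrounding quotes
        }
        END { if (val != "") print val }'
}

# Explain, from the config alone, what each log should receive.
modsec_logging_report() {
    local dir=$1 engine status audit debug level
    engine=$(modsec_directive "$dir" SecAuditEngine)
    status=$(modsec_directive "$dir" SecAuditLogRelevantStatus)
    audit=$(modsec_directive "$dir" SecAuditLog)
    debug=$(modsec_directive "$dir" SecDebugLog)
    level=$(modsec_directive "$dir" SecDebugLogLevel)
    case $(printf '%s' "$engine" | tr '[:upper:]' '[:lower:]') in
        on)           echo "audit: every transaction -> ${audit:-SecAuditLog unset}" ;;
        relevantonly) echo "audit: only rule hits or status ${status:-unset} -> ${audit:-SecAuditLog unset}" ;;
        *)            echo "audit: off (SecAuditEngine ${engine:-unset})" ;;
    esac
    if [ "${level:-0}" -gt 0 ] 2>/dev/null; then
        echo "debug: level $level -> ${debug:-SecDebugLog unset}"
    else
        echo "debug: nothing written (SecDebugLogLevel ${level:-unset})"
    fi
}

# Constructed sample modeled on the Core Rules logging section quoted above.
make_sample_conf() {
    cat > "$1/modsecurity_crs_10_config.conf" <<'EOF'
# constructed sample, not the shipped file
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^[45]"
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 0
EOF
}
sample=$(mktemp -d)
make_sample_conf "$sample"
modsec_logging_report "$sample"
```

Point `modsec_logging_report` at the directory named in the `Include` line (here `conf/modsecurity`) to see whether an empty log is expected from the settings before moving on to the per-request debug log.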