Thread: [mod-security-users] Does SecDebugLog or SecAuditLog support rotatelogs?
From: Carmella S. <cs...@ii...> - 2012-08-23 00:51:30
For our regular apache error log, in httpd.conf we have:

    ErrorLog "|/apache242/bin/rotatelogs /httpd/logs/error_log.%Y-%m-%d 1M"

and we get logs like this:

    -rw-rw-r-- 1 iii iii 215655573 Aug 20 16:59 error_log.2012-08-20
    -rw-rw-r-- 1 iii iii 188482769 Aug 21 14:59 error_log.2012-08-21
    -rw-rw-r-- 1 iii iii 72593320 Aug 22 16:41 error_log.2012-08-22

I've tried to implement something similar for SecDebugLog and SecAuditLog, but the use of rotatelogs here appears to be not supported. Has anybody already worked out a solution to get one log file per day, without restarting apache?

Many thanks for any thoughts/ideas/suggestions you may have.

From: Christian B. <ch...@jw...> - 2012-08-23 06:41:07
Hi Carmella,

I cannot speak for SecDebugLog (though I assume it should work as well), but for the SecAuditLog - if your audit-log type is set to "Serial", then you can use the pipe '|' character to make Apache pipe those logs to any place you'd like.

Some time ago I experimented with using netcat to send audit logs via a TCP stream to the AuditConsole:

    SecAuditLogType Serial
    SecAuditLog "|/bin/nc 192.168.10.152 9001"

This is a lot faster than mlogc, but does not support local spooling, i.e. if the remote end is down, then data is lost.

Another option I experimented with (which seems to work fine) is to send AuditLog data to syslog and then use remote-syslog to transport that data to a remote machine (as an alternative to mlogc, for instance).

    SecAuditLogType Serial
    SecAuditLog "|/bin/logger -t ModSecurity -p local7.debug"

This switches audit-logging to serial logging and hands over each line of the logs to the syslog daemon, marking it with tag "ModSecurity" and setting its priority to "local7.debug".

In your syslog.conf you can now filter for that

    local7.debug /var/log/modsecurity-audit.log

and have the logs rotated similar to all the other

The exact syslog configuration needs to be adjusted based on your local syslog implementation (rsyslogd, syslog-ng,...).

Chris

On 23.08.2012 at 01:49, "Carmella Smith" <cs...@ii...> wrote:

> For our regular apache error log, in httpd.conf we have:
> ErrorLog "|/apache242/bin/rotatelogs /httpd/logs/error_log.%Y-%m-%d 1M"
> and we get logs like this:
> -rw-rw-r-- 1 iii iii 215655573 Aug 20 16:59 error_log.2012-08-20
> -rw-rw-r-- 1 iii iii 188482769 Aug 21 14:59 error_log.2012-08-21
> -rw-rw-r-- 1 iii iii 72593320 Aug 22 16:41 error_log.2012-08-22
> I've tried to implement something similar for SecDebugLog and SecAuditLog, but the use of rotatelogs here appears to be not supported. Has anybody already worked out a solution to get one log file per day, without restarting apache?
> Many thanks for any thoughts/ideas/suggestions you may have.
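
The netcat pipe in the reply above loses audit data whenever the remote end is down. As an added example (not part of the thread and not ModSecurity project code), here is a small piped-log program that forwards each Serial audit-log line over TCP and spools to a local file while the collector is unreachable, replaying the spool once it is back. The script path, class name and spool path are assumptions; the collector address is the one from the post.

```python
# Hypothetical piped-log program for: SecAuditLog "|/usr/local/bin/modsec_forward.py"
import socket
import sys

COLLECTOR = ("192.168.10.152", 9001)           # address used in the post above
SPOOL_PATH = "/var/spool/modsec_audit.spool"   # assumed spool location

class SpoolingForwarder:
    def __init__(self, connect, spool_path):
        self.connect = connect        # callable returning a connected socket
        self.spool_path = spool_path
        self.sock = None
        self.backlog = True           # check for a leftover spool on startup

    def _send(self, data):
        if self.sock is None:
            self.sock = self.connect()
        self.sock.sendall(data)

    def _drain_spool(self):
        """Replay spooled lines before new ones so ordering is preserved."""
        if not self.backlog:
            return
        try:
            with open(self.spool_path, "rb") as fh:
                data = fh.read()
        except FileNotFoundError:
            data = b""
        if data:
            self._send(data)
            open(self.spool_path, "wb").close()   # truncate only after a successful send
        self.backlog = False

    def handle(self, line):           # returns "sent" or "spooled"
        try:
            self._drain_spool()
            self._send(line)
            return "sent"
        except OSError:
            self.sock = None          # force a reconnect on the next line
            with open(self.spool_path, "ab") as fh:
                fh.write(line)
            self.backlog = True
            return "spooled"

if __name__ == "__main__":
    fwd = SpoolingForwarder(lambda: socket.create_connection(COLLECTOR, timeout=5), SPOOL_PATH)
    for raw in sys.stdin.buffer:
        fwd.handle(raw)
```

`sendall` only fails once the kernel has noticed that the connection is gone, so a line written just before that point can still be lost; the spool covers refused connections and detected resets, not that window.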