Many thanks to Christian Bockermann for his report that he has successfully used a pipe in the value for SecAuditLog.
My rotatelogs sample below works fine in SecAuditLog. I find, however, that SecDebugLog does not support using the pipe. Is there a particular reason for this, or did it just not get implemented yet? Perhaps nobody really needs this, but we’re just starting with ModSecurity, and wish to capture more info than would be reasonable for experts.
I have taken a copy of the cmd_audit_log routine from ./modsecurity-apache_2.6.5/apache2/apache2_config.c, done a search and replace of “audit” to “debug” and pasted it back in as the new cmd_debug_log routine, and it seems to be working to allow the pipe and give logs in the same format as our other ones.
From: Carmella Smith
Sent: Wednesday, August 22, 2012 4:49 PM
Subject: Does SecDebugLog or SecAuditLog support rotatelogs?
For our regular apache error log, in httpd.conf we have:
ErrorLog "|/apache242/bin/rotatelogs /httpd/logs/error_log.%Y-%m-%d 1M"
and we get logs like this:
-rw-rw-r-- 1 iii iii 215655573 Aug 20 16:59 error_log.2012-08-20
-rw-rw-r-- 1 iii iii 188482769 Aug 21 14:59 error_log.2012-08-21
-rw-rw-r-- 1 iii iii 72593320 Aug 22 16:41 error_log.2012-08-22
I've tried to implement something similar for SecDebugLog and SecAuditLog, but the use of rotatelogs here appears not to be supported. Has anybody already worked out a solution to get one log file per day, without restarting Apache? Many thanks for any thoughts/ideas/suggestions you may have.
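An added configuration example, not taken from either message in this thread: the piped rotatelogs form applied to SecAuditLog, which the reply reports as working, set up for one file per day. The audit log file name, the `-l` option and the `86400` interval are assumptions chosen for illustration; the rotatelogs path and log directory are the ones quoted in the thread.

```apache
# Added illustration; the audit log file name is a placeholder, not from the thread.

# Error log line as quoted in the thread. The trailing "1M" is a size
# threshold for rotatelogs, not a time interval.
ErrorLog "|/apache242/bin/rotatelogs /httpd/logs/error_log.%Y-%m-%d 1M"

# Serial: every audit entry is written to the single stream named by SecAuditLog.
SecAuditEngine RelevantOnly
SecAuditLogType Serial

# 86400 = start a new file every 24 hours, without restarting httpd.
# -l bases the interval on local time, so the file changes at local midnight
# rather than at midnight UTC.
# httpd launches the piped program as the user that started the server
# (root, if the server was started by root), so the rotatelogs binary and
# the log directory should not be writable by any less-privileged account.
SecAuditLog "|/apache242/bin/rotatelogs -l /httpd/logs/modsec_audit_log.%Y-%m-%d 86400"
```

In the 2.6.5 source discussed above, SecDebugLog takes a plain file path unless the cmd_debug_log change described in the reply is applied.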