Re: [mod-security-users] Log file rotation audit_log
From: William S. <wsa...@gm...> - 2007-11-27 03:44:58
John, and all,

I myself have had a pretty good go in managing daily/hourly rotation for Apache and Mod_Sec concurrent index logs using 'cronolog' as a logging filter.

Check out http://cronolog.org/

Here are short cuts to replacing your respective Log directives for use with cronolog.

: httpd.conf
ErrorLog "|/usr/sbin/cronolog --symlink=/path/to/error_log.current /path/to/error_log-%Y%m%d"
CustomLog "|/usr/sbin/cronolog --symlink=/path/to/access_log.current /path/to/access_log-%Y%m%d" combined

: mod_security2.conf
SecAuditLog "|/usr/sbin/cronolog --symlink=/path/to/audit_modsec.log /path/to/audit_modsec-%Y%m%d.log"

* The above will give you daily logs in the following filename formats:

/path/to/access_log-20071124
/path/to/access_log-20071125
/path/to/access_log-20071126

/path/to/error_log-20071124
/path/to/error_log-20071125
/path/to/error_log-20071126

/path/to/audit_modsec-20071124.log
/path/to/audit_modsec-20071125.log
/path/to/audit_modsec-20071126.log

It's up to you to compress them after the fact if you want.

W

On Nov 26, 2007 7:43 PM, John covici <co...@cc...> wrote:
> No, I just rotate them on a weekly basis which works out for me pretty
> well. For instance when I was doing concurrent logging, it was about
> 300mb per day which is much more than the apache logs ever were.
>
> on Monday 11/26/2007 Ryan Barnett(Rya...@Br...) wrote
> > You first need to address how you are managing Apache logs. Are you
> > only rotating them on a time basis or are you monitoring disk space as
> > well (hopefully). If it is the latter, then you can just update whatever
> > log rotation script you are using to include the directory where
> > ModSecurity is logging its Concurrent logs.
> >
> > --
> > Ryan C. Barnett
> > ModSecurity Community Manager
> > Breach Security: Director of Training
> > Web Application Security Consortium (WASC) Member
> > CIS Apache Benchmark Project Lead
> > SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> > Author: Preventing Web Attacks with Apache
> >
> > > -----Original Message-----
> > > From: John covici [mailto:co...@cc...]
> > > Sent: Monday, November 26, 2007 6:13 PM
> > > To: Ryan Barnett
> > > Cc: ici...@ya...; mod...@li...
> > > Subject: Re: [mod-security-users] Log file rotation audit_log
> > >
> > > How would you manage concurrent logs so they would not take up your
> > > whole disk -- and if you have the E qualifier that sure increases the
> > > space quite a bit.
> > >
> > > on Monday 11/26/2007 Ryan Barnett(Rya...@Br...) wrote
> > > > What specific issue are you dealing with? How are you handling the
> > > > normal Apache log rotation scenarios? You should be able to handle
> > > > ModSecurity logs in a similar manner. Are you using Concurrent audit
> > > > logging format or Serial?
> > > >
> > > > > -----Original Message-----
> > > > > From: mod...@li...
> > > > > [mailto:mod-sec...@li...] On Behalf Of
> > > > > ici...@ya...
> > > > > Sent: Monday, November 26, 2007 5:34 PM
> > > > > To: mod...@li...
> > > > > Subject: [mod-security-users] Log file rotation audit_log
> > > > >
> > > > > Hi,
> > > > >
> > > > > The problem we have is growing audit log files. I was
> > > > > going through the mod_security documentation looking
> > > > > for possible audit log rotation statement but I
> > > > > couldn't find one. Can someone tell me is it possible
> > > > > to rotate the audit log files from within mod_security
> > > > > or httpd config file (like with access logs) and how?
> > > > > I would really appreciate any help or suggestion
> > > > > regarding this issue.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Igor
> > > > >
> > > > > _______________________________________________
> > > > > mod-security-users mailing list
> > > > > mod...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > >
> > > --
> > > Your life is like a penny. You're going to lose it. The question is:
> > > How do
> > > you spend it?
> > >
> > > John Covici
> > > co...@cc...
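
Added example, not part of the original thread or of cronolog/ModSecurity: a housekeeping script for the two follow-up tasks the messages leave open, compressing and expiring the dated files cronolog produces, and pruning the concurrent audit log storage directory by age. The function names, retention values and directory arguments are assumptions; the file naming follows the directives shown in the message.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, directories and
# retention values are assumptions; file naming follows the post above.

# stamp_of FILE: print the YYYYMMDD stamp from prefix-YYYYMMDD[.log][.gz]
stamp_of() {
    basename "$1" |
        sed -n 's/^.*-\([0-9]\{8\}\)\(\.log\)\{0,1\}\(\.gz\)\{0,1\}$/\1/p'
}

# rotate_housekeeping DIR TODAY CUTOFF   (both stamps are YYYYMMDD)
#   - gzip logs dated before TODAY; today's file is still open by cronolog
#   - delete already-compressed logs dated before CUTOFF
#   - never touch symlinks such as error_log.current
# Prints "compressed=N deleted=M".
rotate_housekeeping() {
    dir=$1; today=$2; cutoff=$3
    compressed=0; deleted=0
    for f in "$dir"/*-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]*; do
        [ -f "$f" ] || continue
        [ -L "$f" ] && continue
        s=$(stamp_of "$f")
        [ -n "$s" ] || continue
        case $f in
            *.gz) if [ "$s" -lt "$cutoff" ]; then
                      rm -f -- "$f"; deleted=$((deleted + 1)); fi ;;
            *)    if [ "$s" -lt "$today" ]; then
                      gzip -9 -- "$f" && compressed=$((compressed + 1)); fi ;;
        esac
    done
    echo "compressed=$compressed deleted=$deleted"
}

# prune_concurrent DIR DAYS: in the concurrent audit log storage tree
# (SecAuditLogStorageDir), delete per-transaction files older than DAYS days,
# remove directories left empty, and print the number of files deleted.
# Uses -mindepth/-empty/-delete, available in GNU and BSD find.
prune_concurrent() {
    n=$(find "$1" -type f -mtime +"$2" -print -exec rm -f -- {} \; | wc -l)
    find "$1" -mindepth 1 -type d -empty -delete
    echo "$((n))"
}

# Example cron usage (placeholder paths; `date -d` is GNU date):
#   rotate_housekeeping /path/to "$(date +%Y%m%d)" "$(date -d '30 days ago' +%Y%m%d)"
#   prune_concurrent /path/to/audit_storage 7
```

Run it as the user that owns the log directory. The cutoff for the index logs and the age limit for the concurrent storage tree are independent, so the heavier per-transaction files can be kept for a shorter period.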