[mod-security-users] Audit log keeps disappearing
From: Danny S. <dsh...@al...> - 2007-11-29 18:34:07
I have a strange problem with my mod security implementation. When I log in to my server I usually see either an empty audit log or a severely diminished one. For example, it is currently only about 4k and the entries are an hour old at the most. Often I log in and it is 0 bytes. If I manually force a hit, I can see it written to the audit log. Also, I notice modsecurity stuff is being written to the error_log for apache.

Here are some details:

Apache 2.2.6
Modsec 2.1.3
Apache uptime 23hrs

SecRuleEngine On
SecDefaultAction "log,deny,phase:2,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
SecDefaultAction "log,deny,phase:2,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Sample rule:

SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecRule ARGS "(ht|f)tps?:/"

SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"
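An added diagnostic, not part of Danny's post and not ModSecurity's own code: a small Python parser for the ModSecurity 2.x serial audit log (the file named by SecAuditLog above) that reports how many entries the file holds, how many of them are complete (Z part present), the time span they cover and which rule ids fired, so a log that keeps shrinking can be compared against Apache restarts and log rotation times. The sample log, its boundary tokens and unique ids are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in ModSecurity 2.x serial audit-log format: two complete entries, then one cut off before its Z part.
SAMPLE = """--1a2b3c4d-A--
[29/Nov/2007:17:10:03 +0000] R1a2b3c4dAAAEAABHtAAAAAA 192.0.2.10 54321 198.51.100.5 80
--1a2b3c4d-B--
GET /index.php?redir=http://203.0.113.9/x HTTP/1.1
--1a2b3c4d-H--
Message: Access denied with code 406 (phase 2). [id "300018"] [msg "Generic PHP code injection protection via ARGS"]
--1a2b3c4d-Z--
--9f8e7d6c-A--
[29/Nov/2007:18:02:41 +0000] R9f8e7d6cAAAEAABHuAAAAAA 192.0.2.77 40001 198.51.100.5 80
--9f8e7d6c-H--
Message: Access denied with code 406 (phase 2). [id "300040"] [msg "Generic PHP code injection protection in URI"]
--9f8e7d6c-Z--
--c0ffee11-A--
[29/Nov/2007:18:30:12 +0000] Rc0ffee11AAAEAABHvAAAAAA 192.0.2.5 51000 198.51.100.5 80
--c0ffee11-B--
GET /tiki-index.php HTTP/1.1
"""

BOUNDARY = re.compile(r'^--([0-9a-f]{8})-([A-Z])--$')          # part separator line
PART_A = re.compile(r'^\[([^\]]+)\] \S+ \S+ \d+ \S+ \d+$')    # timestamp line of part A
RULE_ID = re.compile(r'\[id "(\d+)"\]')                       # rule ids in part H messages

def parse_audit_log(text):  # one dict per entry; 'complete' is set once its Z part is seen
    entries, cur, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            token, part = m.groups()
            if part == 'A':  # a new entry begins
                cur = {'token': token, 'rule_ids': [], 'complete': False}
                entries.append(cur)
            elif part == 'Z' and cur and cur['token'] == token:
                cur['complete'] = True
        elif cur and part == 'A' and 'time' not in cur:
            a = PART_A.match(line)
            if a:
                cur['time'] = datetime.strptime(a.group(1), '%d/%b/%Y:%H:%M:%S %z')
        elif cur and part == 'H':
            cur['rule_ids'] += RULE_ID.findall(line)
    return entries

def summarize(text):
    entries = parse_audit_log(text)
    times = sorted(e['time'] for e in entries if 'time' in e)
    first, last = (times[0], times[-1]) if times else (None, None)
    return {'entries': len(entries), 'complete': sum(e['complete'] for e in entries), 'first': first,
            'last': last, 'rule_ids': sorted({r for e in entries for r in e['rule_ids']})}
```

Run summarize() over the real modsec_audit.log after each check: an entry count that drops to zero, or a 'first' timestamp that jumps forward, points at the file being replaced rather than at the engine not logging.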