Re: [mod-security-users] mlogc not sending to console
From: Brian R. <Bri...@br...> - 2009-05-14 15:52:28
N C wrote:
> --- On Wed, 5/13/09, N C<nc...@ya...> wrote:
>> mlogc does not appear to be sending
>> any entries to my console, although they do appear in
>> /var/log/mlogc/data/. I've tried changing mlogc.conf's

What versions of all the dependencies are you using during compile? Please send (privately if you wish) the generated Makefile in apache2/mlogc-src. Also send the apache2/config.log. What is the output from "apachectl -V"?

Also, what does the process listing look like for httpd and mlogc? The mlogc processes should have a parent of a shell or an httpd and not of process 1.

>> ErrorLogLevel from 3 to 5, but only the usual level 3
>> messages appear in mlogc-error.log. No other log files
>> appear in /var/log/mlogc.

Are you sure that mlogc is picking up the correct conf file? Often people are "sure", but it turns out some <IfDefine> or <IfModule> directives cause the wrong one to be used. Double check it - make sure the process listing has the correct command line you are expecting and/or put a syntax error in the conf file to make sure it fails.

Do the mlogc-queue.log and mlogc-transaction.log contain data? If so, if you run mlogc from the command line does it work?

/opt/mlogc/bin/mlogc /opt/mlogc/etc/mlogc.conf

Or better would be to add the -f from the command line:

/opt/mlogc/bin/mlogc -f /opt/mlogc/etc/mlogc.conf

>>
>> I've tried changing mlogc.conf's ConsoleURI to point to an
>> Apache server, and verified that mlogc is not contacting the
>> URI. I am able to authenticate at the ConsoleURI with
>> the SensorUsername and SensorPassword.
>
> I'm stumped as to why I can't get this working. Although it is not uncommon for people to have trouble with mlogc, none of the solutions I've seen in the archives appears to be my solution. Any assistance or ideas would be much appreciated. Thanks.
>
> This is my full mlogc.conf:
> CollectorRoot "/var/log/mlogc"
> ConsoleURI "https://w.x.y.z:8888/rpc/auditLogReceiver"
> SensorUsername "foo"
> SensorPassword "bar"
> LogStorageDir "data"
> TransactionLog "mlogc-transaction.log"
> QueuePath "mlogc-queue.log"
> ErrorLog "mlogc-error.log"
> LockFile "mlogc.lck"
> KeepEntries 0
> ErrorLogLevel 5
> MaxConnections 10
> TransactionDelay 50
> StartupDelay 1000

Try raising this to 2000. This is trying to prevent mlogc from doing anything on Apache's config phase. Apache essentially starts twice, once to configure, then again to process requests, so mlogc is actually started twice. By delaying the startup we are allowing the first mlogc (config run) to wait so that it is hopefully shut down before processing starts (i.e. the second mlogc should be the only one processing). You need this value large enough so that the first mlogc shuts down before it does any processing. In my log output below, there are two mlogc startups, process 20035 and 20038. They should never be processing at the same time or they may be fighting each other.

> CheckpointInterval 15
> ServerErrorTimeout 60
>
>
> As far as I can tell, these permissions/ownerships should be fine.
>
> /var/log:
> drwxr-xr-x 3 httpd httpd 4096 May 13 23:04 mlogc/
>
> mlogc/:
> drwxr-x--- 3 httpd httpd 4096 May 13 23:04 data
> -rw-r--r-- 1 root root 386 May 13 23:02 mlogc-error.log
>
> mlogc/data:
> drwxr-x--- 3 httpd httpd 4096 May 13 23:04 20090513
>
> mlogc/data/20090513:
> drwxr-x--- 2 httpd httpd 4096 May 13 23:04 20090513-2304
>
> mlogc/data/20090513/20090513-2304:
> -rw-r----- 1 httpd httpd 14233 May 13 23:04 20090513-230407-SguKJ38AAAEAACVWU4QAAAAA

They look fine, provided httpd is started as root and then running as httpd.

>
>
> mlogc-error.log (pretty sparse, although logging level of 5 was set):
> [Wed May 13 23:02:20 2009] [3] [9490/0] ModSecurity Audit Log Collector 2.5.9 delaying startup for 1000ms
> [Wed May 13 23:02:21 2009] [3] [9496/0] ModSecurity Audit Log Collector 2.5.9 delaying startup for 1000ms
> [Wed May 13 23:02:21 2009] [3] [9490/0] ModSecurity Audit Log Collector 2.5.9 started.
> [Wed May 13 23:02:22 2009] [3] [9496/0] ModSecurity Audit Log Collector 2.5.9 started.

You should see something like this:

[Thu May 14 08:25:00 2009] [3] [20035/0] ModSecurity Audit Log Collector 2.5.9 delaying startup for 1000ms
[Thu May 14 08:25:01 2009] [3] [20038/0] ModSecurity Audit Log Collector 2.5.9 delaying startup for 1000ms
[Thu May 14 08:25:01 2009] [3] [20035/0] ModSecurity Audit Log Collector 2.5.9 started.
[Thu May 14 08:25:01 2009] [4] [20035/0] Transaction initialization started.
[Thu May 14 08:25:01 2009] [4] [20035/0] Transaction initialization completed.
[Thu May 14 08:25:01 2009] [4] [20035/1cf21e0] Management thread: Starting.
[Thu May 14 08:25:01 2009] [5] [20035/1cf21e0] Management thread: Processing
[Thu May 14 08:25:01 2009] [5] [20035/1cf21e0] Management thread: Last checkpoint was 0 seconds ago.
[Thu May 14 08:25:01 2009] [4] [20035/1cf2270] Signal thread: Starting.
[Thu May 14 08:25:01 2009] [5] [20035/0] Internal state: [evnt "0"][curr "0"][next "0"][nbytes "65536"]
[Thu May 14 08:25:01 2009] [4] [20035/0] Shutting down
[Thu May 14 08:25:01 2009] [4] [20035/1cf21e0] Management thread: Waiting for worker threads to finish.
[Thu May 14 08:25:01 2009] [4] [20035/1cf21e0] Management thread: Exiting.
[Thu May 14 08:25:01 2009] [3] [20035/0] ModSecurity Audit Log Collector 2.5.9 terminating normally.
[Thu May 14 08:25:02 2009] [3] [20038/0] ModSecurity Audit Log Collector 2.5.9 started.
[Thu May 14 08:25:02 2009] [4] [20038/0] Transaction initialization started.
[Thu May 14 08:25:02 2009] [4] [20038/0] Transaction initialization completed.
[Thu May 14 08:25:02 2009] [4] [20038/2313270] Signal thread: Starting.
[Thu May 14 08:25:02 2009] [4] [20038/23131e0] Management thread: Starting.
[Thu May 14 08:25:02 2009] [5] [20038/23131e0] Management thread: Processing
[Thu May 14 08:25:02 2009] [5] [20038/23131e0] Management thread: Last checkpoint was 0 seconds ago.
[Thu May 14 08:25:02 2009] [5] [20038/0] Internal state: [evnt "0"][curr "0"][next "0"][nbytes "65536"]
[Thu May 14 08:25:07 2009] [5] [20038/23131e0] Management thread: Processing
[Thu May 14 08:25:07 2009] [5] [20038/23131e0] Management thread: Last checkpoint was 5 seconds ago.
[Thu May 14 08:25:12 2009] [5] [20038/23131e0] Management thread: Processing
[Thu May 14 08:25:12 2009] [5] [20038/23131e0] Management thread: Last checkpoint was 10 seconds ago.

>
> This is my full modsecurity_crs_10_config.conf:
> SecRuleEngine On
> SecRequestBodyAccess On
> SecResponseBodyAccess On
> SecResponseBodyMimeType (null) text/html text/plain text/xml
> SecResponseBodyLimit 524288
> SecComponentSignature "core ruleset/1.6.1"
> SecUploadDir /tmp
> SecUploadKeepFiles Off
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
> SecAuditLogType Concurrent
> SecAuditLog "|/opt/mlogc/bin/mlogc /opt/mlogc/etc/mlogc.conf"
> SecAuditLogStorageDir /var/log/mlogc/data
> SecAuditLogParts "ABIDEFGHZ"
> SecArgumentSeparator "&"
> SecCookieFormat 0
> SecRequestBodyInMemoryLimit 131072
> SecDebugLog logs/modsec_debug.log
> SecDebugLogLevel 3

Looks fine.

See these issues as well:

https://www.modsecurity.org/tracker/browse/MODSEC-20
https://www.modsecurity.org/tracker/browse/MODSEC-47

If any of these issues matches yours (to any degree), then please continue adding to the discussion there instead of the list. Note that I am *very* interested in getting these problems with mlogc fixed; however, I have yet to be able to duplicate it on any of my systems. Any details you can give me to duplicate this would be greatly appreciated.

thanks,
-B

-- 
Brian Rectanus
Breach Security
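Added example (not from the thread or from ModSecurity itself): a small Python checker for two of the diagnostics in the reply above, run over constructed samples of the mlogc-error.log format shown there. It reports the highest log level actually written (a level stuck at 3 with ErrorLogLevel 5 points at the wrong conf file being read) and flags a second mlogc instance that logged "started." before the config-phase instance logged "terminating normally.", which is the StartupDelay problem Brian describes.

```python
import re
from datetime import datetime

# One mlogc-error.log line: [timestamp] [level] [pid/thread] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\d)\] \[(?P<pid>\d+)/[0-9a-f]+\] (?P<msg>.*)$")

# Constructed sample: a few lines of the healthy log shown in the reply
# (config-phase run 20035 exits before the real run 20038 starts).
HEALTHY = """\
[Thu May 14 08:25:00 2009] [3] [20035/0] ModSecurity Audit Log Collector 2.5.9 delaying startup for 1000ms
[Thu May 14 08:25:01 2009] [3] [20035/0] ModSecurity Audit Log Collector 2.5.9 started.
[Thu May 14 08:25:01 2009] [5] [20035/1cf21e0] Management thread: Processing
[Thu May 14 08:25:01 2009] [3] [20035/0] ModSecurity Audit Log Collector 2.5.9 terminating normally.
[Thu May 14 08:25:02 2009] [3] [20038/0] ModSecurity Audit Log Collector 2.5.9 started.
"""

# Constructed sample: the sparse log from the original question.
SPARSE = """\
[Wed May 13 23:02:20 2009] [3] [9490/0] ModSecurity Audit Log Collector 2.5.9 delaying startup for 1000ms
[Wed May 13 23:02:21 2009] [3] [9496/0] ModSecurity Audit Log Collector 2.5.9 delaying startup for 1000ms
[Wed May 13 23:02:21 2009] [3] [9490/0] ModSecurity Audit Log Collector 2.5.9 started.
[Wed May 13 23:02:22 2009] [3] [9496/0] ModSecurity Audit Log Collector 2.5.9 started.
"""

def parse(text):
    """Yield (timestamp, level, pid, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, int(m["level"]), int(m["pid"]), m["msg"]

def max_level_seen(text):
    """Highest [N] level present. If it stays below the ErrorLogLevel you
    configured, mlogc probably read a different conf file than you think."""
    return max(level for _, level, _, _ in parse(text))

def overlapping_instances(text):
    """Pairs (earlier_pid, later_pid) where the later mlogc logged 'started.'
    before the earlier one logged 'terminating normally.' (or never did).
    Any pair means StartupDelay is too small for the config-phase run."""
    started, ended = {}, {}
    for ts, _, pid, msg in parse(text):
        if "Collector" in msg and msg.endswith("started."):
            started.setdefault(pid, ts)
        elif msg.endswith("terminating normally."):
            ended[pid] = ts
    order = sorted(started, key=started.get)
    return [(a, b) for a, b in zip(order, order[1:])
            if a not in ended or started[b] < ended[a]]
```

Point both functions at the contents of your own mlogc-error.log; the sparse sample above yields level 3 and the overlapping pair (9490, 9496), the healthy one level 5 and no pairs.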