Re: [mod-security-users] System load after turning on Modsecurity
Brought to you by:
victorhora,
zimmerletw
From: Brian R. <Bri...@br...> - 2009-08-12 18:52:01
|
Michael Warchut wrote: > I have installed modsecurity on my companies site. When I put it in > DetectionOnly mode the system load on the servers go from .43 to like > 20+. Does this mean that I have something configured wrong or do I need > more powerful servers to make it all work? I have 2 virtualhosts and > rather than setting it up globally I have it setup in each virtual host. > So it launches 2 mlogc daemons. Could this be part of the problem? > > Thanks > > Michael You may be getting many false positives and it is auditig heavily. Is it writing heavily to disk (error_log, auditlog or debug log)? Turn off the debug log (SecDebugLogLevel 0) and the audit engine (SecAuditEngine Off) and see if that makes a difference. Are you saying that it is normally fine (SecEngine On), but not in DetectionOnly? DetectionOnly may end up doing more work as it will not stop after hitting a rule (it runs all rules no matter what as they are all essentially turned into a "pass"). Which rule set are you using? You may want to trim down your rules and start enabling them slowly to figure out when it starts performing poorly. -B -- Brian Rectanus Breach Security |