[mod-security-users] mlogc problems
From: Sion P. <sio...@po...> - 2009-10-30 14:17:01
Hi all,

We've been running ModSecurity 2.5.9 on a Slackware 12.2 platform with Apache 2.2.11 (which we build ourselves). We haven't been using the ModSecurity Console or mlogc to date, but thought we might have a look at it.

mlogc builds OK on the platform, and we've configured the audit logs, Console and mlogc.conf as in the documentation that's available. I can see log data is written to the audit log directory structure from mod_security. However, mlogc doesn't seem to do anything. You can see its process in the process list, but all it does is write the following to the mlogc-error.log (even though I've turned the debugging to 5):

[Fri Oct 30 11:24:33 2009] [3] [2411/0] ModSecurity Audit Log Collector 2.5.9 delaying startup for 1000ms
[Fri Oct 30 11:24:34 2009] [3] [2411/0] ModSecurity Audit Log Collector 2.5.9 started.

Nothing else... Logs mlogc-queue.log and mlogc-transaction.log are not being created, and even if I do create them, they remain empty.

Any ideas, anyone???

For info, contents of mlogc.conf:

##########################################################################
# Required configuration
# At a minimum, the items in this section will need to be adjusted to
# fit your environment. The remaining options are optional.
##########################################################################

# Points to the root of the installation. All relative
# paths will be resolved with the help of this path.
#CollectorRoot "/var/log/mlogc"
CollectorRoot "/usr/local/apache2/logs/modsec_audit"

# ModSecurity Console receiving URI. You can change the host
# and the port parts but leave everything else as is.
ConsoleURI "https://******.powys.gov.uk:8888/rpc/auditLogReceiver"
### I've manually changed this in this message... ###

# Sensor credentials
SensorUsername "wcms1"
SensorPassword "*******"
### I've manually changed this in this message... ###

# Base directory where the audit logs are stored. This can be specified
# as a path relative to the CollectorRoot, or a full path.
LogStorageDir "data"

# Transaction log will contain the information on all log collector
# activities that happen between checkpoints. The transaction log
# is used to recover data in case of a crash (or if Apache kills
# the process).
TransactionLog "mlogc-transaction.log"

# The file where the pending audit log entry data is kept. This file
# is updated on every checkpoint.
QueuePath "mlogc-queue.log"

# The location of the error log.
ErrorLog "mlogc-error.log"

# The location of the lock file.
LockFile "mlogc.lck"

# Keep audit log entries after sending? (0=false 1=true)
# NOTE: This is required to be set in SecAuditLog mlogc config if you
# are going to use a secondary console via SecAuditLog2.
KeepEntries 0

##########################################################################
# Optional configuration
##########################################################################

# The error log level controls how much detail there
# will be in the error log. The levels are as follows:
# 0 - NONE
# 1 - ERROR
# 2 - WARNING
# 3 - NOTICE
# 4 - DEBUG
# 5 - DEBUG2
#
#ErrorLogLevel 3
ErrorLogLevel 5

# How many concurrent connections to the server
# are we allowed to open at the same time? Log collector uses
# multiple connections in order to speed up audit log transfer.
# This is especially needed when the communication takes place
# over a slow link (e.g. not over a LAN).
MaxConnections 10

# The time each connection will sit idle before being reused,
# in milliseconds. Increase if you don't want ModSecurity Console
# to be hit with too many log collector requests.
TransactionDelay 50

# The time to wait before initialization on startup in milliseconds.
# Increase if mlogc is starting faster than termination when the
# sensor is reloaded.
StartupDelay 1000

# How often is the pending audit log entry data going to be written
# to a file. The default is 15 seconds.
CheckpointInterval 15

# If the server fails all threads will back down until the
# problem is sorted. The management thread will periodically
# launch a thread to test the server. The default is to test
# once in 60 seconds.
ServerErrorTimeout 60

# The following two parameters are not used yet, but
# reserved for future expansion.
# KeepAlive 150
# KeepAliveTimeout 300

Snip of the logging parts of modsecurity_crs_10_config.conf:

...
# Use RelevantOnly auditing
SecAuditEngine RelevantOnly

# Must use concurrent logging
SecAuditLogType Concurrent

# Send all audit log parts
SecAuditLogParts ABIDEFGHZ

# Use the same /CollectorRoot/LogStorageDir as in mlogc.conf
SecAuditLogStorageDir /usr/local/apache2/logs/modsec_audit/data

# Pipe audit log to mlogc with your configuration
SecAuditLog "|/usr/local/modsecurity/mlogc /usr/local/modsecurity/mlogc.conf"
...

Any help would be greatly appreciated.

Regards,

--
Sion Pennant
Web Development Team Leader
-----------------------------------------
Powys County Council
www.powys.gov.uk

This e-mail and any attachments are confidential and intended for the named recipient only. The content may contain privileged information. If it has reached you by mistake, you should not copy, distribute or show the content to anyone but should contact Powys County Council at once. Any content that is not pertinent to Powys County Council business is personal to the author, and is not necessarily the view of the Council.
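A consistency check over the two files quoted in the post, as an added example (not code from the post or from the ModSecurity project): it verifies that SecAuditLogStorageDir equals CollectorRoot/LogStorageDir, that audit logging is Concurrent, and that SecAuditLog actually pipes into mlogc with its config file. The embedded configs are constructed from the post's settings and the ConsoleURI host is a placeholder.

```python
"""Cross-check mlogc.conf against the ModSecurity audit-log directives that feed
it. Added example, not from the post or ModSecurity; the two sample configs
below are constructed from the settings quoted in the post."""
import os
import shlex

MLOGC_CONF = """
CollectorRoot "/usr/local/apache2/logs/modsec_audit"
ConsoleURI "https://console.example.invalid:8888/rpc/auditLogReceiver"
LogStorageDir "data"
"""
APACHE_CONF = """
SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLogParts ABIDEFGHZ
SecAuditLogStorageDir /usr/local/apache2/logs/modsec_audit/data
SecAuditLog "|/usr/local/modsecurity/mlogc /usr/local/modsecurity/mlogc.conf"
"""

def parse_directives(text):
    """Map 'Key value ...' lines to {Key: [values]}; blank and '#' lines skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # honours the double quoting used in both files
            out[parts[0]] = parts[1:]
    return out

def check_mlogc_wiring(mlogc_text, apache_text, conf_path=None):
    """Return a list of findings; an empty list means the two files agree."""
    m, a, findings = parse_directives(mlogc_text), parse_directives(apache_text), []
    root = m.get("CollectorRoot", [""])[0]
    storage = m.get("LogStorageDir", ["data"])[0]
    # mlogc resolves a relative LogStorageDir against CollectorRoot
    expected = storage if os.path.isabs(storage) else os.path.join(root, storage)
    actual = a.get("SecAuditLogStorageDir", [""])[0]
    if os.path.normpath(actual) != os.path.normpath(expected):
        findings.append(f"SecAuditLogStorageDir {actual!r} != {expected!r}")
    if a.get("SecAuditLogType", [""])[0] != "Concurrent":
        findings.append("SecAuditLogType must be Concurrent for mlogc")
    if a.get("SecAuditEngine", [""])[0] == "Off":
        findings.append("SecAuditEngine Off: no audit entries are written")
    sink = a.get("SecAuditLog", [""])[0]
    if not sink.startswith("|"):
        findings.append("SecAuditLog is a file, not a pipe: mlogc gets no index lines")
    elif conf_path and conf_path not in sink:
        findings.append(f"SecAuditLog pipe does not pass {conf_path}")
    return findings
```

Run it against the live files by reading them into the two text arguments; a non-empty result lists the mismatches that would leave mlogc started but idle.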