Hi,
Is this a known issue?
Let me explain the scenario a little more.
If we use the below configuration (without SecAuditLogStorageDir) ...
-- -- -- -- --
SecRuleEngine On
SecAuditEngine On
SecAuditLogType concurrent
SecAuditLog ./audit.log
SecAuditLogParts ABCFHZ
-- -- -- -- --
When the server starts up, it creates the "audit.log" file relative to the
server's config directory ( <config dir>/audit.log ).
And when ModSecurity processes the request, it logs the message in the
concurrent log file created relative to the server's config directory ( e.g. <config
dir>/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0) and that
file's info gets logged in the audit.log file.
So we do see some entries in audit.log and the concurrent log.
If we change AuditLog's location to some absolute path like /tmp/audit.log,
then audit.log is created in the /tmp dir and concurrent logs are also
created in /tmp dir (
/tmp/20120823/20120823-0601/20120823-060111-fNOoe110000000000,0).
The issue is when we specify just the filename for SecAuditLog.
-- -- -- -- --
SecRuleEngine On
SecAuditEngine On
SecAuditLogType concurrent
SecAuditLog audit.log
SecAuditLogParts ABCFHZ
-- -- -- -- --
At server startup, the audit.log file gets created in the server's config
directory ( <config dir>/audit.log ). During request processing, when
ModSecurity tries to create the concurrent log file, it tries to create the
<config dir>/audit.log/<date>/.. dirs but fails as audit.log already exists
and is a file.
A change in file_dirname() of msc_util.c to return "." when the filename doesn't
have "/" or "\" fixed the issue.
Please let us know if it is the right fix.
Thanks,
Seema.
On Tue, Aug 7, 2012 at 9:31 AM, Parthasarathi Kundu <
par...@ya...> wrote:
> If the rule file contains SecAuditLog and provides the file name and
> there is no SecAuditLogStorageDir (it is not mandatory), it creates
> audit.log as the directory instead of creating that as the index file.
>
> SecRuleEngine On
> SecAuditEngine On
> SecAuditLogType concurrent
> SecAuditLog audit.log
> SecAuditLogParts ABCFHZ
>
>
> The behaviour is different when SecAuditLog ./audit.log.
>
> The issue is with the file_dirname(msr->mp, "audit.log") function. It returns
> "audit.log", whereas
> file_dirname(msr->mp, "./audit.log") correctly returns "." as the
> directory.
>
> Shouldn't it return "." even on file_dirname(msr->mp, "audit.log")?
>
> Thanks
> Partha
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
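
Added example, not part of the original messages and not ModSecurity's own code: a stand-alone C model of the two file_dirname() behaviours discussed in this thread, showing why a bare "audit.log" makes the concurrent storage directory collide with the index file. The function names, buffer-based signatures and the sample paths are assumptions made for illustration; the real function takes an APR pool.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-alone model of the dirname logic discussed in this
 * thread; it does not use APR pools and is not ModSecurity's msc_util.c. */
/* Index of the last '/' or '\\' in path, or -1 when there is none. */
static int last_sep(const char *path) {
    int i, pos = -1;
    for (i = 0; path[i] != '\0'; i++)
        if (path[i] == '/' || path[i] == '\\') pos = i;
    return pos;
}

/* Behaviour reported in the thread: with no separator the input comes
 * back unchanged, so "audit.log" is treated as a directory name. */
const char *dirname_reported(const char *path, char *out, size_t n) {
    int pos = last_sep(path);
    size_t len = (pos < 0) ? strlen(path) : (size_t)pos;
    if (len >= n) return NULL;
    memcpy(out, path, len);
    out[len] = '\0';
    return out;
}

/* Behaviour proposed in the thread: no separator means directory ".". */
const char *dirname_proposed(const char *path, char *out, size_t n) {
    if (last_sep(path) < 0)
        return (n < 2) ? NULL : strcpy(out, ".");
    return dirname_reported(path, out, n);
}

/* 1 when the derived storage directory is the index file itself, the
 * case where creating <dir>/<date>/... fails during request processing. */
int storage_dir_is_index_file(const char *audit_log, const char *dir) {
    return strcmp(audit_log, dir) == 0;
}

int main(void) {
    const char *cfg[] = { "audit.log", "./audit.log", "/tmp/audit.log" };
    char a[256], b[256];
    size_t i;
    for (i = 0; i < sizeof cfg / sizeof cfg[0]; i++) {
        dirname_reported(cfg[i], a, sizeof a);
        dirname_proposed(cfg[i], b, sizeof b);
        printf("%-15s reported=%-10s proposed=%-5s collides=%d\n",
               cfg[i], a, b, storage_dir_is_index_file(cfg[i], a));
    }
    return 0;
}
```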