Thread: [mod-security-users] mlogc failing to submit audit entries to ModSecurity Console
From: David S. L. <dav...@gm...> - 2007-11-06 19:01:11
Hi all

I have the console working fine and also seems like mlogc is working as it should. The problem is the mloc-error.log file keeps stating "Flagging server as errored after failure to submit entry"

The /etc/mlogc.conf file is pointing to http://127.0.0.1:8886 and the sensor name and password are the same as what is in the console.

Anyways I would love to use this tool but need to get past this one hurdle.

Apache 2.2.6.1
Mod_security 2.1.3.1 (from FC6 Yum)

Thanks
David

From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-11-06 19:50:24
David,

What is your ConsoleURI setting in your mlogc.conf file? It should look something like this -

ConsoleURI "http://127.0.0.1:8886/rpc/auditLogReceiver"

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

From: David S. L. <dav...@gm...> - 2007-11-06 20:18:32
Ryan

This is what I have

ConsoleURI http://127.0.0.1:8886/rpc/auditLogReceiver

Is there a setting on the Console server I need to change? I also used the modsec-auditlog-collector.pl and same issue. I get a 500 error status return.

Any help would be great. I have been banging my head against.

[Tue Nov 06 18:40:12 2007] [3] [5867/0] ModSecurity Audit Log Collector 1.4.2 terminating normally.
[Tue Nov 06 18:40:13 2007] [3] [5871/0] ModSecurity Audit Log Collector 1.4.2 started.
[Tue Nov 06 18:40:13 2007] [3] [5871/0] Loaded 35 entries from the queue file.
[Tue Nov 06 18:40:13 2007] [2] [5871/768218] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:41:18 2007] [2] [5871/7f5850] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:42:23 2007] [2] [5871/7f58e0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:43:28 2007] [2] [5871/7f5970] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:44:33 2007] [2] [5871/7f5a00] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:45:38 2007] [2] [5871/7f5a90] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:46:43 2007] [2] [5871/7f5b20] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:47:48 2007] [2] [5871/7f5bb0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:48:53 2007] [2] [5871/7f5c40] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:49:58 2007] [2] [5871/7f5cd0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:51:03 2007] [2] [5871/7f5d60] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:52:08 2007] [2] [5871/7f5df0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:53:13 2007] [2] [5871/7f5e80] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:54:19 2007] [2] [5871/7f5f10] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:55:24 2007] [2] [5871/7f5fa0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:56:29 2007] [2] [5871/7f6030] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:57:34 2007] [2] [5871/7f60c0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:58:39 2007] [2] [5871/7f6150] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:59:44 2007] [2] [5871/7f61e0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 19:00:49 2007] [2] [5871/7f6270] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 19:01:54 2007] [2] [5871/7f6300] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 19:02:59 2007] [2] [5871/7f6390] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 19:03:17 2007] [3] [5871/0] Caught SIGTERM, shutting down.

Kind regards
David S. Lee

From: Chris W. <c.d...@re...> - 2007-11-06 21:13:24
Did you compile mlogc yourself? If so, are you using a 64-bit OS by any chance? We had problems on 64-bit Solaris and needed to change one of the libcurl options; see

http://thread.gmane.org/gmane.comp.apache.mod-security.user/3746

Best Wishes,
Chris

--
Christopher Wakelin, c.d...@re...
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094

From: David S. L. <dav...@gm...> - 2007-11-06 21:17:54
Chris

I read that post and commented out the CURL option and recompiled as I am on a 64 bit Fedora Core 6 machine. Thanks. That didn't fix it.

Kind regards
David S. Lee

From: Brian R. <Bri...@br...> - 2007-11-06 21:22:33
David,

Would you crank up the debug log level to 5 and send me the output?

Thanks,
-B

--
Brian Rectanus
Breach Security

From: Brian R. <Bri...@br...> - 2007-11-07 01:01:26
|
To benefit the list, I'll repeat what I found after David sent more debugging (Thanks David!): It looks like the console license expired and was rejecting alerts from mlogc. >From the GUI, David appeared to be receiving: "The licence key is missing, invalid, or expired. Please configure a valid licence key to unlock the full functionality." >From the status code returned to mlogc from the console: HTTP/1.1 500 Invalid%2C+missing%2C+or+expired+licence%2E Only the status code is logged and the status message text should also be logged. This is a known issue and will be fixed in a future mlogc version. thanks again David, -B David S. Lee wrote: > Ryan > > > > This is what I have > > > > ConsoleURI http://127.0.0.1:8886/rpc/auditLogReceiver > > > > Is there a setting on the Console server I need to change? I also used > the modsec-auditlog-collector.pl and same issue. I get a 500 error > status return. > > > > Any help would be great. I have been banging my head against. > > > > > > [Tue Nov 06 18:40:12 2007] [3] [5867/0] ModSecurity Audit Log Collector > 1.4.2 terminating normally. > > [Tue Nov 06 18:40:13 2007] [3] [5871/0] ModSecurity Audit Log Collector > 1.4.2 started. > > [Tue Nov 06 18:40:13 2007] [3] [5871/0] Loaded 35 entries from the queue > file. 
> [Tue Nov 06 18:40:13 2007] [2] [5871/768218] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:41:18 2007] [2] [5871/7f5850] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:42:23 2007] [2] [5871/7f58e0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:43:28 2007] [2] [5871/7f5970] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:44:33 2007] [2] [5871/7f5a00] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:45:38 2007] [2] [5871/7f5a90] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:46:43 2007] [2] [5871/7f5b20] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:47:48 2007] [2] [5871/7f5bb0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:48:53 2007] [2] [5871/7f5c40] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:49:58 2007] [2] [5871/7f5cd0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:51:03 2007] [2] [5871/7f5d60] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:52:08 2007] [2] [5871/7f5df0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:53:13 2007] [2] [5871/7f5e80] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:54:19 2007] [2] [5871/7f5f10] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:55:24 2007] [2] [5871/7f5fa0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:56:29 2007] [2] [5871/7f6030] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:57:34 2007] [2] [5871/7f60c0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:58:39 2007] [2] [5871/7f6150] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 18:59:44 2007] [2] [5871/7f61e0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 19:00:49 2007] [2] [5871/7f6270] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 19:01:54 2007] [2] [5871/7f6300] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 19:02:59 2007] [2] [5871/7f6390] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
> [Tue Nov 06 19:03:17 2007] [3] [5871/0] Caught SIGTERM, shutting down.
>
> Kind regards
> David S. Lee

-- Brian Rectanus Breach Security |
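A way to triage an mlogc-error.log like the one quoted above, as an added example that is not code from any participant in this thread or from the ModSecurity project. The field labels `level` and `worker` are this example's own guesses at the bracketed fields, and the sample lines are copied from the quoted excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout taken from the log excerpt quoted in this thread.
# "level" and "worker" are labels assumed by this example, not mlogc terms.
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[(?P<level>\d+)\] \[(?P<worker>[^\]]+)\] "
    r"Flagging server as errored after failure to submit entry "
    r"(?P<entry>\S+) with HTTP response code (?P<code>\d{3})"
)

# Sample input: the first three failures and the shutdown line from the thread.
SAMPLE = """\
[Tue Nov 06 18:40:13 2007] [2] [5871/768218] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:41:18 2007] [2] [5871/7f5850] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 18:42:23 2007] [2] [5871/7f58e0] Flagging server as errored after failure to submit entry ZX1yeX8AAAEAAGWTPJ8AAAAD with HTTP response code 500
[Tue Nov 06 19:03:17 2007] [3] [5871/0] Caught SIGTERM, shutting down.
"""


def stuck_entries(log_text, min_retries=3):
    """Return audit entries that failed at least min_retries times."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other messages (e.g. the shutdown notice) are skipped
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        seen[m["entry"]].append((ts, int(m["code"])))
    report = {}
    for entry, hits in seen.items():
        if len(hits) < min_retries:
            continue
        hits.sort()
        gaps = sorted((b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:]))
        codes = sorted({code for _, code in hits})
        report[entry] = {
            "failures": len(hits),
            "codes": codes,
            "median_gap_s": gaps[len(gaps) // 2],
            # A 5xx status means the console was reached and answered with a
            # server error, so look at the console, not at the network path.
            "console_side": all(500 <= c <= 599 for c in codes),
        }
    return report


if __name__ == "__main__":
    print(stuck_entries(SAMPLE))
```

While one entry is being retried like this, newer audit events are not reaching the console, so a non-empty report is worth alerting on.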
From: JBRAVO <jon...@gm...> - 2007-11-26 12:54:00
|
Hello,

On 06-11-2007 (Tue) at 17:01 -0800, Brian Rectanus wrote:
> To benefit the list, I'll repeat what I found after David sent more
> debugging (Thanks David!):
>
> It looks like the console license expired and was rejecting alerts from
> mlogc.

OK, I have the same problem (SLES10; apache 2.2.3, mod_security 2.1.2; mlogc 1.4.2, mod_security console 1.0.2 rpm install; java sun 1.4.2).

My free trial licence was generated on 18 October 2007. Is it time limited (I was unable to test it earlier)? I cannot see such information.

I have only one "test" sensor configured.

-- JBRAVO |
From: Ivan R. <iva...@gm...> - 2007-11-26 13:59:07
|
May be a different problem. The licence embedded in the product expired some months ago, but the licences generated through the BSN never expire.

-- Ivan Ristic |
From: .:JbRaVo:. <jon...@gm...> - 2007-11-26 15:01:15
|
Hello,

On 26-11-2007 (Mon) at 13:59 +0000, Ivan Ristic wrote:
> May be a different problem. The licence embedded in the product
> expired some months ago, but the licences generated through the BSN
> never expire.

Reinstalled with the *tar.gz version - still the same effect. And I can still see an error saying that the licence is missing at the top of the console webgui.

Should I initiate some kind of console database first? I've found these in /opt/modsecurity-console/var/logs/debug.log.0:

2007-11-26 15:50:00 org.springframework.jdbc.core.JdbcTemplate throwExceptionOnWarningIfNotIgnoringWarnings
WARNING: SQLWarning ignored: java.sql.SQLWarning: No row was found for FETCH, UPDATE or DELETE; or the result of a query is an empty table.

There is no info about manually creating any other files/dbs.

-- JBRAVO |
From: Ivan R. <iva...@gm...> - 2007-11-26 18:13:34
|
After obtaining your personalised licence, have you installed it through the GUI (following the link from the message at the top) and then restarted (apply changes in the admin section)?

On Nov 26, 2007 3:00 PM, .:JbRaVo:. <jon...@gm...> wrote:
> Hello,
>
> On 26-11-2007 (Mon) at 13:59 +0000, Ivan Ristic wrote:
> > May be a different problem. The licence embedded in the product
> > expired some months ago, but the licences generated through the BSN
> > never expire.
>
> Reinstalled with *tar.gz version - still same effect. And i still can
> see error saying that licence is missing at the top of console webgui.
>
> Should i initiate some kind of console database first?

No, the application comes with a database.

> I've found these
> in /opt/modsecurity-console/var/logs/debug.log.0:
>
> 2007-11-26 15:50:00 org.springframework.jdbc.core.JdbcTemplate
> throwExceptionOnWarningIfNotIgnoringWarnings
> WARNING: SQLWarning ignored: java.sql.SQLWarning: No row was found for
> FETCH, UPDATE or DELETE; or the result of a query is an empty table.

That's normal.

> There is no info about creating manually any other files/dbs.

Because there's no need to :)

-- Ivan Ristic |
From: .:JbRavo:. <jon...@gm...> - 2007-11-26 19:20:04
|
Hello,

On 26-11-2007 (Mon) at 18:13 +0000, Ivan Ristic wrote:
> After obtaining your personalised licence, have you installed it
> through the GUI (following the link from the message at the top) and
> then restarted (apply changes in the admin section)?

I got stuck on this. After a couple of hours, I've noticed that the GUI is telling me that I have unsaved settings just after applying the new licence... I really must take some rest ;) Of course, just after applying the changes the magic started :)

Sorry for bothering you guys, and many thanks for the amazing job you are doing with mod_security.

BTW, now there is another problem ;) I cannot connect to the webgui in SSL mode:

Failed to start: SslListener2@0.0.0.0:8886

-- JBRAVO |
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-11-26 19:28:44
|
I believe that SSL is not supported in the community console.

--
Ryan C. Barnett
ModSecurity Community Manager |
From: .:JbRavo:. <jon...@gm...> - 2007-11-26 20:17:41
|
Hello,

On 26-11-2007 (Mon) at 14:26 -0500, Ryan Barnett wrote:
> I believe that SSL is not supported in the community console.

I got errors in "stderr.log":

java.io.IOException: Keystore was tampered with, or password was incorrect

So I:

Returned to SUN Java 1.4.2 (at first I got other errors, and they were related to the IBM Java version).

Checked console.conf for setup records and found: Property keypassword "password".

Checked the keystore password: keytool -list -keystore keystore, and it seems that the password is OK.

So, is there really no SSL support in the free version? :( Do I need to forward some ssh to deal with it?

BTW: great book Ryan (PWAwA)!

-- Regards, Maciej .:JbRaVo:. Harasimczuk <My GPG Fingerprint: 87C8 9254 E38F B323 0CD2 A773 7350 63E2 7779 7FE9> |