Thread: [mod-security-users] SecGuardianLog per virtual host?
From: Linh Vu <vu...@ph...> - 2006-02-27 01:12:50

Hi all,

I'm a bit confused about this part in the documentation and the instruction at the top of httpd-guardian. I'm using per-virtual-host logging so if I want to use httpd-guardian, I need to have

SecGuardianLog |/path/to/httpd-guardian

in every VirtualHost config?

And I can have both AuditLog and GuardianLog?

Cheers,
Linh

--
-----------------------------------------------
Linh Vu - Web/DB and Systems Support officer
School of Physics, The University of Melbourne
Office: 8344 8093
Email: vu...@ph...
-----------------------------------------------

From: Ivan R. <iv...@we...> - 2006-02-27 11:51:05

Linh Vu wrote:
> Hi all,
>
> I'm a bit confused about this part in the documentation and the
> instruction at the top of httpd-guardian. I'm using per-virtual-host
> logging so if I want to use httpd-guardian, I need to have
>
> SecGuardianLog |/path/to/httpd-guardian
>
> in every VirtualHost config?

No. Only one guardian log can be used for the whole web server. I designed it to protect the web server, not individual sites.

> And I can have both AuditLog and GuardianLog?

You can have as many audit logs as you want. Per-virtual host included...

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net

From: Linh Vu <vu...@ph...> - 2006-02-28 01:20:01

Hi,

Thanks for your reply. I currently have 1 AuditLog at httpd.conf level to log all virtual hosts. I take it that if I add SecGuardianLog /path/to/httpd-guardian at that same level, it will scan every request that gets logged in AuditLog and act accordingly?

I'm confused by this paragraph in httpd-guardian script:

# NOTE: In order for this script to be effective it must be able to
# see all requests coming to the web server. This will not happen
# if you are using per-virtual host logging. In such cases either
# use the ModSecurity 1.9 SecGuardianLog directive (which was designed
# for this very purpose).

So does "per-virtual host logging" here refer to the Audit Log? Which means that if I have multiple AuditLogs for the virtual hosts, SecGuardianLog won't be effective, right? With my current setup (single AuditLog for the whole server), it will work?

I was thinking of my access/error logging per virtual host, which probably shouldn't have anything to do with this.

Cheers,
Linh

Ivan Ristic wrote:
>Linh Vu wrote:
>
>>Hi all,
>>
>>I'm a bit confused about this part in the documentation and the
>>instruction at the top of httpd-guardian. I'm using per-virtual-host
>>logging so if I want to use httpd-guardian, I need to have
>>
>>SecGuardianLog |/path/to/httpd-guardian
>>
>>in every VirtualHost config?
>
> No. Only one guardian log can be used for the whole web server. I
> designed it to protect the web server, not individual sites.
>
>>And I can have both AuditLog and GuardianLog?
>
> You can have as many audit logs as you want. Per-virtual host
> included...

--
-----------------------------------------------
Linh Vu - Web/DB and Systems Support officer
School of Physics, The University of Melbourne
Office: 8344 8093
Email: vu...@ph...
-----------------------------------------------

From: Ivan R. <iv...@we...> - 2006-02-28 12:57:46

Linh Vu wrote:
> Hi,
>
> Thanks for your reply. I currently have 1 AuditLog at httpd.conf level
> to log all virtual hosts. I take it that if I add SecGuardianLog
> /path/to/httpd-guardian at that same level, it will scan every request
> that gets logged in AuditLog and act accordingly?

The idea is to send information about *every* request to the guardian log.

> I'm confused by this
> paragraph in httpd-guardian script:
>
> # NOTE: In order for this script to be effective it must be able to
> # see all requests coming to the web server. This will not happen
> # if you are using per-virtual host logging. In such cases either
> # use the ModSecurity 1.9 SecGuardianLog directive (which was designed
> # for this very purpose).
>
> So does "per-virtual host logging" here refer to the Audit Log?

No, it refers to the case when you are using this facility without ModSecurity. In that case you will need to ensure all requests are sent to httpd-guardian. If you are using ModSecurity - it does that for you.

> Which
> means that if I have multiple AuditLogs for the virtual hosts,
> SecGuardianLog won't be effective, right?

No, audit log and guardian log are not related.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net

From: Linh Vu <vu...@ph...> - 2006-02-28 22:49:04

Thanks for clearing that up. I get it now.

Cheers,
Linh

Ivan Ristic wrote:
>Linh Vu wrote:
>
>>Hi,
>>
>>Thanks for your reply. I currently have 1 AuditLog at httpd.conf level
>>to log all virtual hosts. I take it that if I add SecGuardianLog
>>/path/to/httpd-guardian at that same level, it will scan every request
>>that gets logged in AuditLog and act accordingly?
>
> The idea is to send information about *every* request to the
> guardian log.
>
>>I'm confused by this
>>paragraph in httpd-guardian script:
>>
>># NOTE: In order for this script to be effective it must be able to
>># see all requests coming to the web server. This will not happen
>># if you are using per-virtual host logging. In such cases either
>># use the ModSecurity 1.9 SecGuardianLog directive (which was designed
>># for this very purpose).
>>
>>So does "per-virtual host logging" here refer to the Audit Log?
>
> No, it refers to the case when you are using this facility without
> ModSecurity. In that case you will need to ensure all requests are
> sent to httpd-guardian.
>
> If you are using ModSecurity - it does that for you.
>
>>Which
>>means that if I have multiple AuditLogs for the virtual hosts,
>>SecGuardianLog won't be effective, right?
>
> No, audit log and guardian log are not related.

--
-----------------------------------------------
Linh Vu - Web/DB and Systems Support officer
School of Physics, The University of Melbourne
Office: 8344 8093
Email: vu...@ph...
-----------------------------------------------
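
The layout the replies in this thread describe, written out as an added Apache configuration example (not part of the original messages and not taken from the ModSecurity distribution): a single SecGuardianLog at server level, with a separate audit log and access log in each virtual host. The host names and log file paths are constructed placeholders, and the `combined` log format nickname is assumed to be defined as in the stock httpd.conf.

```apache
# Added example; host names and log paths are constructed placeholders.

# --- Main server configuration (httpd.conf, outside any <VirtualHost>) ---
SecFilterEngine On

# One guardian log for the whole web server. ModSecurity sends
# information about every request to this pipe, whichever virtual
# host served it, so httpd-guardian sees the server's full traffic.
SecGuardianLog |/path/to/httpd-guardian

# --- Virtual hosts ---
# Audit logs are unrelated to the guardian log and may be set per site.
# Per-site access logs are likewise separate from the guardian feed.
<VirtualHost *:80>
    ServerName site-a.example.org
    CustomLog logs/site-a-access_log combined
    SecAuditEngine RelevantOnly
    SecAuditLog logs/site-a-audit_log
    # No SecGuardianLog here: it is a server-wide setting.
</VirtualHost>

<VirtualHost *:80>
    ServerName site-b.example.org
    CustomLog logs/site-b-access_log combined
    SecAuditEngine RelevantOnly
    SecAuditLog logs/site-b-audit_log
</VirtualHost>
```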