New Topic

cPanel & WHM Feature Requests Topic Security

Category Security

Tags logs, eat up space, mod_security, mod_ruid, 11.50

Add log rotation for mod_security logs

freedomizer shared this idea ago

Completed

Since 2014-11-06 extensive logging has been done by mod_security under:

/usr/local/apache/logs/modsec_audit/~username

this presents 2 problems:

1) the logs are kept under cpanel user ownership and are counted towards disk usage (under Other Disk Usage)

2) the logs eat up a lot of space, in some cases 5Mib per day = 150Mib/month and having 100 users would be 15Gib space per month

extensive loggin occurs when using OWASP or other large rulesets.

from my conclusion only mod_security + mod_ruid creates log files under:

/usr/local/apache/logs/modsec_audit/

Currently there is in-built no log rotation or option to clean up these logs.

I handled it temporarily with a cronned script:

#!/bin/bash
echo "cleaning up files older than 7 days from modsec logs:"
find /usr/local/apache/logs/modsec_audit/ -type f -mtime +7 -exec rm {} \;

We need an urgent solution to keep these logs in check and not fill up the disk with logs.

I suggest an option to set mod_security logs for X days + include them in log rotation.

I like this idea 0

Best Answer

Aila ●

In cPanel & WHM version 11.50 we are adding a logrotate configuration for the main mod_security audit log. In addition we updated our log rotation daemon, cpanellogd, to handle the per user log files when using mod_ruid2.

Replies (2)

Manuel Sousa ●

Hello,

I just had the same issue where server performance was degrading over time with requests getting stuck in Logging.

Not sure if this was the cause hope so but i found this feature while searching for log rotation on mod_security.

I've made a change to the find command, here's mine:

find /usr/local/apache/logs/modsec_audit/*/* -maxdepth 0 -type d -mtime +7 -exec rm -rf {} \;

The reason is this way it deletes the old directories and not only the files

Edited: change find options order to avoid warning

URL

Aila ● ●

URL

Scott Neader ●

Hi Kenneth. I just updated to 11.50 on my servers. I am looking for this new configuration, but not seeing it under Service Configuration > cPanel Log Rotation. I am seeing modsec_audit.logs over 1GB in size.

URL

Hosted Power ●

Yes please tell us how to fix this. I also found huge files now under /home/username/logs ....

What about those ??

URL

Aila ●

The modsecurity logrotate configuration is automatically installed upon upgrading to 11.50. You can find the configuration file in /etc/logrotate.d

The log files in /home/user/logs are created based upon your log settings in Tweak Settings, found within WHM.

URL

Hosted Power ●

Hi thanks, you mean this setting:

The number of days to keep records of ModSecurity™ rule hits. (Use zero to keep forever).

Because I put that on 7 days, however there are archived logs from months before...

URL

Aila ●

@Hosted Power: no, that setting determines how much data to retain in the modsecurity database. I'm referring to the various items under the Stats and Logs heading in Tweak Settings.

For example the retention of log files in /home/user/logs is determined by the "Archive logs in the user's home directory at the end of each stats run unless configured by the user." setting under that heading.

URL

Hosted Power ●

Thanks again. I have the setting on, but I see all logs are archived. However for other types of logs archives don't seem to stay forever. For mod security I currently see:

/home/mywebsite/logs/

-rw-r--r-- 1 mywebsite mywebsite 1.6G Jul 31 14:26 modsec2_mywebsite_Jul_2015.gz

-rw-r--r-- 1 mywebsite mywebsite 1.7G Jun 30 14:09 modsec2_mywebsite_Jun_2015.gz

-rw-r--r-- 1 mywebsite mywebsite 1.8G Aug 31 14:09 modsec2_mywebsite_Aug_2015.gz

-rw-r--r-- 1 mywebsite mywebsite 1.1G Sep 21 14:19 modsec2_mywebsite_Sep_2015.gz

So it does not seem to remove the older ones. Why is this? It seem to keep growing forever like this :(

URL