
Mod security logs in cPanel

XENOMEDIA shared this idea 11 years ago
Open Discussion

Currently the Mod Security log is only visible for WHM administrators. Providing Mod Security logs for cPanel users on a per account basis for all domains related to that account can be an addition to security awareness.


The reason is that I noticed a lot of website related "issues" which are now hidden for cPanel users. To provide these logs it can help them to act on these warnings.

Best Answer

It looks like this was moved to 'In Progress' prematurely. While this is something we would like to take a look at, it's not currently something we're working on. I'm so sorry for that.


I'm going to move this request back to 'Open Discussion' for now. As soon as there's any more information, I'll let you know!

Replies (13)

1

Would like to see something like this implemented.

1

A brand new ModSecurity interface in WHM is being rolled out in cPanel & WHM 11.46. Within this complete revamp of the UI we provide for it are much more useful tools for administrators (such as the ability to quickly identify and selectively disable ModSecurity rules deemed to generate false positives).


While the interface is WHM only, I bring this up because I'd love to hear further feedback on it. For a future release, the plan is to adapt similar functionality into the cPanel side. When 11.46 hits the EDGE tier, I would encourage those interested in this particular feature request to take a look at the new interface. This cPanel side equivalent would, as you've requested, provide end users with the ability to quickly identify how ModSecurity is affecting their site(s).


Note that the end user interface in cPanel would essentially be a "viewer" only. Unlike its WHM counterpart, it would not be able to disable/modify given rules. The intention is to deliver the cPanel side of the interface for cPanel & WHM 11.48.

1

Any screen captures yet?

2

The attached screenshot is what the ModSecurity Hits List looks like via WHM in 11.45 that's currently available in the EDGE tier of cPanel & WHM. In regards to this specific feature request, a similar feeling interface is something that we're looking to implement for the cPanel end-user in a future version of cPanel & WHM.


I encourage everyone interested in this feature request that has a server to utilize for experimental versions/testing to set it to the EDGE tier to grab the current 11.45 version and provide feedback/testing.

1

Looks like a very nice approach. The ability to filter by date, host, source, severity or even by Rule ID would be more than appreciated, to allow knowing the impact or frequency of occurrence of a given event, thus allowing a wiser analysis of the situation.

I second this as it's a long-expected feature.

1

Currently the mod_security option is OK and much better than having to manually manage the OWASP ruleset; however, there are some aspects that would need to be addressed:

  • enabling logging of noteworthy transactions in some cases creates 100MB of logs per day, which eats up the user's space (we use mod_ruid2)
  • some rules like IP database lookups do not work due to mod_ruid2, as the ownership of the logs and IP databases is a problem with mod_ruid2 enabled; these failing rules write log entries several times per second, and having hundreds of domains generates too much disk overhead with error logs from the inaccessible IP database
  • 99% of our customers are from an EU country that is on the OWASP blacklisted countries list but we do not consider them spam or risky, so a whitelist is needed to be able to use mod_security triggers with automatic IP blocking in firewall (currently there are too many false positives)
  • in many cases clients just get frustrated with unexplained redirects to homepage (they do not even know there is a mod_security problem and just look for other problems) so having the logs available to the cPanel user is vital
  • there is no log rotation for the concurrent logging option with mod_ruid, and our servers had accumulated over 40GB in millions of log files that took over 4 hrs just to delete; we currently have to run a cron to delete the logs in case we have to turn on logging for debugging

1

There is a compatibility issue with mod_ruid2 and jailshell, in that if these are enabled then mod_security cannot write any logs.


I would recommend moving the mod_security logs under the user's home.

1) Users now just complain that their site is not working and it is a lot of work to find the problematic rule; it would be ideal if they could see the rules triggered by their script so they can remedy the script or REPORT AND DISABLE THE RULE FOR THEIR ACCOUNT!!

2) They can deactivate mod_security anyway, and they are paying for the log file space already because the logs are already owned by the user so it eats up their space; at least it would be useful to them.

1

Anyone who has tried enabling the OWASP ruleset will see that basic WordPress functions stop and some rules need whitelisting.

Letting users see which rules are triggered and disable them would help tremendously.


Other admins, please vote on this! :)

1

It would be interesting if the cPanel user could see all the hits generated by mod_sec in his domains with the "Action Description" and "Justification"; then he could try to solve the issue in his website without contacting support.


Currently, he needs to contact the hosting support, providing us domain info, URL and date/time, so we can try to find the hit; this produces a bad image of the hosting company and a long delay in solving an issue.

1

Hello! Any news on this one? It's been In Progress for a year.

2

Hey Kent! I'm not sure, but I'm going to check on this one. I'll let you know as soon as I have more information.

1

We get the same request from our customers. Since the data is already stored in the MySQL database modsec, I guess it's not a huge deal to filter the result based on the hostname.
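The per-account view requested in this thread (hits limited to one account's domains, counted by rule ID), as an added example that is not cPanel's code or part of any post. It reads ModSecurity 2.x entries from Apache error-log text rather than the modsec database mentioned above, whose schema is not shown on this page; the log lines, domain names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache error-log layout ModSecurity 2.x uses.
SAMPLE_LOG = r'''
[Tue Mar 12 09:14:02 2024] [:error] [pid 2211] [client 198.51.100.7:50112] ModSecurity: Access denied with code 403 (phase 2). [file "/rules/sqli.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "shop.example.com"] [uri "/wp-admin/admin-ajax.php"]
[Tue Mar 12 09:15:40 2024] [:error] [pid 2211] [client 203.0.113.9:41001] ModSecurity: Access denied with code 403 (phase 2). [file "/rules/xss.conf"] [line "12"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/contact.php"]
[Tue Mar 12 09:16:03 2024] [:error] [pid 2214] [client 198.51.100.7:50130] ModSecurity: Access denied with code 403 (phase 2). [file "/rules/sqli.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "notexample.com"] [uri "/search.php"]
[Tue Mar 12 09:17:11 2024] [core:error] [pid 2214] [client 192.0.2.4:3310] File does not exist: /home/user/public_html/favicon.ico
[Tue Mar 12 09:18:55 2024] [:error] [pid 2219] [client 198.51.100.7:50190] ModSecurity: Access denied with code 403 (phase 2). [file "/rules/sqli.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "Example.com"] [uri "/wp-login.php"]
'''

TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] metadata pairs
STAMP = re.compile(r'^\[([^\]]+)\]')                 # leading timestamp
CLIENT = re.compile(r'\[client ([^\]]+)\]')

def parse_line(line):
    """Return a dict for a ModSecurity error-log line, or None for anything else."""
    if "ModSecurity:" not in line:
        return None
    hit = dict(TAG.findall(line))
    if "id" not in hit or "hostname" not in hit:
        return None  # truncated or malformed entry: skip rather than guess
    stamp, client = STAMP.match(line), CLIENT.search(line)
    hit["time"] = stamp.group(1) if stamp else ""
    hit["client"] = client.group(1) if client else ""
    hit["hostname"] = hit["hostname"].lower().rstrip(".")
    return hit

def owned(hostname, domains):
    """True only for an account domain or a subdomain of one (label boundary)."""
    return any(hostname == d or hostname.endswith("." + d) for d in domains)

def hits_for_account(log_text, domains):
    """Hits whose hostname belongs to the account; other tenants' hits are dropped."""
    domains = [d.lower().rstrip(".") for d in domains]
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [h for h in parsed if h and owned(h["hostname"], domains)]

def rule_counts(hits):
    """How often each rule ID fired, to spot the rule behind a broken page."""
    return Counter(h["id"] for h in hits)

if __name__ == "__main__":
    mine = hits_for_account(SAMPLE_LOG, ["example.com"])
    for h in mine:
        print(h["time"], h["hostname"], h["id"], h.get("severity"), h["uri"])
    print(rule_counts(mine).most_common())
```

The hostname match is done on a label boundary so that a look-alike such as `notexample.com` never shows up in another customer's view.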

3

Please, cPanel team, this functionality is really necessary; it makes us system administrators lose a lot of time explaining to users the reasons why their website gives some error. But this is in the best of cases...


... because the most serious problem is when they don't bother to ask us either; they simply deactivate mod_security in order to keep working.


The consequence is that the security failure of the website has not been corrected because they do not know the reason, and they are not protected.


Critical.
