Logs and mod_security

Hedloff

Well-Known Member
#1
Hello,

I have had a ticket with Comodo WAF for a while now about rules not working correctly with Litespeed servers.
We have no issues with Apache and Litespeed worked before also.

I would love to see that you work together with Comodo on this or other mod_security providers to get it working as it should.

In WHM I'm missing some things from the logs:

As you see there is no information on "Action Description: or Justification:".

Comodo said:
Please check if Litespeed logs written in correct location and contain all fields required for cPanel log parser

Where can we check that?
 

mistwang

LiteSpeed Staff
#2
Image is broken.
Are you talking about missing blocked requests notification in WHM?
Have you checked /usr/local/apache/logs/audit_log? If a request is blocked by modsecurity, it should be logged in audit_log.
 
#3
Hello,

You must disable the audit log section in the Comodo WAF rules, for example:
#SecAuditLog /usr/local/lsws/logs/modsec_audit.log
#SecDebugLog /usr/local/lsws/logs/modsec_debug.log

and enable internal audit log:
[Image attachment: 2015-12-04 14_31_10-Greenshot.png]

Also, if the Virtual Host error log level setting is INFO, then the triggered message will be reflected in the error log.
 

Hedloff

Well-Known Member
#4
mistwang said:
Image is broken.
Are you talking about missing blocked requests notification in WHM?
Have you checked /usr/local/apache/logs/audit_log? If a request is blocked by modsecurity, it should be logged in audit_log.

Yes, they are blocked and I do find them in audit_log.
But in WHM I cannot get any description and Comodo is only pointing this issue to Litespeed.
You can see the picture from this url:
http://imgur.com/V4hO42U
 

Hedloff

Well-Known Member
#5
Hello,

You must disable the audit log section in the Comodo WAF rules, for example:
#SecAuditLog /usr/local/lsws/logs/modsec_audit.log
#SecDebugLog /usr/local/lsws/logs/modsec_debug.log

and enable internal audit log:
[Attachment 737]

Also, if the Virtual Host error log level setting is INFO, then the triggered message will be reflected in the error log.
-

Did try this, but nothing changed and I could not get any more information in WHM about why CWAF was triggered.
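
Added example (not written by any poster in this thread, nor by cPanel, Comodo or LiteSpeed): one way to check whether entries in audit_log carry the text from which an action description and a justification could be derived. It assumes the ModSecurity 2.x serial audit-log layout and that both pieces live in the section H `Message:` line; the field names `action_desc` and `justification`, the split rule and the function names are assumptions of this example, not WHM's actual parser.

```python
import re

# Constructed sample in ModSecurity 2.x serial audit-log layout (not real traffic).
# The second transaction has no "Message:" line in section H.
SAMPLE = """\
--a1b2c3d4-A--
[04/Dec/2015:14:31:10 +0100] AAAAAAAAAAAAAAAAAAAAAAAA 203.0.113.5 51234 192.0.2.10 80
--a1b2c3d4-B--
GET /?q=cwaf-test-marker HTTP/1.1
Host: example.test

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "cwaf-test-marker" at ARGS:q. [file "/constructed/rules.conf"] [line "10"] [id "999001"] [msg "Constructed test rule"]
Action: Intercepted (phase 2)
--a1b2c3d4-Z--
--b2c3d4e5-A--
[04/Dec/2015:14:32:00 +0100] BBBBBBBBBBBBBBBBBBBBBBBB 203.0.113.5 51240 192.0.2.10 80
--b2c3d4e5-H--
Action: Intercepted (phase 2)
--b2c3d4e5-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_audit_log(text):
    """Return one dict per transaction with the fields found in section H."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            boundary, section = m.groups()
            if section == "A":  # section A opens a new transaction
                current = {"boundary": boundary, "action_desc": "",
                           "justification": "", "tags": {}}
                entries.append(current)
            continue
        if section == "H" and current and line.startswith("Message: "):
            body = line[len("Message: "):]
            first_tag = TAG.search(body)
            text_part = (body[:first_tag.start()] if first_tag else body).strip()
            # Assumed split: text up to the first ". " is the action taken,
            # the remainder is the reason the rule matched.
            action, _, reason = text_part.partition(". ")
            current["action_desc"] = action.rstrip(".")
            current["justification"] = reason
            current["tags"] = dict(TAG.findall(body))
    return entries

def incomplete(entries):
    """Boundaries of transactions lacking an action or a match reason."""
    return [e["boundary"] for e in entries
            if not (e["action_desc"] and e["justification"])]
```

To run it against the file named in this thread, pass the contents of /usr/local/apache/logs/audit_log (opened with `errors="replace"`, since request bodies may not be valid UTF-8) to `parse_audit_log` and print the result of `incomplete`.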
 