ModSecurity debug log level

mistwang

LiteSpeed Staff
#2
If you use it with a control panel, just change the Apache mod_security configuration:
SecDebugLogLevel 9

The debug logging is in the error log.
 

mistwang

LiteSpeed Staff
#4
If you want to check if a rule was hit, you should set up the audit log.
LiteSpeed does not scan a request that results in a 404, or a request for a static asset.
 

sahostking

Well-Known Member
#7
Hi

What is recommended for shared hosting with Comodo WAF rules? Should we use INFO with Level high so it blocks rules well, or a different level?
 
#8
ModSecurity's work doesn't depend on the log level, so you can use any one you need.
If you use Debug level, you can see all debug and ModSecurity debug too.
It helped me to understand whether the rule(s) would work or not. I use Apache-based ModSecurity (not native LSWS (Request filter)) configs.
 

mistwang

LiteSpeed Staff
#9
"Debug Level" should be set to "NONE"; only set it to another value when you need to see the debug level logging.
Log level can be set to "DEBUG" or "INFO".
 
#10
Hello!

Is there any way to see all stages of mod_security's work in the LiteSpeed log? I'm interested in logs like Apache's. For example:

Code:
--78e98913-A--
[03/Feb/2016:12:35:53 +0200] VrHYCfr2M1mGdmY@WkxftAAAAAQ 127.0.0.1 59561 127.0.0.1 8084
--78e98913-B--
GET / HTTP/1.1
Host: localhost:8084
User-Agent: tsung

--78e98913-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.11
Set-Cookie: 4126d879853bf7a65769bedc40afb774=f72thb17uj6qnq0inqboj2hpv1; path=/; HttpOnly
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 03 Feb 2016 10:35:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6560
Content-Type: text/html; charset=utf-8

--78e98913-H--
Apache-Handler: application/x-httpd-php
Stopwatch: 1454495753044656 141056 (- - -)
Stopwatch2: 1454495753044656 141056; combined=2268, p1=596, p2=1143, p3=36, p4=463, p5=29, sr=28, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2.4.6 (CentOS) PHP/5.6.11
Engine-Mode: "ENABLED"

--78e98913-Z--
Could I get the same or similar for LiteSpeed?
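
The audit log quoted in the post above wraps each transaction in `--<id>-<letter>--` boundary lines, with sections A (header), B (request headers), F (response headers), H (trailer) and Z (end). As an added example (not part of the thread and not LiteSpeed or ModSecurity project code), this Python sketch parses that serial format and pulls out the rule ids recorded in section H. It assumes the log uses the Apache layout shown in the post; the sample entry is constructed from the post's excerpt with a hypothetical `Message:` line.

```python
import re

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def parse_audit_log(text):  # one summary dict per complete A..Z entry
    entries, parts, txid, part = [], None, None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(2) == "A":            # section A opens an entry
            txid, parts, part = m.group(1), {"A": []}, "A"
        elif m and parts is not None and m.group(1) == txid:
            part = m.group(2)
            parts[part] = []
            if part == "Z":                    # section Z closes the entry
                entries.append(summarise(parts))
                parts = None
        elif not m and parts is not None:
            parts[part].append(line)           # body line of current section
    return entries

def summarise(parts):
    first = lambda key: next((l for l in parts.get(key, []) if l), "")
    # Section A: [timestamp] unique_id src_ip src_port dst_ip dst_port
    head = re.match(r"\[(.+?)\] (\S+) (\S+) \d+ \S+ \d+", first("A"))
    time, uid, client = head.groups() if head else (None,) * 3
    trailer = [l.split(": ", 1) for l in parts.get("H", []) if ": " in l]
    status = first("F").split(" ")
    return {"time": time, "unique_id": uid, "client": client,
            "request": first("B"), "status": (status + [None])[1],
            "engine_mode": dict(trailer).get("Engine-Mode", "").strip('"'),
            "rule_ids": [i for k, v in trailer if k == "Message"
                         for i in RULE_ID.findall(v)]}

SAMPLE = """\
--78e98913-A--
[03/Feb/2016:12:35:53 +0200] VrHYCfr2M1mGdmY@WkxftAAAAAQ 127.0.0.1 59561 127.0.0.1 8084
--78e98913-B--
GET / HTTP/1.1
User-Agent: MJ12bot

--78e98913-F--
HTTP/1.1 406 Not Acceptable

--78e98913-H--
Message: Access denied with code 406 (phase 1). Pattern match "MJ12bot" at REQUEST_HEADERS:User-Agent. [id "300003"] [msg "MJ12bot"]
Engine-Mode: "ENABLED"

--78e98913-Z--
"""  # constructed sample: the post's entry with a hypothetical Message line
```

Entries that never reach their `Z` boundary (for example, a log cut off mid-write) are dropped rather than reported half-parsed.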
 

sahostking

Well-Known Member
#13
I assume setting it to NOTICE is also enough, and not INFO?

Reason is I see this:

[Tue Feb 9 12:51:22 2016] [error] [client 94.154.233.132] ModSecurity: Access denied with code 406, [Rule: 'REQUEST_HEADERS:User-Agent' 'MJ12bot'] [id "300003"] [msg "MJ12bot"]


So I assume it is picking up mod security in logs even on notice?
 

sahostking

Well-Known Member
#15
OK, but are you stating that using INFO is recommended for mod security with Comodo rules?

Are you stating not all rules would be seen on NOTICE?
 

mistwang

LiteSpeed Staff
#16
It is not directly related to mod security; in general, we recommend using DEBUG or INFO level logging, so we can get more information from the error log when we need to troubleshoot something.
 