Differences

This shows you the differences between two versions of the page.

--- litespeed_wiki:config:mod_security_no_log [2018/10/01 20:52]
Jackson Zhang created
+++ litespeed_wiki:config:mod_security_no_log [2018/10/08 20:23]
Jackson Zhang
@@ Line 1: / Line 1: @@
-====== I can not see LSWS loging any activities but apache logging ok ======
+====== LiteSpeed Web Server Not Logging but Apache Is ======
-The user runs cPanel/WHM on the server. We do not see any blocks of activity under the ModSec section in WHM when switching to LiteSpeed while switching to Apache,  it is working fine and all the logs started showing all the blocks coming in.
+A user running cPanel/WHM on the server does not see any blocks of activity under the ModSec section in WHM while using LiteSpeed. After switching to Apache, the blocks coming in begin to be logged.
-When particular testing a rule, it did hit mod_security and returned 403 error on LSWS. It seems mod_security works fine on both Apache and LSWS, just no log on LSWS. Why does it happen?
+Testing has shown that mod_security is hit and a 403 error is returned under LSWS. So, it seems that mod_security works fine on both Apache and LSWS, and that the problem is only with the logging. Why?
-There are two type of mod_security log mode: Concurrent or Serial.
+There are two mod_security log modes: Concurrent and Serial.
   SecAuditLogType Concurrent
 or
   SecAuditLogType Serial
-Apache supports both mode while LSWS only supports Serial Audit log mode.
+Apache supports both modes while LSWS only supports Serial Audit log mode.
-In the above example, Apache uses concurrent logger mode and cPanel is looking for another log to populate the "ModSecurity Tools" entries.  How to fix?
+In the above example, the mode is set to ''Concurrent'', and so Apache uses that logger mode, but under LiteSpeed cPanel is looking for another log to populate the "ModSecurity Tools" entries.
+To fix the problem and get LiteSpeed Web Server logging, turn off the mod_security concurrent logger configuration and change it to serial mode.
+====== Unsupported Variable error =====
+Sometime you may see some error like the following:
+-10-08 15:51:43.075081  ERROR   [ModSecurity] FILES:import_file "@rx <": Rule not supported.
+-10-08 15:51:43.077152  ERROR   [ModSecurity] failed to parse a modsec variable. while parsing: %{TIME_EPOCH}
+-10-08 15:51:43.077934  ERROR   [ModSecurity] unknown server variable while parsing: FILES:import_file
+-10-08 15:51:43.077942  ERROR   [ModSecurity] FILES:import_file "@contains <": Rule not supported.
+-10-08 15:51:43.081368  ERROR   [ModSecurity] unknown server variable while parsing: MATCHED_VARS_NAMES
+-10-08 15:51:43.081385  ERROR   [ModSecurity] MATCHED_VARS_NAMES "@rx ^ARGS:AGENDA_EXT_(?:NAME|SRC|COLOR)__[\d]{1}$" "t:none": Rule not supported.
+-10-08 15:51:43.104981  ERROR   [ModSecurity] unknown server variable while parsing: FILES:file
+-10-08 15:51:43.105000  ERROR   [ModSecurity] FILES:file "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode": Rule not supported.
+-10-08 15:51:43.110779  ERROR   [ModSecurity] failed to parse a modsec variable. while parsing: %{REQUEST_COOKIES.pwg_id}
+-10-08 15:51:43.110937  ERROR   [ModSecurity] failed to parse a modsec variable. while parsing: %{REQUEST_COOKIES.pwg_id}
+We try to keep LSWS compatible with the latest mod_security 2.5(and above) and gotroot rules. LSWS supports most of these rules and attempts not to miss any really important features/rules used in the real world. We also keep updating support based on our user feedback.  However, because of the complexity and always updating nature of these security rules, it is not possible to be 100% compatible with Apache at any one time.
+The above error messages simply mean these variables are not supported by LSWS yet. They can be simply ignored.
+We will periodically review our mod_security engine and add new support to it. Stay tuned.
-Turning off mod_security concurrent logger configuration and change it to serial mode.