

LiteSpeed Web Server Not Logging but Apache Is

A user running cPanel/WHM on the server does not see any blocked activity under the ModSec section in WHM while using LiteSpeed. After switching to Apache, the incoming blocks begin to be logged.

Testing has shown that mod_security is hit and a 403 error is returned under LSWS. So, it seems that mod_security works fine on both Apache and LSWS, and that the problem is only with the logging. Why?

There are two mod_security log modes: Concurrent and Serial.

SecAuditLogType Concurrent

or

SecAuditLogType Serial

Apache supports both modes while LSWS only supports Serial Audit log mode.

In the above example, the mode is set to Concurrent, so Apache uses that logger mode. Under LiteSpeed, however, cPanel is looking for another log to populate the “ModSecurity Tools” entries.

To fix the problem and get LiteSpeed Web Server logging, turn off the mod_security concurrent logger configuration and change it to serial mode.

Unsupported Variable error

Sometimes you may see errors like the following:

2018-10-08 15:51:43.075081  ERROR   [ModSecurity] FILES:import_file "@rx <": Rule not supported.
2018-10-08 15:51:43.077152  ERROR   [ModSecurity] failed to parse a modsec variable. while parsing: %{TIME_EPOCH}
2018-10-08 15:51:43.077934  ERROR   [ModSecurity] unknown server variable while parsing: FILES:import_file
2018-10-08 15:51:43.077942  ERROR   [ModSecurity] FILES:import_file "@contains <": Rule not supported.
2018-10-08 15:51:43.081368  ERROR   [ModSecurity] unknown server variable while parsing: MATCHED_VARS_NAMES
2018-10-08 15:51:43.081385  ERROR   [ModSecurity] MATCHED_VARS_NAMES "@rx ^ARGS:AGENDA_EXT_(?:NAME|SRC|COLOR)__[\d]{1}$" "t:none": Rule not supported.
2018-10-08 15:51:43.104981  ERROR   [ModSecurity] unknown server variable while parsing: FILES:file
2018-10-08 15:51:43.105000  ERROR   [ModSecurity] FILES:file "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode": Rule not supported.
2018-10-08 15:51:43.110779  ERROR   [ModSecurity] failed to parse a modsec variable. while parsing: %{REQUEST_COOKIES.pwg_id}
2018-10-08 15:51:43.110937  ERROR   [ModSecurity] failed to parse a modsec variable. while parsing: %{REQUEST_COOKIES.pwg_id}

We try to keep LSWS compatible with the latest mod_security 2.5 (and above) and gotroot rules. LSWS supports most of these rules and attempts not to miss any really important features or rules used in the real world. We also keep updating support based on user feedback. However, because of the complexity and constantly changing nature of these security rules, it is not possible to be 100% compatible with Apache at any one time.

The above error messages simply mean that these variables are not supported by LSWS yet. They can simply be ignored. We will periodically review our mod_security engine and add new support to it. Stay tuned.
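To see at a glance which variables and rules the log reports as unsupported, the messages can be grouped by type. This is an added example, not LiteSpeed code: the function name summarize and the regular expressions are assumptions derived from the message formats in the error lines quoted above, which are embedded as the sample input.

```python
import re
from collections import Counter

# Constructed sample: the error lines quoted above on this page.
SAMPLE_LOG = r'''
2018-10-08 15:51:43.075081  ERROR   [ModSecurity] FILES:import_file "@rx <": Rule not supported.
2018-10-08 15:51:43.077152  ERROR   [ModSecurity] failed to parse a modsec variable. while parsing: %{TIME_EPOCH}
2018-10-08 15:51:43.077934  ERROR   [ModSecurity] unknown server variable while parsing: FILES:import_file
2018-10-08 15:51:43.077942  ERROR   [ModSecurity] FILES:import_file "@contains <": Rule not supported.
2018-10-08 15:51:43.081368  ERROR   [ModSecurity] unknown server variable while parsing: MATCHED_VARS_NAMES
2018-10-08 15:51:43.081385  ERROR   [ModSecurity] MATCHED_VARS_NAMES "@rx ^ARGS:AGENDA_EXT_(?:NAME|SRC|COLOR)__[\d]{1}$" "t:none": Rule not supported.
2018-10-08 15:51:43.104981  ERROR   [ModSecurity] unknown server variable while parsing: FILES:file
2018-10-08 15:51:43.105000  ERROR   [ModSecurity] FILES:file "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode": Rule not supported.
2018-10-08 15:51:43.110779  ERROR   [ModSecurity] failed to parse a modsec variable. while parsing: %{REQUEST_COOKIES.pwg_id}
2018-10-08 15:51:43.110937  ERROR   [ModSecurity] failed to parse a modsec variable. while parsing: %{REQUEST_COOKIES.pwg_id}
'''

# Message formats are assumed to match the lines above (not an official LSWS spec).
PREFIX = re.compile(r'^\S+ \S+\s+ERROR\s+\[ModSecurity\]\s+(.*)$')
UNKNOWN = re.compile(r'^unknown server variable while parsing: (\S+)$')
MACRO = re.compile(r'^failed to parse a modsec variable\. while parsing: %\{([^}]+)\}$')
RULE = re.compile(r'^(\S+) (".*"): Rule not supported\.$')

def summarize(log_text):
    """Group [ModSecurity] ERROR lines into unsupported variables, macros and rules."""
    variables, macros, rules = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # blank line or not a ModSecurity ERROR entry
        msg = m.group(1)
        if (u := UNKNOWN.match(msg)):
            variables[u.group(1).split(":", 1)[0]] += 1  # keep collection name only
        elif (v := MACRO.match(msg)):
            macros[v.group(1)] += 1
        elif (r := RULE.match(msg)):
            rule = (r.group(1), r.group(2))  # (target, operator and actions)
            if rule not in rules:
                rules.append(rule)
    return {"variables": dict(variables), "macros": dict(macros), "rules": rules}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("Unsupported variables:", report["variables"])
    print("Unparsed macros:", report["macros"])
    for target, detail in report["rules"]:
        print("Rule not supported:", target, detail)
```

The entries under "rules" are the ones the log marks as "Rule not supported", so they are the rules to compare against the rule set loaded under Apache.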

  • Last modified: 2018/10/08 20:23
  • by Jackson Zhang