LiteSpeed Web Server Not Logging but Apache Is
A user running cPanel/WHM on the server does not see any blocked activity under the ModSec section in WHM while using LiteSpeed. After switching to Apache, the incoming blocks begin to be logged.
Testing has shown that mod_security is hit and a 403 error is returned under LSWS. So, it seems that mod_security works fine on both Apache and LSWS, and that the problem is only with the logging. Why?
There are two mod_security log modes: Concurrent and Serial.
SecAuditLogType Concurrent
or
SecAuditLogType Serial
Apache supports both modes while LSWS only supports Serial Audit log mode.
In the above example, the mode is set to Concurrent, and so Apache uses that logger mode, but under LiteSpeed, cPanel is looking for another log to populate the “ModSecurity Tools” entries.
To fix the problem and get LiteSpeed Web Server logging, turn off the mod_security concurrent logger configuration and change it to serial mode.
Unsupported Variable error
Sometimes you may see errors like the following:
2018-10-08 15:51:43.075081 ERROR [ModSecurity] FILES:import_file "@rx <": Rule not supported.
2018-10-08 15:51:43.077152 ERROR [ModSecurity] failed to parse a modsec variable. while parsing: %{TIME_EPOCH}
2018-10-08 15:51:43.077934 ERROR [ModSecurity] unknown server variable while parsing: FILES:import_file
2018-10-08 15:51:43.077942 ERROR [ModSecurity] FILES:import_file "@contains <": Rule not supported.
2018-10-08 15:51:43.081368 ERROR [ModSecurity] unknown server variable while parsing: MATCHED_VARS_NAMES
2018-10-08 15:51:43.081385 ERROR [ModSecurity] MATCHED_VARS_NAMES "@rx ^ARGS:AGENDA_EXT_(?:NAME|SRC|COLOR)__[\d]{1}$" "t:none": Rule not supported.
2018-10-08 15:51:43.104981 ERROR [ModSecurity] unknown server variable while parsing: FILES:file
2018-10-08 15:51:43.105000 ERROR [ModSecurity] FILES:file "@contains <" "t:none,t:urlDecodeUni,t:htmlEntityDecode": Rule not supported.
2018-10-08 15:51:43.110779 ERROR [ModSecurity] failed to parse a modsec variable. while parsing: %{REQUEST_COOKIES.pwg_id}
2018-10-08 15:51:43.110937 ERROR [ModSecurity] failed to parse a modsec variable. while parsing: %{REQUEST_COOKIES.pwg_id}
We try to keep LSWS compatible with the latest mod_security 2.5 (and above) and gotroot rules. LSWS supports most of these rules and attempts not to miss any really important features or rules used in the real world. We also keep updating support based on user feedback. However, because these security rules are complex and constantly changing, it is not possible to be 100% compatible with Apache at any one time.
The above error messages simply mean these variables are not supported by LSWS yet. They can simply be ignored. We will periodically review our mod_security engine and add new support to it. Stay tuned.
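To see at a glance which variables and rules these messages refer to, the error log can be summarized by message type. The Python script below is an added example, not LiteSpeed code: the function names summarize and collection_names are hypothetical, and the sample input is a few lines from the excerpt above plus one constructed non-error line.

```python
import re
from collections import Counter

# Sample input: lines from the excerpt on this page, plus one constructed
# NOTICE line (the last one) to show that non-error lines are skipped.
SAMPLE_LOG = r'''2018-10-08 15:51:43.075081 ERROR [ModSecurity] FILES:import_file "@rx <": Rule not supported.
2018-10-08 15:51:43.077152 ERROR [ModSecurity] failed to parse a modsec variable. while parsing: %{TIME_EPOCH}
2018-10-08 15:51:43.077934 ERROR [ModSecurity] unknown server variable while parsing: FILES:import_file
2018-10-08 15:51:43.081368 ERROR [ModSecurity] unknown server variable while parsing: MATCHED_VARS_NAMES
2018-10-08 15:51:43.110779 ERROR [ModSecurity] failed to parse a modsec variable. while parsing: %{REQUEST_COOKIES.pwg_id}
2018-10-08 15:51:43.110937 ERROR [ModSecurity] failed to parse a modsec variable. while parsing: %{REQUEST_COOKIES.pwg_id}
2018-10-08 15:51:44.000000 NOTICE [ModSecurity] unrelated line
'''

# "<date> <time> ERROR [ModSecurity] <message>"
PREFIX = re.compile(r'^(\S+ \S+) ERROR \[ModSecurity\] (.*)$')
# The three message shapes that appear in the excerpt.
UNKNOWN_VAR = re.compile(r'^unknown server variable while parsing: (\S+)$')
BAD_MACRO = re.compile(r'^failed to parse a modsec variable\. while parsing: %\{([^}]+)\}$')
BAD_RULE = re.compile(r'^(.*): Rule not supported\.$')
PATTERNS = (("variables", UNKNOWN_VAR), ("macros", BAD_MACRO), ("rules", BAD_RULE))

def summarize(log_text):
    """Group [ModSecurity] ERROR lines by kind and count each distinct item."""
    summary = {"variables": Counter(), "macros": Counter(), "rules": Counter()}
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a ModSecurity error line
        for key, pattern in PATTERNS:
            hit = pattern.match(m.group(2))
            if hit:
                summary[key][hit.group(1)] += 1
                break
    return summary

def collection_names(summary):
    """Base names (text before ':' or '.') of the reported variables and macros."""
    items = list(summary["variables"]) + list(summary["macros"])
    return sorted({re.split(r'[:.]', item, maxsplit=1)[0] for item in items})

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for kind, counter in result.items():
        for item, count in counter.most_common():
            print(f"{kind:9} {count:3}  {item}")
    print("collections:", ", ".join(collection_names(result)))
```
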