Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: mod_security logs
Posted: Fri Apr 22, 2005 7:14 am
Offline
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
In the first few weeks after installing grsec and mod_security, nothing particularly exciting was reported in any logs. Just the usual formmail scanning and awstats scanning.

But suddenly I'm seeing repeated and concerted attempts to use, for example, the highlight exploit in phpbb and various exploits for Coppermine gallery.

grsec kernel error messages are reported in /var/log/messages, and logwatch dutifully emails me the highlights from this every day, neatly categorised into things like kernel errors, ftp errors etc.

But mod_security logs things in /var/log/httpd/audit_log, which logwatch doesn't look at.

Is there an easy way for me to get a daily email of mod_security's log messages?

The only thing I can think of is to change the file that mod_security logs to to be /var/log/messages, but I'm not sure of the consequences of doing so (e.g. might doing so screw something important up?)

Would changing it to /var/log/messages be OK, or is there a better way?

Faris.


 Post subject: Just modify the logwatch configs
Posted: Fri Apr 22, 2005 9:25 am
There is an optimal way: just add the audit_log file to the list of files for logwatch to monitor. You can always change the file mod_security uses, but the downside is that mod_security generates a lot of non-syslog-standard messages that the default logwatch config will probably not know how to handle correctly. You could give it a try, it won't hurt mod_security if you change the default log file, but adding a new logwatch config file for audit_log would be the "best" solution IMHO.

Or, you could use something like logcheck to watch all your logfiles. Personally, I run both logwatch and logcheck.


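The logwatch approach suggested in the reply above, worked through as an added example; this is not code from the thread or from Atomicorp. It assumes logwatch's usual layout under a config root (conf/logfiles/<group>.conf, conf/services/<service>.conf and scripts/services/<service>, normally under /etc/logwatch) and the mod_security 1.x audit_log layout in which every entry has a "Request: <client> ..." line and a "mod_security-message: ..." header. The names install_modsec_logwatch, modsec_summary and MODSEC_AWK, the file names audit_log.conf, modsec.conf and modsec, and the sample log with its addresses are all this example's own. Instead of mailing the raw audit log, the filter reduces the new entries to per-client and per-rule-message counts, which is the shape a daily report is actually read in:

```shell
#!/bin/sh
# Added example (not from the thread): feed mod_security's audit_log to logwatch.
# Assumed logwatch layout under a config root (normally /etc/logwatch):
#   conf/logfiles/<group>.conf   - files that make up a log-file group
#   conf/services/<service>.conf - a service, tied to a group by "LogFile ="
#   scripts/services/<service>   - filter that is fed the group's lines on stdin
# Assumed audit_log layout (mod_security 1.x): every entry has a line
# "Request: <client-ip> ..." and a header line "mod_security-message: ...".

# awk filter: count entries per client address and per mod_security message.
# Kept in a variable so the same program serves modsec_summary below and the
# filter script written by install_modsec_logwatch.
MODSEC_AWK='
/^Request: /              { ip[$2]++; total++ }
/^mod_security-message: / { sub(/^mod_security-message: /, ""); msg[$0]++ }
# Print one table, highest count first; ties are ordered by key so the
# output is deterministic.
function table(arr,   n, k, keys, i, j, t) {
    n = 0
    for (k in arr) keys[++n] = k
    for (i = 2; i <= n; i++) {
        t = keys[i]; j = i - 1
        while (j > 0 && (arr[keys[j]] < arr[t] ||
                         (arr[keys[j]] == arr[t] && keys[j] > t))) {
            keys[j + 1] = keys[j]; j--
        }
        keys[j + 1] = t
    }
    for (i = 1; i <= n; i++) printf "   %6d  %s\n", arr[keys[i]], keys[i]
}
END {
    if (total == 0) exit            # no new entries: logwatch shows nothing
    printf "%d request(s) logged by mod_security\n\n", total
    print "By client address:";        table(ip)
    print ""
    print "By mod_security message:";  table(msg)
}
'

# Summarise an audit log read from stdin (what logwatch does via the filter).
modsec_summary() {
    awk "$MODSEC_AWK"
}

# Write the three logwatch pieces under $1 (use /etc/logwatch on a real host).
install_modsec_logwatch() {
    root=$1
    mkdir -p "$root/conf/logfiles" "$root/conf/services" "$root/scripts/services"
    cat > "$root/conf/logfiles/audit_log.conf" <<'EOF'
# Log-file group "audit_log": the live file plus rotated copies
LogFile = /var/log/httpd/audit_log
Archive = /var/log/httpd/audit_log.*
EOF
    cat > "$root/conf/services/modsec.conf" <<'EOF'
Title = "mod_security"
LogFile = audit_log
EOF
    # Unquoted heredoc so $MODSEC_AWK is expanded into the installed script.
    cat > "$root/scripts/services/modsec" <<EOF
#!/bin/sh
# logwatch runs this with the audit_log group's lines on stdin.
exec awk '$MODSEC_AWK'
EOF
    chmod 755 "$root/scripts/services/modsec"
}

# Constructed sample in the audit_log layout (not a real capture). Only the
# "Request:" and "mod_security-message:" lines matter to the filter, so the
# later entries are abbreviated.
SAMPLE_AUDIT_LOG='========================================
Request: 192.0.2.10 - - [23/Apr/2005:17:52:01 -0500] "GET /phpBB/viewtopic.php?t=1&highlight=x HTTP/1.1" 403 0
Handler: (null)
----------------------------------------
GET /phpBB/viewtopic.php?t=1&highlight=x HTTP/1.1
Host: www.example.com
mod_security-message: Access denied with code 403. Pattern match "highlight" at THE_REQUEST
mod_security-action: 403

HTTP/1.1 403 Forbidden
========================================
Request: 198.51.100.7 - - [23/Apr/2005:17:53:10 -0500] "GET /phpBB/viewtopic.php?t=2&highlight=x HTTP/1.1" 403 0
mod_security-message: Access denied with code 403. Pattern match "highlight" at THE_REQUEST
========================================
Request: 192.0.2.10 - - [23/Apr/2005:17:54:42 -0500] "GET /gallery/index.php HTTP/1.1" 403 0
mod_security-message: Access denied with code 403. Pattern match "gallery" at REQUEST_URI
'

# Stand-alone demonstration: summarise the constructed sample.
printf '%s' "$SAMPLE_AUDIT_LOG" | modsec_summary
```

Run install_modsec_logwatch /etc/logwatch as root and the next scheduled logwatch run gains a "mod_security" section; no extra cron job or temp directory is needed. One caveat: logwatch's date-range selection relies on shared filters (the *ApplyStdDate family) that understand syslog-style timestamps, and the audit log is not in that form, so this group hands the whole current file to the filter. Rotate audit_log daily, or stay with the logtail approach in Faris' script later in this thread, if you want the counts to cover exactly one day.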
 Post subject: APF
Posted: Sat Apr 23, 2005 12:45 am
Offline
Forum Regular

Joined: Fri Feb 04, 2005 6:02 pm
Posts: 118
Location: S.E.U.S.
If you use RX-Networks APF you can go to:

http://www.crucialparadigm.com/resource ... -drops.php

for a howto on redirecting the mod_security, APF and BFD logs away from your /messages into their own log files.


 Post subject:
Posted: Sat Apr 23, 2005 3:53 pm
Offline
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
Thanks Mike. I run both too. Hm...I can't seem to find how to get logwatch to look at more than one file, or how to create a config to get it to look at things properly. Arrgh! And now I'm completely confused as to which is logcheck and which is logwatch. Drat it all. I'll have a play and see what I can break.

The thing I particularly remember is that one or the other of them uses a facility that remembers where a log file had been read to, and if I can do nothing else, I should still be able to use whatever that is to email me the relevant bits. If it exists and it isn't just me remembering things incorrectly.

Thanks phatPhrog -- but I think what the howto does is the reverse of what I want, but interesting just the same.


 Post subject:
Posted: Sat Apr 23, 2005 5:52 pm
Offline
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
Well I found all the stuff for logwatch and it looked far too hard to deal with.

So I wrote a script based on logcheck.sh to do what I wanted.
Comments welcome. This is the very first script I've ever "published".

Assuming this ever gets out into the world at large, should I add my email address after my name? I have spamarrest on the account I was thinking of publishing, so it is unlikely to be a huge problem. But I'd appreciate advice just the same -- there are worse things than spammers.

Also do I need to add any more credits or disclaimers or anything?
Do I need to put something about GNU GPL somewhere (the original work was distributed under the GNU GPL). It is just a small silly little script after all - but I don't want to break any Rules.


NOTE: I disclaim EVERYTHING about this script. use at your own risk.

Code:
#!/bin/sh
#       mod_sec_Watch.sh: mod_security log file checker/mailer
#       Written by Faris
#
#       This script is based on:
#       logcheck.sh Written by Craig Rowland
#       which, along with logtail.c is based upon
#       the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
#       (c)Trusted Information Systems Inc. The original authors are
#       Marcus J. Ranum and Fred Avolio.


# This is version 1.0 of mod_sec_Watch.sh 23/04/2005
# (the first release version)
# Use at your own risk. You have been warned.

# INSTALLATION:
#
# 1) DO THIS FIRST:
# mkdir /usr/local/etc/modsectmp
# chmod 700 /usr/local/etc/modsectmp
# (lower privileges would be better!)

# 2) Now install mod_security and configure it to output its logs to
# /var/log/httpd/audit_log
#
# There are many howtos on mod_security but I can't recommend www.gotroot.com
# highly enough if you want to learn and get good rulesets.

# 3) install logcheck in order to get the logtail program


# 4) copy this script somewhere (chmod it 700) and have it execute daily via cron, ideally
# at one minute to midnight so the date in the email represents the
# past 24 hours


# 5) look at the following configuration parameters and change them as
# required (mostly only SYSADMIN needs to be changed if you are a RedHat 9
# user, and probably other RedHat variants too).



# CONFIGURATION SECTION

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin

# Person to send log activity to.
SYSADMIN=you@your-email-address.com


# Full path to logtail program.
# This program is required to run this script and comes with the logcheck package.
LOGTAIL=/usr/local/bin/logtail

# Full path to the mod_security audit log.
# CHANGE this to wherever you told mod_security to put its logs.
AUDITLOG=/var/log/httpd/audit_log

# Full path to SECURED (non public writable) /tmp directory.
# Prevents race conditions and potential symlink problems. I highly
# recommend you do NOT make this a publicly writable/readable directory.
# You would also be well advised to make sure all your system/cron scripts
# use this directory for their "scratch" area.
# NOTE: the following dir should be the one you created in the DO THIS FIRST section.
TMPDIR=/usr/local/etc/modsectmp


# The 'mail' command. On most systems this should be OK to leave as is.
# If your default mail command does not support the '-s' (subject) command
# line switch you will need to change this command to one that does.
# The only system I've seen this to be a problem on are HPUX boxes.
# Naturally, HPUX is so superior to the rest of the UNIX OS's that they
# feel they need to do everything differently to remind the rest that
# they are the best ;).
#
# Linux, FreeBSD, BSDI, Sun, etc.
MAIL=mail
# HPUX 10.x and others(?)
#MAIL=mailx
# Digital OSF/1, Irix
#MAIL=Mail



# Shouldn't need to touch these...
HOSTNAME=`hostname`
DATE=`date +%m/%d/%y:%H.%M`
TMPFILE="$TMPDIR/check.$$"


# Make sure logtail is really there. Without this check a missing logtail
# would make the script silently report an empty log every day.

if [ ! -x "$LOGTAIL" ]; then
        echo "logtail not found or not executable at $LOGTAIL (it comes with the logcheck package)." \
        | $MAIL -s "mod_sec_Watch: $HOSTNAME - CONFIGURATION PROBLEM ON $DATE" "$SYSADMIN"
        exit 1
fi


# Before we begin, remove any temporary files that may somehow have
# been left over, and if we can't delete them email an alert to
# the sysadmin

umask 077
rm -f "$TMPFILE"
if [ -f "$TMPFILE" ]; then
        echo "mod_sec_Watch temporary Audit Log files in $TMPDIR directory cannot be removed.
        This may be an attempt to spoof the log checker." \
        | $MAIL -s "mod_sec_Watch: $HOSTNAME - POSSIBLE PROBLEM ON $DATE" "$SYSADMIN"
        exit 1
fi


## OK, first things first. Get the new audit log entries (logtail remembers
## where it got to on the previous run) and put them in the temp dir.

"$LOGTAIL" "$AUDITLOG" >> "$TMPFILE"


# See if the tmp file exists and actually has data to check,
# if it doesn't we should erase it and exit as our job is done.
#
# If you don't want to be emailed if there are no
# new entries then just remove the two lines relating to
# emailing. (starting echo and | )

if [ ! -s "$TMPFILE" ]; then
        rm -f "$TMPFILE"
        echo "Audit Log contained no new data" \
        | $MAIL -s "mod_sec_Watch: $HOSTNAME - Audit Log is empty on $DATE" "$SYSADMIN"
        exit 0
fi



# logically speaking, if we get to this point then there's data to be sent!
# we should therefore email it to the sysadmin

$MAIL -s "mod_sec_Watch: $HOSTNAME - Audit Log on $DATE" "$SYSADMIN" < "$TMPFILE"


# OK, we emailed the log. Now remove the temp file.

rm -f "$TMPFILE"

# that's it. the end.
#####################

