
Question auditlog needs 100% CPU utilization

TomE

Hello all,

Recently I have had the problem that the CPU load goes to 100% and doesn't go down by itself. In the process list I see 98% CPU usage by "auditlog". After restarting the server everything is OK for 1-2-3 days and then it starts again.

What can I do? I am grateful for every tip.

Regards, Tom
 
auditlog is the process of ModSecurity. I'd suggest you try to troubleshoot this behaviour with the help of ModSecurity logs:
  • /var/log/modsec_audit.log
  • /var/www/vhosts/<domain_name>/logs/error_log
Most probably there is an attack on one of your sites on the Plesk server.
 
Hi Igor,

thanks for your answer.

That's what I thought too. ModSecurity is running, but modsec_audit.log is only between 0-10kb, with minimal entries. The error_logs of the individual domains are also only max. 8MB, and there is not really anything to see that indicates large occurrences. I have this much worse on another server and no problems with auditlog there.

I have deactivated modsec now and will watch over the next days, but unfortunately that is not a solution, because I would like to leave it running.

Maybe another idea I can follow up?

Thanks and regards, Tom
 
Hi Igor,

thanks for your support!

I have deactivated modsec and after 4 days it is the same again: CPU load at 100%, of which 96.2% is auditlog :( The CPU load is so high that I cannot even work with Plesk. Only a restart helps, but also only for a few days.

In the logfiles I don't see anything out of the ordinary, only some of these:

Apr 16 16:05:02 localhost systemd: Started Session 1461 of user psaadm.
Apr 16 16:05:08 localhost systemd: Removed slice User Slice of psaadm.
Apr 16 16:06:01 localhost systemd: Created slice User Slice of psaadm.
Apr 16 16:06:01 localhost systemd: Started Session 1462 of user psaadm.
Apr 16 16:06:02 localhost systemd: Removed slice User Slice of psaadm.
Apr 16 16:09:01 localhost systemd: Created slice User Slice of psaadm.
.......

They are new ... could this have something to do with it?

What else could I try?

Thanks and regards, Tom
 
Could you please show an excerpt from your process list where "auditlog" has the high CPU usage? Have you tried to run strace on that process to see what it is doing while it is consuming so much CPU power?
 
Now I have the same problem. I already tried to change my ModSecurity rule set, but no improvement. I have the same problems as the original poster. Maybe someone can help me.

Unfortunately my English is very bad, so I can only read / write this with a translator.
Thanks in advance for the help


 
We've seen a lot of these issues with the Comodo ruleset. It's been so bad on one machine that the (12 core) machine went down within seconds after certain rules were met. After switching back to Atomic the issue was resolved.
 
IMHO, ModSecurity was more trouble than it's worth. I am not enabling it on the new server.
Even if you eventually configure it correctly, it still blocks lots of legitimate requests.
 