Resolved Empty ModSecurity Log File

[othmaqsa]

Server operating system version

Ubuntu 20.04.5 LTS

Plesk version and microupdate number

18.0.49 #2

Hello,

When I try to check the logs in ModSecurity Log File or Logs Archive, it shows a blank page, it doesn't show any logs.

Firewall mode : Detection only

 

[Peter Debik]

A similar issue was recently reported in the Facebook group. The solution there was that no logs existed, hence none were shown. Have you checked that there are actually log entries, e.g. by checking the access_ssl_log and error_log files in the /logs directory?

 

[othmaqsa]

Hello @Peter Debik ,

I have tried to visit https://example.com/aphpfilethatdonotexist.php?something=../../etc to trigger the error code 403, but what I don't understand is the 404 error being triggered instead of 403.. as if ModSecurity is not working.

 

[Peter Debik]

ModSecurity is not responding to non-existent files. Can you reproduce the issue with a scenario where an existing file is used?

 

[othmaqsa]

Same problem, Log file still empty.

Do I need to wait at least 24H before checking the Mod Sec Log File ?

 

[othmaqsa]

ModSecurity is not responding to non-existent files. Can you reproduce the issue with a scenario where an existing file is used?

@Peter Debik
I have just checked now, and the log still empty.

Maybe the reason because I'm in detect only mode ?

 

[Peter Debik]

It needs to be checked in detail. Have you seen this other thread with a similar issue?

Resolved - Mod Security Log Files Empty

Hi, i have noticed that my mod security Log Files are empty. Nothing happens there. I restartet, stop & started, disabled, reenabled, changed Modus - nothing. System: Plesk Onyx 17.5.3 Debian 8.9 And via SSH it sais, that Service is running. Any Ideas? Could it be something with Cron Job?

talk.plesk.com

 

[othmaqsa]

It needs to be checked in detail. Have you seen this other thread with a similar issue?

Resolved - Mod Security Log Files Empty

Hi, i have noticed that my mod security Log Files are empty. Nothing happens there. I restartet, stop & started, disabled, reenabled, changed Modus - nothing. System: Plesk Onyx 17.5.3 Debian 8.9 And via SSH it sais, that Service is running. Any Ideas? Could it be something with Cron Job?

talk.plesk.com

Hello @Peter Debik ,

I have tried this cmd:

cd /var/log/modsecurity/audit/
Output: -bash: cd: /var/log/modsecurity/audit/: No such file or directory

 

[othmaqsa]

Also, what is the exact name of the config file of Modsecurity for nginx to check the file if exist or not ?

 

[Peter Debik]

I am afraid that this is not leading to anywhere at the moment, but we need to come to a solution. I suggest that you open a ticket with Plesk support so that the resolution path gets more focused and an engineer can look onto your server directly to find out what is going on.

How to get support directly from Plesk?

Question How to get support directly from Plesk? Answer Lease-type Plesk licenses purchased directly from Plesk running on supported Plesk version include full free support. Perpetual-type license...

support.plesk.com

 

[othmaqsa]

@Peter Debik , I have a good news.

Some Logs are showing currently since 2 days. So normally, the ModSec is working now.

Another question please:

In the Predefined set of values:
When I set "Fast" : Few logs is logged.
When I set "Tradeoff" : A lot of logs is logged with some error and false positive.

If I keep FAST, maybe few attacks will be blocked by ModSec, and other attacks not.
If I keep TRADEOFF, I have to sort out the rules that block plugins on Wordpress but normally the server will be more protected.

What is the best solution in your opinion?

 

[Peter Debik]

For a Wordpress site I believe that "fast" will do. Instead, apply all security options from the "Security" link in WP Toolkit.

 

[othmaqsa]

For a Wordpress site I believe that "fast" will do. Instead, apply all security options from the "Security" link in WP Toolkit.

Perfect. Thank you @Peter Debik