
Mod_security log trouble

WillyN

New Pleskian
Hello,

I noticed that to get Mod_security writing to its modsec_audit.log I need to stop and restart Mod_security.

Once started the log file grows explosively.

I use logrotate to rotate the modsec_audit.log every 24 hours, placing the following in /etc/logrotate.conf
Code:
/var/log/modsec_audit.log {
missingok
daily
rotate 4
compress
}

This works fine, but to make Mod_security start writing to the new modsec_audit.log I need to manually restart Mod_security.

Two questions:
- What can be done to avoid having to manually restart Mod_security on a daily basis?
- What can I do to reduce the amount of info Mod_security writes to its modsec_audit.log?

Greetings.
 
Plesk logrotate already has a record for modSecurity:
Code:
# cat /etc/logrotate.d/mod_security 
/var/log/modsec_audit.log {
	daily
	rotate 7
	missingok
	compress
	postrotate
		/etc/init.d/apache2 reload > /dev/null 2>/dev/null || true
	endscript
}
and I suppose that apache reload is enough, because I have no such problem with modsecurity log.
 
On my server there's no such record.

It seems true that an apache-restart makes mod_security start logging. I don't like to have to restart apache, I'd rather have a cleaner method. The logical way seems to me that writing continues on the newly created modsec_audit.log.

And how about restricting what is written to the modsec_audit.log?
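
Why logging stops until a reload, as an added example that is not part of the thread: after rotation the server keeps its open descriptor on the renamed file until it reopens its logs. The sketch below lists such stale descriptors for a PID; the function names are hypothetical, it assumes Linux /proc and GNU stat, and the demo uses the shell itself as a stand-in for Apache.

```shell
#!/bin/sh
# Added example (not from the thread). Linux only: needs /proc and GNU stat.

# stale_log_fds PID LOGFILE
# Lists fds of PID that point at LOGFILE or a rotated/deleted copy of it
# but no longer share an inode with the file now at LOGFILE.
# Exit status: 0 = stale descriptor found (reload needed), 1 = none.
stale_log_fds() {
    slf_pid=$1
    slf_log=$(readlink -f "$2" 2>/dev/null || echo "$2")
    slf_cur=$(stat -Lc '%d:%i' "$slf_log" 2>/dev/null || echo missing)
    slf_rc=1
    for slf_fd in /proc/"$slf_pid"/fd/*; do
        slf_target=$(readlink "$slf_fd" 2>/dev/null) || continue
        case $slf_target in
            "$slf_log"*) ;;      # log, log.1, "log.1 (deleted)"
            *) continue ;;
        esac
        if [ "$(stat -Lc '%d:%i' "$slf_fd" 2>/dev/null)" != "$slf_cur" ]; then
            echo "pid $slf_pid fd ${slf_fd##*/} -> $slf_target"
            slf_rc=0
        fi
    done
    return $slf_rc
}

# Constructed demo: this shell stands in for Apache holding the audit log open.
demo_rotation() {
    demo_dir=$(mktemp -d) || return 2
    demo_log=$demo_dir/modsec_audit.log
    exec 9>>"$demo_log"                  # "Apache" opens the log
    mv "$demo_log" "$demo_log.1"         # logrotate renames it...
    : > "$demo_log"                      # ...and a fresh file appears
    echo "entry after rotation" >&9      # the writer still uses the old inode
    demo_before=$(stale_log_fds $$ "$demo_log") || true
    exec 9>>"$demo_log"                  # what the postrotate reload achieves
    demo_after=$(stale_log_fds $$ "$demo_log") || true
    demo_old=$(cat "$demo_log.1")
    exec 9>&-
    rm -rf "$demo_dir"
    echo "before reload: ${demo_before:-none}"
    echo "after reload:  ${demo_after:-none}"
    [ -n "$demo_before" ] && [ -z "$demo_after" ] &&
        [ "$demo_old" = "entry after rotation" ]
}

demo_rotation
```

Against a live server, run `stale_log_fds` as root with the Apache parent PID and `/var/log/modsec_audit.log`; any line of output means entries are still going to the rotated file.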
 