
Issue ModSecurity Atomicorp not logging to modsec_audit.log

Jonathan B

New Pleskian
Server operating system version: AlmaLinux 8.10
Plesk version and microupdate number: Plesk Obsidian 18.0.70. #2
Hi guys, I have Plesk installed on AlmaLinux 8.10 (Cerulean Leopard) with Plesk Obsidian 18.0.70.

For some days now, ModSecurity (Atomicorp) has not been logging events for some domains to the modsec_audit.log file.
However, the WAF is working correctly, as its actions are clearly shown in the error_log files of the individual websites.

Is anyone else experiencing this problem?
 
Thank you but no, it is active.
In the website's error logs, ModSecurity logs with 403 errors returned to the client are present.

For example: ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/20_asl_useragents.conf"] [line "187"] [id "332039"] [rev "4"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests). Disable this rule if you use python-requests/. "] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "python-requests/" at REQUEST_HEADERS:user-agent. [hostname "www.xxx.it"] [uri "/"] [unique_id "aGywK5m3yJdd8tXr1OmVmAAAAII"]

The issue is only present in the main log (modsec_audit.log), which remains empty.

A few days ago there was an error with the ModSecurity rules update; since it disappeared, this problem started.
 
Thank you for the confirmation. Could you please try executing the following commands:

/usr/local/psa/admin/bin/modsecurity_ctl -d
/usr/local/psa/admin/bin/modsecurity_ctl -e

This action should recreate the ModSecurity configuration and, hopefully, sort the entry logging issue.
 
Thank you very much, but this operation didn't solve the problem. I still see the error log, but not the detailed logs in modsec_audit.log.

By any chance, do you know which configuration file contains the directives for writing to the modsec_audit.log file?
 
Thank you very much, but searching for SecAuditLog also led to nothing, everything looks okay, and there are no directives with "off".
For now, I will keep the system as it is since the WAF is working correctly, and I hope a future update will resolve it automatically.
 