Rotate ModSecurityIIS 2.7.7 audit log using rotatelogs.exe or cronolog.exe

[saymne]

Hi,

I successfully installed and configured last version of ModSecurtiyIIS that I found via link http://comments.gmane.org/gmane.comp.apache.mod-security.user/11184

I used 64-bit installer.

My environment: Windows 2008 Server R2 Standard; IIS 7.5

I want to set log rotation for my ModSecurityIIS audit log on daily level. I set following in modsecurity.conf:

SecAuditEngine On
SecAuditlogParts ABIJDEFHZ
SecAuditLogType Serial

I tried five different values for SecAuditLog:

1. SecAuditLog "C:\waf\logs\modsec_audit.log"
2. SecAuditLog "|C:\waf\rotatelogs.exe C:\waf\logs\modsec_audit.log 86400"
3. SecAuditLog "|C:/waf/rotatelogs.exe C:/waf/logs/modsec_audit.log 86400"
4. SecAuditLog "|C:\waf\cronolog.exe C:\waf\logs\modsec_audit.log"
5. SecAuditLog "|C:/waf/cronolog.exe C:/waf/logs/modsec_audit.log"

Case 1 is working - audit log file is created and records exist.

Cases 2,3,4 and 5 are not working. In debug log (level 9) I receive information:

Audit log: Skipping request since there is nowhere to write to.

In event log (application) i receive following for case 2 (same message is for cases 3,4 and 5 - just value for SecAuditLog is different):

Syntax error in config file C:\Program Files\ModSecurity IIS\modsecurity.conf, line 198: ModSecurity: Failed to open the audit log pipe: C:\waf\rotatelogs.exe C:\waf\logs\modsec_audit.log 86400

Please help - does ModSecurtiyIIS 2.7.7 from above link can work with rotatelogs.exe and cronolog.exe? If answer is yes how to set that? If answer is no is there any alternative to set log rotation for audit log of ModSecurity IIS 2.7.7.

Thank you in advance.

Best regards,
Sasa

[saymne]

Any update?

[neosdutertre]

Hi there,
did you get any information or succeed in log rotation ?

Thanks,
Stephane

[saymne]

Hi,

I didn't get any info about this issue.

Br,
Sasa

[neosdutertre]

thanks for saying.
Too bad it stayed w/o response since one year ...

[zimmerle]

Hi @sayme and @neozure,

There is a branch with some debug code regarding the utilization of mlogc on windows:

https://github.com/SpiderLabs/ModSecurity/tree/testing_win_mlogc

It seems to be a problem regarding permission, however, i was not able to identify. It will be helpful to know if there is an older version of ModSecurity or Windows where this functionality works fine?

[saymne]

Hi,

I used ModSecurity for older and one of latest apach version under windows 2003 server / windows 2008 server and rotatelogs was working fine. I can send you info about these versions if that is required.

Br,
Sasa

[zimmerle]

Hi @saymne,

if you can send me details it will be awesome. ModSecurity uses apr methods to fork and pipe process. Most likely this problem was caused by a change on apr that needs some fix on our side.

[saymne]

Hi,

Rotatelogs is working with following versions:

1. Mod Security2 2.8.0 for Apache 2.2.x on Windows 2008 Server (64-bit)
2. Mod Securtiy2 2.5.13 for Apache 2.0.x on Windows 2003 Server (64-bit)

I hope this information will help.

[victorhora]

Rotatelogs on Windows should be working fine as of v2.8.0. If there's still any problems, please reopen the issue.

[Crusnik-02]

Not working also at apache mod v.2.9.2 - apache fail to load with directive like in case 2-3.