LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-30-2019, 10:19 AM   #1
newbie14
Member
Registered: Sep 2011
Posts: 614
Nginx and modsecurity logs not appearing in daily logwatch output.


The only changes I have made are the mailto and Detail = High
in this file: /usr/share/logwatch/default.conf. The problem now is that I am running nginx with ModSecurity, but I don't see the web server logs as part of the daily logwatch report that is emailed to me.
 
Old 05-30-2019, 05:36 PM   #2
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,778
Quote:
Originally Posted by newbie14
The only changes I have made are the mailto and Detail = High
in this file: /usr/share/logwatch/default.conf. The problem now is that I am running nginx with ModSecurity, but I don't see the web server logs as part of the daily logwatch report that is emailed to me.
That's a directory on my server, containing a file named logwatch.conf

From man logwatch
Code:
       The directory /usr/share/doc/logwatch-* contains several files with additional documentation:
       HOWTO-Customize-LogWatch
Logwatch conf files are typically well-documented within, but it always helps to read the directions.
Perhaps nginx log files are not where logwatch is looking for them?
 
Old 05-31-2019, 11:24 AM   #3
newbie14
Original Poster
Hi Sean,
I am not too sure about the settings in this file:
Quote:
/usr/share/logwatch/default.conf
I actually have /var/log/nginx with both access.log and error.log inside that folder. Also, in the folder /var/log/modsec I have the file audit.log. I thought logwatch would collect everything from /var/log?
 
Old 05-31-2019, 03:41 PM   #4
scasey
Senior Member
Quote:
Originally Posted by newbie14
Hi Sean,
I am not too sure about the settings in this file:
Code:
 /usr/share/logwatch/default.conf
I actually have /var/log/nginx with both access.log and error.log inside that folder. Also, in the folder /var/log/modsec I have the file audit.log. I thought logwatch would collect everything from /var/log?
I'm not sure either, that's why I pointed you to the documentation that should be in
Code:
/usr/share/doc/logwatch-*/HOWTO-Customize-LogWatch
...have you read that?
 
Old 06-02-2019, 11:32 AM   #5
newbie14
Original Poster
Hi Sean,
I have read the documentation you pointed me to, and further to that I found this link too, and this is working now, so others could benefit from it as well. But I am still looking into how to bring the ModSecurity logs into logwatch. I saw output like the one below.
Quote:
6.39 MB transferred in 781 responses (1xx 0, 2xx 531, 3xx 22, 4xx 225, 5xx 3)
94 Images (0.10 MB),
523 Content pages (5.61 MB),
1 Redirects (0.00 MB),
4 mod_proxy requests (0.00 MB),
159 Other (0.68 MB)

Connection attempts using mod_proxy:
95.213.177.123 -> check.proxyradar.com:80: 1 Time(s)
95.213.187.190 -> check.best-proxies.ru:80: 3 Time(s)

Requests with error response codes
400 Bad Request
check.best-proxies.ru:80: 3 Time(s)
check.proxyradar.com:80: 1 Time(s)
I am wondering how come in such a short span it shows 781 responses; could it be an attack? I don't quite get this mod_proxy thing.
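Logwatch does not sweep /var/log. It only reads the log file groups defined under conf/logfiles and runs the service scripts under scripts/services that a conf/services entry names (the layout HOWTO-Customize-LogWatch describes), which is why the nginx access log appeared once the http group knew about it and the ModSecurity audit log still does not. Getting /var/log/modsec/audit.log into the daily mail therefore takes a log file group, a service entry, and a script that turns the multi-line audit entries into a summary. The script below is an added example written for this thread, not code from logwatch, ModSecurity or the poster; the /etc/logwatch paths in its header, the rule ids, hosts and addresses in the constructed sample, and the output layout are all this example's assumptions. It accepts both the `--id-A--` section delimiters of ModSecurity 2.x and the `---id---A--` delimiters of libmodsecurity 3.x (the nginx connector), selects entries by the date in each entry's A section so that logwatch's default range of yesterday is honoured, and counts a rule hit once even though ModSecurity 2.x repeats each hit in an Apache-Error line.

```python
#!/usr/bin/env python3
"""Logwatch service script for the ModSecurity audit log (added example).
Assumed layout, chosen for this example rather than taken from the thread:
  /etc/logwatch/conf/logfiles/modsec.conf   LogFile = modsec/audit.log
  /etc/logwatch/conf/services/modsec.conf   Title = "ModSecurity" / LogFile = modsec
  /etc/logwatch/scripts/services/modsec     this script, mode 0755
Logwatch pipes the group's lines to STDIN and mails what the script prints.
No *Apply...Date filter is set: it would keep only the dated A line of each
multi-line entry, so entries are selected by date here instead.
"""
import os
import re
import sys
from collections import Counter
from datetime import date, datetime, timedelta

# Section boundary of ModSecurity 2.x ("--c7036611-A--") and 3.x ("---1Kj8Zr2q---A--").
BOUNDARY = re.compile(r"^-{2,3}([A-Za-z0-9]+)-{1,3}([A-Z])--\s*$")
# A section: "[day/Mon/year:time zone] transaction-id client-ip client-port server-ip server-port"
A_LINE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}):[\d:]+ [+-]\d{4}\] \S+ (\S+) \d+ \S+ \d+")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')


def parse_entries(lines):
    """Yield one dict per A..Z entry: day, client IP and (rule id, msg) hits."""
    entry = section = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = BOUNDARY.match(line)
        if m:
            section = m.group(2)
            if section == "A":
                entry = {"day": None, "client": None, "hits": []}
            elif section == "Z" and entry is not None:
                yield entry
                entry = None
            continue
        if entry is None or not line:
            continue
        if section == "A":
            a = A_LINE.match(line)
            if a:
                entry["day"] = datetime.strptime(a.group(1), "%d/%b/%Y").date()
                entry["client"] = a.group(2)
        elif section == "H" and line.startswith(("Message:", "ModSecurity:")):
            rid = RULE_ID.search(line)  # 2.x repeats hits in Apache-Error: lines; skip those
            if rid:
                msg = RULE_MSG.search(line)
                entry["hits"].append((rid.group(1), msg.group(1) if msg else ""))


def summarize(lines, date_range="yesterday", today=None):
    """Count rule hits and clients; range yesterday/today as logwatch does, else all."""
    today = datetime.strptime(today, "%Y-%m-%d").date() if isinstance(today, str) else (today or date.today())
    keep = {"today": today, "yesterday": today - timedelta(days=1)}.get(date_range)
    s = {"total": 0, "by_rule": Counter(), "rule_msg": {}, "by_client": Counter()}
    for e in parse_entries(lines):
        if keep is not None and e["day"] != keep:
            continue
        s["total"] += 1
        s["by_client"][e["client"]] += 1
        for rid, msg in e["hits"]:
            s["by_rule"][rid] += 1
            s["rule_msg"].setdefault(rid, msg)
    return s


def render(s):
    """Plain text in the style of the other logwatch sections."""
    out = ["%d audit entries" % s["total"], "\nRule hits:"]
    for rid, n in s["by_rule"].most_common():
        out.append("   %s %s: %d Time(s)" % (rid, s["rule_msg"][rid], n))
    out.append("\nClients:")
    for ip, n in s["by_client"].most_common():
        out.append("   %s: %d Time(s)" % (ip, n))
    return "\n".join(out)


# Constructed sample in the 3.x native format, rule messages abbreviated.
SAMPLE = """\
---1Kj8Zr2q---A--
[01/Jun/2019:23:58:10 +0000] 155939989012.345678 203.0.113.5 50422 192.0.2.10 80
---1Kj8Zr2q---B--
GET /phpmyadmin/ HTTP/1.1

---1Kj8Zr2q---H--
ModSecurity: Warning. Matched "Operator PmFromFile" [file "REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "2"]
ModSecurity: Access denied with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"]
---1Kj8Zr2q---Z--
---7dQwPz0m---A--
[01/Jun/2019:23:59:30 +0000] 155939997012.112233 198.51.100.7 41000 192.0.2.10 80
---7dQwPz0m---H--
ModSecurity: Warning. detected SQLi using libinjection [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"]
---7dQwPz0m---Z--
---3xTmQa9v---A--
[02/Jun/2019:00:01:00 +0000] 155940006012.556677 198.51.100.7 41002 192.0.2.10 80
---3xTmQa9v---H--
ModSecurity: Warning. Matched "Operator PmFromFile" [file "REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "2"]
---3xTmQa9v---Z--
"""

if __name__ == "__main__":
    if sys.stdin.isatty():  # no log piped in: demo with the sample over all dates
        print(render(summarize(SAMPLE.splitlines(), "all")))
    else:  # under logwatch: honour the range it exports to service scripts
        print(render(summarize(sys.stdin, os.environ.get("LOGWATCH_DATE_RANGE", "yesterday").lower())))
```

To check the wiring before waiting for the nightly mail, run `logwatch --service modsec --range all --print` (or `--range today`); the summary should appear under the "ModSecurity" title. If it comes out empty while the file has entries, the usual causes are a LogFile path that does not match the real location under /var/log, or the log being written in the JSON audit format (SecAuditLogFormat JSON), which this parser does not read.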
 
Old 06-02-2019, 12:46 PM   #6
scasey
Senior Member
Is that the first part of the httpd section? For yesterday, mine says:
Code:
1656.77 MB transferred in 14239 responses  (1xx 0, 2xx 10006, 3xx 1092, 4xx 3139, 5xx 2)
That means the web server responded to 14239 httpd requests, of which 10006 were found, 1092 were redirects, 3139 were not found (this is where requests for phpmyadmin would be counted) and 2 were forbidden.

I seldom peruse the detail listings of the "Requests with error response codes" -- only if something is not working as it should.
 
Old 06-02-2019, 01:03 PM   #7
newbie14
Original Poster
Hi Sean,
What do you mean by
Quote:
I seldom peruse the detail listings of the "Requests with error response codes" -- only if something is not working as it should.
So how will these logs help? Do you have people attempting the mod_proxy thing? Is there anything else I should be on the lookout for and be alerted to via these nginx logs?
 
Old 06-02-2019, 03:15 PM   #8
scasey
Senior Member
Quote:
Originally Posted by newbie14
Hi Sean,
What do you mean by
Quote:
I seldom peruse the detail listings of the "Requests with error response codes" -- only if something is not working as it should.
So how will these logs help? Do you have people attempting the mod_proxy thing? Is there anything else I should be on the lookout for and be alerted to via these nginx logs?
Exactly what I said. (Presuming still that we're talking about the httpd section of the Logwatch email...you didn't answer that question) In that example there are 3141 "Requests with error response codes"; 3139 of those are "not found" errors. Those are typically some lowlife attempting to find access to a file or directory that doesn't exist, like a phpmyadmin directory or a wp-admin file on a non-WordPress site. There is A) no real harm in those responses and B) nothing to be done to prevent them, short of unplugging the CAT-5 cable, so I seldom even look at them. If something's not working as it should, then the answer might be in that listing, but in those cases I've probably already used the httpd error logs to figure out the problem, so reading the entries in the Logwatch report the next day is also (to me) unnecessary.

Now, I know these things because I used to read the entire email every day. I'm not saying you shouldn't do that. I'm just saying you need to understand that a reported cracking attempt or "error response" listing in Logwatch is not necessarily an indicator of a problem that needs your attention.
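The 781-response line and the per-status listing in the report earlier in the thread come from logwatch's stock http service walking the nginx access log. As an added example, not part of this thread and not logwatch's own code, here is a short Python triage of the same "combined" format nginx writes by default. It separates the status classes the way the summary line does; lists the clients that asked this server to fetch a third-party URL (the entries the report labels mod_proxy: an absolute http:// request target or a CONNECT, which is an open-proxy probe and, as the poster's listing shows, answered with 400); flags clients that collect 404s on paths such as /phpmyadmin or /wp-login.php, which is the scanning noise the post above describes and safe to ignore; and keeps 5xx apart because those are failures on the server side, not refused or missing resources, and deserve a look even when the count is small. The sample lines, the watch-list of probe paths, the threshold of five hits and the status values on the constructed lines are this example's assumptions; the two proxy-check hostnames are the ones named in the thread's report.

```python
#!/usr/bin/env python3
"""Triage of an nginx access log in the default "combined" format (added example)."""
import re
import sys
from collections import Counter, defaultdict

# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                  r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')
# Paths a site that does not run these apps is never legitimately asked for;
# a client collecting 404s on them is enumerating. (Constructed watch-list.)
PROBE_PATHS = ("/phpmyadmin", "/pma", "/wp-login.php", "/wp-admin", "/xmlrpc.php", "/.env", "/.git")


def parse(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["target"] = parts[1] if len(parts) > 1 else ""
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # CONNECT or an absolute-URI target means the client used us as a forward
    # proxy (what the logwatch report calls mod_proxy); keep the host it asked for.
    if rec["method"] == "CONNECT":
        rec["proxy_host"] = rec["target"]
    elif rec["target"].startswith(("http://", "https://")):
        rec["proxy_host"] = rec["target"].split("/", 3)[2]
    else:
        rec["proxy_host"] = None
    return rec


def triage(lines, probe_threshold=5):
    """Summarize status classes, proxy probes, 404 scanners and error paths."""
    s = {"responses": 0, "bytes": 0, "unparsed": 0, "classes": Counter(),
         "proxy": Counter(), "errors": defaultdict(Counter), "scanners": {}}
    probes = defaultdict(Counter)  # client -> watch-list path -> 404 count
    for line in lines:
        rec = parse(line)
        if rec is None:
            s["unparsed"] += 1
            continue
        s["responses"] += 1
        s["bytes"] += rec["bytes"]
        s["classes"][rec["status"][0] + "xx"] += 1
        if rec["proxy_host"]:
            s["proxy"][(rec["client"], rec["proxy_host"])] += 1
        path = rec["target"].split("?", 1)[0]
        if rec["status"] >= "400":  # 4xx and 5xx: per-status path counts
            s["errors"][rec["status"]][path] += 1
        if rec["status"] == "404" and path.lower().startswith(PROBE_PATHS):
            probes[rec["client"]][path] += 1
    s["scanners"] = {ip: c for ip, c in probes.items() if sum(c.values()) >= probe_threshold}
    return s


def render(s):
    """Text in the style of the logwatch httpd section."""
    c = s["classes"]
    out = ["%.2f MB transferred in %d responses  (1xx %d, 2xx %d, 3xx %d, 4xx %d, 5xx %d)" % (
        s["bytes"] / 1048576, s["responses"], c["1xx"], c["2xx"], c["3xx"], c["4xx"], c["5xx"])]
    if s["proxy"]:
        out.append("\nClients that asked this server to proxy for them (open-proxy probes):")
        for (ip, host), n in s["proxy"].most_common():
            out.append("   %s -> %s: %d Time(s)" % (ip, host, n))
    if s["scanners"]:
        out.append("\nClients enumerating known admin paths (404s on the watch-list):")
        for ip, c4 in s["scanners"].items():
            out.append("   %s: %d probes, e.g. %s" % (ip, sum(c4.values()), ", ".join(sorted(c4)[:3])))
    if any(st >= "500" for st in s["errors"]):
        out.append("\nServer-side errors (5xx), worth a look at any volume:")
        for st in sorted(st for st in s["errors"] if st >= "500"):
            for path, n in s["errors"][st].most_common():
                out.append("   %s %s: %d Time(s)" % (st, path, n))
    if s["unparsed"]:
        out.append("\n%d line(s) did not match the combined format" % s["unparsed"])
    return "\n".join(out)


# Constructed sample; the two proxy-check hosts are the ones named in the thread's report.
SAMPLE = [
    '203.0.113.5 - - [01/Jun/2019:23:50:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jun/2019:23:50:02 +0000] "GET /pma/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jun/2019:23:50:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jun/2019:23:50:04 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jun/2019:23:50:05 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jun/2019:23:51:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0"',
    '198.51.100.7 - - [01/Jun/2019:23:51:12 +0000] "GET /about HTTP/1.1" 200 2048 "https://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0"',
    '198.51.100.7 - - [01/Jun/2019:23:51:40 +0000] "GET /admin HTTP/1.1" 403 169 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0"',
    '95.213.177.123 - - [01/Jun/2019:23:52:00 +0000] "GET http://check.proxyradar.com:80/ HTTP/1.1" 400 166 "-" "-"',
    '95.213.187.190 - - [01/Jun/2019:23:52:30 +0000] "GET http://check.best-proxies.ru:80/ HTTP/1.1" 400 166 "-" "-"',
    '95.213.187.190 - - [01/Jun/2019:23:52:31 +0000] "CONNECT check.best-proxies.ru:80 HTTP/1.1" 400 166 "-" "-"',
    '192.0.2.33 - - [01/Jun/2019:23:55:00 +0000] "GET /api/report HTTP/1.1" 502 157 "-" "curl/7.64.0"',
    '192.0.2.33 - - [01/Jun/2019:23:55:01 +0000] "GET /old-page HTTP/1.1" 301 178 "-" "curl/7.64.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    src = SAMPLE if sys.stdin.isatty() else (l.rstrip("\n") for l in sys.stdin)
    print(render(triage(src)))
```

Run it as `python3 triage.py < /var/log/nginx/access.log` (or against the rotated file from yesterday). The point of the split is that the three groups call for different reactions: proxy probes and watch-list scanning are background noise to be aware of, not acted on, exactly as the post above says; a 5xx on a path you serve is an application or upstream fault to chase in error.log; and a 4xx burst on paths you actually publish, which this script does not flag on its own, is the case worth reading the per-status listing for.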
 
Old 06-02-2019, 11:23 PM   #9
newbie14
Original Poster
Hi Sean,
Yes, we are still talking about the httpd section, but in this case it's nginx.
Quote:
(Presuming still that we're talking about the httpd section of the Logwatch email...you didn't answer that question)
I don't get which question you mean that I did not answer; sorry, maybe I missed something there.
How do you do this?
Quote:
I've probably already used the httpd error logs to figure out the problem,
Because there are many entries, what tool do you use to highlight or alert on this?
 