Nginx and modsecurity logs not appearing in daily logwatch output.
The only changes I have made are the mailto and Detail = High
in this file /usr/share/logwatch/default.conf. The problem now is that I am running nginx with modsecurity but I don't see the webserver logs as part of the daily logwatch which is emailed to me.
That's a directory on my server, containing a file named logwatch.conf
From man logwatch:
Code:
The directory /usr/share/doc/logwatch-* contains several files with additional documentation:
HOWTO-Customize-LogWatch
Logwatch conf files are typically well-documented within, but it always helps to read the directions.
Perhaps nginx log files are not where logwatch is looking for them?
Hi Sean,
I am not too sure on the settings in this file:
Quote:
/usr/share/logwatch/default.conf
I actually have /var/log/nginx with both access.log and error.log inside this folder. Also in the folder /var/log/modsec I have the file audit.log. I thought logwatch would collect everything from /var/log?
I'm not sure either, that's why I pointed you to the documentation that should be in
and this to be working now so others could benefit from this too, but I am still looking into how to bring modsecurity logs into logwatch. I saw something like the output below.
That means the web server responded to 14239 httpd requests, of which 10006 were found, 1092 were redirects, 3139 were not found (this is where requests for phpmyadmin would be counted) and 2 were forbidden.
I seldom peruse the detail listings of the "Requests with error response codes" -- only if something is not working as it should.
So how will these logs help? Do you have people attempting the mod_proxy? Anything else I should be on the lookout for and be alerted to via these nginx logs?
Exactly what I said. (Presuming still that we're talking about the httpd section of the Logwatch email... you didn't answer that question.) In that example there are 3141 "Requests with error response codes"; 3139 of those are "not found" errors. Those are typically some lowlife attempting to find access to a file or directory that doesn't exist, like a phpmyadmin directory or a wp-admin file on a non-WordPress site. There is A) no real harm in those responses and B) nothing to be done to prevent them, short of unplugging the CAT-5 cable, so I seldom even look at them. If something's not working as it should, then the answer might be in that listing, but in those cases I've probably already used the httpd error logs to figure out the problem, so reading the entries in the Logwatch report the next day is also (to me) unnecessary.
Now, I know these things because I used to read the entire email every day. I'm not saying you shouldn't do that. I'm just saying you need to understand that a reported cracking attempt or "error response" listing in Logwatch is not necessarily an indicator of a problem that needs your attention.
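As an added example (not code from the thread or from the logwatch project), here is a small logwatch-style service script in Python: logwatch hands a service script the matching log lines on stdin, and this one tallies nginx access-log status codes into the found / redirects / not found / forbidden summary described above, listing the 404 paths only when Detail is High so the noisy "not found" probes can be spot-checked without reading them every day. The access-log lines are constructed for the stand-alone run; the detail argument is an assumption standing in for logwatch's own Detail setting.

```python
#!/usr/bin/env python3
"""Logwatch-style service script: summarise nginx combined-format access logs from stdin."""
import re
import sys
from collections import Counter

# Combined log format: client ident user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Buckets mirror the httpd summary in the thread (found, redirects, not found, forbidden).
BUCKETS = {
    "found": lambda s: 200 <= s < 300,
    "redirects": lambda s: 300 <= s < 400,
    "not found": lambda s: s == 404,
    "forbidden": lambda s: s == 403,
}

def summarize(lines):
    """Return (counts, not_found_paths) for an iterable of access-log lines."""
    counts, not_found = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        _client, _method, path, status = m.groups()
        status = int(status)
        counts["total"] += 1
        for name, test in BUCKETS.items():
            if test(status):
                counts[name] += 1
        if status == 404:
            not_found[path] += 1  # what the 404 probes were asking for
    return counts, not_found

def report(counts, not_found, detail="High"):
    """Render the summary; the 404 detail listing appears only at Detail = High."""
    out = [f"Requests: {counts['total']}"]
    out += [f"  {name}: {counts[name]}" for name in BUCKETS]
    if detail == "High" and not_found:
        out.append("Requests with 404 responses (most frequent first):")
        out += [f"  {path}: {n}" for path, n in not_found.most_common(10)]
    return "\n".join(out)

# Constructed sample lines (not taken from the thread) so the script runs stand-alone.
SAMPLE = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /old HTTP/1.1" 301 0 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "-"
192.0.2.7 - - [10/Oct/2023:13:57:10 +0000] "GET /private/ HTTP/1.1" 403 0 "-" "-"
""".splitlines()

if __name__ == "__main__":
    print(report(*summarize(SAMPLE if sys.stdin.isatty() else sys.stdin)))
```

Piped a real access log (for example `cat /var/log/nginx/access.log | python3 this_script.py`) it produces the same summary over that file.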