Apache/ModSecurity issue. Invalid command 'SecAuditLogFormat' error

needhelppp

Hello. I have this major issue here, and I don't know where else to ask.
I have updated Apache, and all the mess started. I played around with various settings, nothing helped.

I had to REINSTALL the DirectAdmin server, and I already have websites stalled and email not working. Everything is stuck because Apache won't start anymore. It seems that happened (I noticed after the reinstall) after installing ModSecurity and the Comodo ruleset.

It gives me error:
httpd[602792]: AH00526: Syntax error on line 12 of /etc/httpd/conf/extra/httpd-modsecurity.conf:
httpd[602792]: Invalid command 'SecAuditLogFormat', perhaps misspelled or defined by a module not included in the server configuration

The line 12 in that file is: SecAuditLogFormat JSON

I tried to find out more about this error, but could not find anything useful.
Found this (about Nginx):

I have tried to rewrite the Apache configs, but then all this just keeps LOOPING until I kill the process (I guess it's because Apache is not running?).
Also, some of the builds are getting stuck too. Not sure what is going on. They get stuck, and I have to reload the page, and then I'm not sure if it finished or not... Weird stuff.

I have set the modsecurity to yes
and modsecurity_ruleset to comodo

And Build (or at least tried) the Build LibModSecurity (3.0.4), Build ModSecurity (2.9.3) and Build ModSecurity Rules.
Do I need all 3 of these builds?

Please give advice on what to do, everything is stopped, I cannot continue any of my work. It seems like a software bug. Please help!

Thank You.
 
Try:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build modsecurity

If it does not help, it means your system is missing the yajl-devel package for some reason.
 
Hey, Martynas! I have tried these commands earlier. They did not help.
How would one install that yajl-devel package, to check if it helps?

At this point I have restored the VPS from backup, but I would investigate further in the future.

Thanks.
 
Hi.
So now, after VPS restoration from backup, I again have these updates available in CustomBuild:
Nghttp2 - 1.40.0 -> 1.41.0
PCRE2 - 10.34 -> 10.35
AWstats - 7.7 -> 7.8
Exim - 4.93.0.4 -> 4.94
exim.conf - 4.5.23 -> 4.5.25
PHP 7.3 - 7.3.18 -> 7.3.19

One of these updates will mess up the system (Apache/ModSecurity) again. How do I avoid that?

And you were right, my DA server did not have that package you mentioned. Any ideas why? Maybe more people will have/are having the same issue?
Installed:
yajl-devel.x86_64 0:2.0.4-4.el7
Dependency Installed:
yajl.x86_64 0:2.0.4-4.el7

What would be my next move?

Thank You!
 
I have the same issue.
I installed yajl, did the build modsecurity and rewrite confs, but the issue remains.

Jul 03 09:12:09 xxxxx httpd[430994]: AH00526: Syntax error on line 12 of /etc/httpd/conf/extra/httpd-modsecurity.conf:
Jul 03 09:12:09 xxxxx httpd[430994]: Invalid command 'SecAuditLogFormat', perhaps misspelled or defined by a module not included in the server configuration
Jul 03 09:12:09 xxxxx systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 03 09:12:09 xxxxx systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 03 09:12:09 xxxxx systemd[1]: Failed to start The Apache HTTP Server.
Jul 03 09:13:01 xxxxx systemd[1]: httpd.service: Unit cannot be reloaded because it is inactive.

How can I fix this?
 
Was it yajl-devel? CentOS 6? If it's CentOS 6, the one you installed is too old, and CB needs to be used for it.
 
I'm experiencing the same issue - Invalid command 'SecAuditLogFormat', perhaps misspelled or defined by a module not included in the server configuration.
So for now, I've set mod_security=no and rebuilt Apache.
But that's a workaround to keep Apache working. That's not a real solution.
 
I am not sure why no one created a ticket on this yet :) Are you sure you rebuilt modsecurity?
 
The first (and restored) server is CentOS 7. I had tried to reinstall everything on CentOS 8, but got stuck with the same issue, so I had to restore a VPS. So the problem is on CentOS 7 and CentOS 8 as well.

I replied to an old ticket of mine, telling about my issue and that I'm sure there are/will be more people with the same problem, but I was told that my license does not have support included... I have 2 personal licenses, apparently that is not good enough to report issues and get assistance. I assume others have the same reasons.

P.S. I have not installed yajl-devel on CentOS 8, at that point I did not know that this might be a solution, so I cannot confirm if it fixes the issue on CentOS 8.
I have installed it on CentOS 7 now, but another person said that does not help, so I'm afraid to update these things:
Nghttp2 - 1.40.0 -> 1.41.0
PCRE2 - 10.34 -> 10.35
AWstats - 7.7 -> 7.8
PHP 7.3 - 7.3.18 -> 7.3.19
(I have updated Exim successfully).
 
I’ll make you an exception to report what it was. PM me the details. I am almost sure “./build modsecurity” should fix it, but we will see.
 
I've rebuilt modsecurity, I've rebuilt apache.
No luck.

I even removed the custombuild directory files, just kept the build and options.conf files, ran ./build update and then ./build apache.

Again, no luck.

So now I'm back to 'only apache' with no modsecurity.
 
PM me as well if you wish :)
 
I have PM'ed, not sure if you have received those messages? What other info could I provide to find out what the issue here is?
 
I had no access information in those PMs, so I couldn't assist without it.

The other cases PMed were CentOS 6, and they had yajl-devel installed manually, not through CB.

So, a fix was as simple as:
Code:
rpm -e yajl-devel yajl
cd /usr/local/directadmin/custombuild
./build update
./build modsecurity

I think most of you run CentOS 6? :)
 
We just had a similar issue on CentOS 7 servers. After upgrading to Apache 2.4.20 ModSecurity suddenly broke. This didn't happen on CentOS 8. As we were in a hurry (this was a mass-upgrade on all our servers), I removed SecAuditLogFormat and restarted httpd.

We don't have yajl or yajl-devel on these servers.

SecAuditLogFormat is also in the default configuration. That worries me.
 
I think I get it now. Not too happy about the chosen implementation though.

We're running our upgrades through CB. I would have expected CB to handle any changes CB gets in its releases. The SecAuditLogFormat JSON requirement should have a cleaner update path.

In our case I believe the solution is to rebuild ModSecurity on all our servers.

Can you please confirm?
 
I may confirm "./build modsecurity" should fix it. But "./build modsecurity" shouldn't have broken it though? :)
 
It didn't break it. It didn't run.

We run update_versions when updating our servers. In version 2509 SecAuditLogFormat JSON was added. In 2511 yajl-devel became part of the ModSecurity installation. I don't think either of these updates makes sure that CB installs yajl-devel with update_versions, even though the configuration gets changed. You have to specifically run ./build modsecurity.

I don't think that's right and I'd like to confirm if this is the case.

We will force ./build modsecurity when upgrading the remaining set of servers, but that shouldn't be needed.
 
"./build update_versions" shouldn't update modsecurity config if no related items got updated. What was updated in the list? Didn't you run "./build rewrite_confs"?

Thank you for the information!
 
The same situation here: ./build modsecurity fixes the problem, but we discovered the problem after:

- Installing new versions of PHP
- Changing the IP of a server (using the DA script for this)

I think if the Apache template file for ModSecurity included in CustomBuild changes but a recompile of ModSecurity isn't included or forced, you will face the problem with any action related to the Apache config, and ./build rewrite_confs is a very popular command when facing a problem or making any change.

Regards
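
The mismatch described in this thread (a rewritten config that sets `SecAuditLogFormat JSON` while the installed module was built without yajl) can be detected before httpd is restarted. The following pre-flight check is an added example, not part of the thread, CustomBuild or DirectAdmin. It assumes that a module supporting the directive contains the directive name as a string; the function names are made up for this example and the module path is a placeholder you supply.

```shell
#!/bin/sh
# Pre-flight check for the config/module mismatch discussed in this thread.
# Added example; function names are hypothetical.

# uses_json_audit CONF: succeeds if CONF has an active (uncommented)
# SecAuditLogFormat directive. Apache directive names are case-insensitive.
uses_json_audit() {
    grep -Eiq '^[[:space:]]*SecAuditLogFormat[[:space:]]' "$1"
}

# module_has_directive MODULE: succeeds if the directive name is present in
# the module binary. Assumption: a build with JSON (yajl) support registers
# the directive, so its name is embedded in the file as a string.
module_has_directive() {
    grep -aq 'SecAuditLogFormat' "$1"
}

# check_modsec CONF MODULE
# returns 0 = consistent
#         1 = config uses a directive the module does not provide
#         2 = config or module cannot be read
check_modsec() {
    conf=$1
    module=$2
    [ -r "$conf" ] && [ -r "$module" ] || return 2
    if uses_json_audit "$conf" && ! module_has_directive "$module"; then
        return 1
    fi
    return 0
}

# Usage (module path is a placeholder):
#   sh check.sh /etc/httpd/conf/extra/httpd-modsecurity.conf /path/to/mod_security2.so
if [ "$#" -eq 2 ]; then
    rc=0
    check_modsec "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: config and module agree" ;;
        1) echo "MISMATCH: run ./build modsecurity before restarting httpd" ;;
        2) echo "ERROR: cannot read config or module" ;;
    esac
    exit "$rc"
fi
```

Running it after `./build rewrite_confs` or `./build update_versions` and before any restart keeps a running Apache from being taken down by a config the module cannot parse.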
 