Wondering what the general consensus is with regard to mod_ruid2 and mod_security logging and user's quota.
With the way mod_security is logging, it creates JSON files within the path - /var/log/modsec_audit/%user% - which can grow to be rather large. And all of the files are owned by %user%. Assuming you have the full server under the / partition (which maybe is where I goofed?) then these files will eat into the user's quota.
This is really my first foray into mod_ruid2. One option I'm considering is to just disable mod_ruid2.
I generally prefer having all of the mod_security audit log information in one file - i.e. /var/log/httpd/modsec_audit.log - but from the best I can tell, because mod_ruid2 is involved each VirtualHost can't get a lock on the file for writing.
How is everyone else dealing with substantially large (and user-owned) /var/log/modsec_audit directories?
Are you using mod_ruid2?