ModSecurity on Web Panel shows no logs

[Tiv]

DA Controls Panel doesn't show any logs for ModSecurity. However, there are modesc files in /var/log/httpd/
Here is the result of `ls -l /var/log/modsec*`
-rw-r----- 1 root root 1991968 May 14 20:37 /var/log/httpd/modsec_audit.log
-rw-r----- 1 root root 4588969 Apr 21 03:43 /var/log/httpd/modsec_audit.log-20240421
-rw-r----- 1 root root 5006748 Apr 28 03:06 /var/log/httpd/modsec_audit.log-20240428
-rw-r----- 1 root root 6631268 May 5 03:26 /var/log/httpd/modsec_audit.log-20240505
-rw-r----- 1 root root 5688488 May 12 03:14 /var/log/httpd/modsec_audit.log-20240512
-rw-r----- 1 root root 0 Apr 28 03:16 /var/log/httpd/modsec_debug.log
-rw-r----- 1 root root 0 Mar 31 03:51 /var/log/httpd/modsec_debug.log-20240407
-rw-r----- 1 root root 0 Apr 7 03:25 /var/log/httpd/modsec_debug.log-20240414
-rw-r----- 1 root root 0 Apr 14 03:15 /var/log/httpd/modsec_debug.log-20240421
-rw-r----- 1 root root 0 Apr 21 03:47 /var/log/httpd/modsec_debug.log-20240428

 

[JerryG]

We have encountered this same issue on a number of servers as well.

 

[JerryG]

It shouldn't matter as log file ownership and permissions are the same, but our nginx_apache servers seem unaffected. Only a number of our pure Apache machines have this issue. Update and conf rewrite didn't help.

 

[fln]

Please open a support tickets and we will investigate it further. It works as expected in our testing environment.

 

[fln]

Thanks for reporting it in the ticketing system.

The root cause for this issue was unexpected date format in modsec logs. All servers having GMT negative time zones triggers a modsecurity bug and prints malformed time-zone offset. For example EDT is reported as --0400 instead of -0400. An update to DA is released to support parsing malformed modsecurity log timestamps.

 

[JerryG]

Awesome. Thanks for the update!

 

[Tiv]

Yup, it works. Thanks