owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

ModSecurity IIS startup message is flooding the event log #784

Open zimmerle opened 10 years ago

zimmerle commented 10 years ago

It seems like ModSecurity for IIS is logging its startup messages way too much, flooding the logs with messages similar to the one below:

[...] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[...] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
[...] ModSecurity: PCRE compiled version="8.31 "; loaded version="8.31 2012-07-06"
[...] ModSecurity: LUA compiled version="Lua 5.1"
[...] ModSecurity: LIBXML compiled version="2.9.1

IIS threads sleep from time to time, waking up once a request is received. Once started, the thread loads ModSecurity and consequently prints these messages to the event logs once more, flooding the event logs.

Those events should be treated in a clever way, not changing the default behavior of ModSecurity (which is platform independent) but also not flooding the event log.

zimmerle commented 10 years ago

Similar to: #675

naziml commented 10 years ago

I would also consider adding a single event when ModSecurity for IIS is actually enabled in config. I would log the config file (with full path) used for ModSecurity in this event.