ModSecurity and Logrotate

As you may have read, we are using ModSecurity to filter out bad HTTP requests on our servers. In this little post you will learn how to integrate ModSecurity and Logrotate to work effectively together.

One drawback of this technology is that it logs an incredible amount of data to /var/log/modsec_audit.log (all of it is useful for debugging, so we do not want to disable logging altogether)… By the end of the day this file is HUGE…

To avoid this we have created a new logrotate script that handles all the work. To install it under CentOS, type

vi /etc/logrotate.d/modsecurity

then insert the following lines:

/var/log/modsec_audit.log {
    rotate 1
    compress
    missingok
    notifempty
    sharedscripts
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}

No need to restart anything: the script does all the work on its own each time logrotate runs…

To complete the picture, let’s have a look at the lines we have written:

rotate 1

tells logrotate to keep ONLY 1 rotated copy of the file. This means that today at 4 am logrotate deletes the old modsec_audit.log.1.gz and creates a new one from the current modsec_audit.log.

compress

means that we want the rotated copy of the file compressed

postrotate
    /sbin/service httpd reload > /dev/null 2>/dev/null || true
endscript

forces a restart of Apache.
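Added example, not part of the original post and not code from ModSecurity or logrotate: a small POSIX shell simulation of why the postrotate step matters. A background loop stands in for Apache holding modsec_audit.log open, mv stands in for logrotate's rename, and SIGHUP stands in for service httpd reload; every path is constructed under a temporary directory.

```shell
#!/bin/sh
# Simulates a log writer that opened its file once at startup (as Apache does
# with modsec_audit.log) and what happens when the file is renamed underneath it.

# Runs a 20-line writer, renames the log after ~5 lines, and prints
# "<lines in new file> <lines in renamed file>".
# $1 = "reload" to send the writer SIGHUP after the rename (stand-in for
#      "service httpd reload"); any other value skips the reload.
count_after_rotate() {
    mode=$1
    dir=$(mktemp -d)                 # constructed scratch location
    log="$dir/modsec_audit.log"
    : > "$log"
    (
        exec 3>>"$log"               # open the log ONCE, like Apache at startup
        trap 'exec 3>>"$log"' HUP    # on "reload", reopen the log by name
        i=0
        while [ "$i" -lt 20 ]; do
            echo "audit entry $i" >&3
            i=$((i + 1))
            sleep 0.1
        done
    ) &
    writer=$!
    sleep 0.5                        # let roughly 5 entries land first
    mv "$log" "$log.1"               # logrotate renames; the writer's fd follows the inode
    : > "$log"                       # empty replacement file, so the new name exists
    if [ "$mode" = reload ]; then
        kill -HUP "$writer"          # tell the writer to reopen, as the postrotate script does
    fi
    wait "$writer"
    new=$(($(wc -l < "$log")))
    old=$(($(wc -l < "$log.1")))
    rm -rf "$dir"
    echo "$new $old"
}

echo "without reload (new old): $(count_after_rotate plain)"
echo "with reload    (new old): $(count_after_rotate reload)"
```

Without the reload every entry written after the rename still lands in modsec_audit.log.1 and the fresh modsec_audit.log stays empty; with it, the writer switches to the new file.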

3 Comments

  1. Hi,
    “/sbin/service httpd reload” does not force Apache to restart (stop and start) but only to read and apply the configuration files without downtime.
    Regards,
    L.

  2. Great! What about adding an upper size limit to that file?
    Can I simply add a line ‘size 5M’ to the above config?
    Thank you Simone!
