problem with waffle 6.4 on centos 6.5


James McIntyre

Jan 28, 2015, 3:24:53 PM
to waf...@googlegroups.com
I have installed mod_security and waffle. 

I am unable to see any events via waffle. I can log in to waffle and have
created a sensor and an event feeder.

Data is being collected as noted in the files below. 

These are the files:

root xxxxxx      /var/log 
# ll -d mlog2waffle/
drwxr-xr-x 3 apache root 4096 Jan 28 16:43 mlog2waffle/

root xxxxx /var/log/mlog2waffle 
# ll
total 20
drwxr-xr-x 3 apache root 4096 Jan 28 16:43 .
drwxr-xr-x 7 root   root 4096 Jan 28 18:24 ..
drwxrwxr-x 3 apache root 4096 Jan 28 16:29 data
-rw-rw-r-- 1 apache root    0 Jan 28 16:43 mlog2waffle.debug
-rw-rw-r-- 1 apache root    0 Jan 28 16:14 mlogc-error.log
-rw-rw-r-- 1 apache root 7228 Jan 28 19:26 modsec_audit.log
-rw-rw-r-- 1 apache root    0 Jan 28 16:43 offset

data/20150128/20150128-1629:
total 16
drwxr-x---  2 apache apache 4096 Jan 28 16:29 .
drwxr-x--- 16 apache apache 4096 Jan 28 19:26 ..
-rw-r-----  1 apache apache  495 Jan 28 16:29 20150128-162909-VMkOVUrP6dUAAD6yDzwAAAAD
-rw-r-----  1 apache apache  495 Jan 28 16:29 20150128-162909-VMkOVUrP6dUAAD7dUJQAAAAH

data/20150128/20150128-1630:
total 12
drwxr-x---  2 apache apache 4096 Jan 28 16:30 .
drwxr-x--- 16 apache apache 4096 Jan 28 19:26 ..
-rw-r-----  1 apache apache 2044 Jan 28 16:30 20150128-163032-VMkOqErP6dUAAD6xDV8AAAAC

I am running centos 6.5.

mlog2waffle is running as a daemon, but I have also tried batch mode; there are no errors
in mlog2waffle.debug with DEBUG=TRUE.

The system log contains the following message when mlog2waffle is
terminated (either as a daemon or in batch):

kernel: mlog2waffle[2448]: segfault at 275 ip 00007f35f43718aa sp 00007fff5697ca68 error 6 in libssl.so.1.0.1e[7f35f432b000+62000]

Thoughts on where I should start looking for what I have done wrong?

Thanks,

Jim Mc....

J. Tozo

Jan 28, 2015, 3:33:31 PM
to waf...@googlegroups.com
Hi, I have already had weird segfault problems; it was an erroneous configuration in my .conf files.

Can you post your mlog2waffle.conf? 

--
You received this message because you are subscribed to the Google Groups "waf-fle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waf-fle+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Thanks,

 Tozo

James McIntyre

Jan 29, 2015, 8:54:02 AM
to waf...@googlegroups.com
Tozo:

Here you go.......

 
# cat /etc/mlog2waffle.conf 

# Configuration file for mlog2waffle
# ModSecurity needs to be configured to log in concurrent mode; for example,
# in the ModSecurity config use something like this:
#
#   SecAuditLogParts ABIJDEFGHZ
#   SecAuditLogType Concurrent
#   SecAuditLog "/var/log/mlogc/mlogc-index"
#   SecAuditLogStorageDir /var/log/mlogc/data
#
# In this way you can set mlog2waffle to tail mode (see below) and
# check the file continuously, sending events in real time to WAF-FLE, or
# run a scheduled "batch" mode.
# Requirements: File::Tail perl module; use your own or the one provided
# with the WAF-FLE package (you may need to adjust the path in mlogc-waffle).


# Define the complete URI of WAF-FLE controller, http or https

# Define username used to put events on WAF-FLE for this sensor
$CONSOLE_USERNAME = "xxxxxx";

# Define password used to put events on WAF-FLE for this sensor
$CONSOLE_PASSWORD = "xxxxxx";

# $MODSEC_DIRECTORY is where the concurrent audit logs are stored.
# In the ModSecurity configuration it is defined by the SecAuditLogStorageDir directive
$MODSEC_DIRECTORY = "/var/log/mlog2waffle/data/";

# $INDEX_FILE is defined by the SecAuditLog ModSecurity directive; it is an index
# file of events generated by the concurrent log type
$INDEX_FILE = "/var/log/mlog2waffle/modsec_audit.log";

# $ERROR_LOG is the mlogc-waffle error log; write permission is needed.
$ERROR_LOG = "/var/log/mlog2waffle/mlogc-error.log";

# Define the execution mode:
#  - "tail": run continuously, waiting for new entries in the log file;
#  - "batch": run and exit at the end, but record (in the offset file) the
#     position reached in the last run, speeding up the next execution. You can schedule
#     mlogc-waffle in crontab to run periodically (for example, every 5 min).
$MODE = "tail";

# Set $FULL_TAIL = "TRUE" to make tail mode read the full file at start; set to
# "FALSE" to start reading at the end of the file.
$FULL_TAIL = "FALSE";

# $PIDFILE sets the file used to store the process id when running in tail mode, forked as a daemon
$PIDFILE = "/var/run/mlog2waffle.pid";

# Define the offset file, used as a checkpoint for batch mode; it needs permission
# to write to this file.
$OFFSET_FILE = "/var/log/mlog2waffle/offset";

# Set the max number of threads used to send parallel events to WAF-FLE;
# if you need more performance pushing events to WAF-FLE, try increasing it
# to a higher value. Remember: a higher number of threads means higher CPU usage.
$THREADMAX = 2;

# Set $CHECK_CONNECTIVITY to "TRUE" to check connectivity with WAF-FLE before
# sending any event to it. Set to "FALSE" to skip the check, or for use with
# another console.
$CHECK_CONNECTIVITY = "TRUE";

# If $DEBUG is set to "TRUE" it will write to $DEBUG_FILE the request and response
# between mlogc-waffle and WAF-FLE
$DEBUG = "FALSE";

# $DEBUG_FILE
$DEBUG_FILE = "/var/log/mlog2waffle/mlog2waffle.debug";

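The comments in that config describe ModSecurity's concurrent audit mode: one index line per transaction in $INDEX_FILE, and the event body stored as a separate file under $MODSEC_DIRECTORY. Before chasing the segfault it is worth confirming that the index and the stored files actually agree, because those are what any shipper (mlog2waffle or mlogc) has to read. The script below is an added example, not code from WAF-FLE or from anyone in this thread. It reads the four trailing fields of each index line (path relative to SecAuditLogStorageDir, offset, size, md5 of the stored file, as ModSecurity 2.x writes them; if your build writes a different trailer, adjust the awk) and checks each referenced file for presence, size and md5. The storage tree and index lines it builds under mktemp are constructed sample data; the summary fields in those lines are placeholders.

```shell
#!/bin/sh
# Added example, not WAF-FLE or mlog2waffle code: check a ModSecurity
# concurrent audit index ($INDEX_FILE) against the event files it points at
# under the storage directory ($MODSEC_DIRECTORY). A ModSecurity 2.x
# concurrent index line is a combined-log-style summary followed by four
# trailing fields:
#   <path relative to SecAuditLogStorageDir> <offset> <size> md5:<md5 of the file>
# The index lines and event files built by make_sample are constructed, not
# real captures; the summary fields in them are placeholders.

# verify_index INDEX_FILE STORAGE_DIR
# Prints one line per index entry: "OK", "MISSING", "SIZE" or "MD5", then the path.
verify_index() {
    index=$1
    dir=${2%/}                    # accept the trailing slash used in $MODSEC_DIRECTORY
    awk 'NF >= 4 { print $(NF-3), $(NF-2), $(NF-1), $NF }' "$index" |
    while read -r rel offset size md5; do
        case $rel in /*) ;; *) rel="/$rel" ;; esac
        file="$dir$rel"
        if [ ! -f "$file" ]; then
            echo "MISSING $rel"
            continue
        fi
        actual_size=$(wc -c < "$file" | tr -d ' ')
        if [ "$actual_size" -ne "$size" ]; then
            echo "SIZE $rel (index says $size, file is $actual_size)"
            continue
        fi
        actual_md5=$(md5sum "$file" | cut -d' ' -f1)
        if [ "md5:$actual_md5" != "$md5" ]; then
            echo "MD5 $rel (index $md5, file md5:$actual_md5)"
            continue
        fi
        echo "OK $rel"
    done
}

# index_failures INDEX_FILE STORAGE_DIR: count of entries that did not verify.
index_failures() {
    verify_index "$1" "$2" | grep -v '^OK ' | wc -l | tr -d ' '
}

# index_line FILE STORAGE_DIR: constructed index entry for FILE, with
# placeholder summary fields and the size and md5 of the file as it is now.
index_line() {
    file=$1
    dir=${2%/}
    rel=${file#"$dir"}
    size=$(wc -c < "$file" | tr -d ' ')
    md5=$(md5sum "$file" | cut -d' ' -f1)
    printf '%s\n' "www.example.com 192.0.2.10 - - [28/Jan/2015:16:29:09 -0500] \"GET / HTTP/1.1\" 403 495 \"-\" \"-\" CONSTRUCTEDUNIQUEID00001 \"-\" $rel 0 $size md5:$md5"
}

# make_sample ROOT: constructed storage tree with one intact event, one that
# grew after it was indexed, one rewritten with the same size, and one deleted.
make_sample() {
    root=$1
    d="$root/data/20150128/20150128-1629"
    mkdir -p "$d"
    printf '%s\n' '--a1b2c3d4-A--' '[28/Jan/2015:16:29:09 --0500] CONSTRUCTEDUNIQUEID00001 192.0.2.10 54321 192.0.2.1 80' '--a1b2c3d4-Z--' '' > "$d/20150128-162909-intact"
    printf '%s\n' 'event' > "$d/20150128-162910-grown"
    printf '%s\n' 'AAAA' > "$d/20150128-162911-rewritten"
    printf '%s\n' 'gone' > "$d/20150128-162912-missing"
    {
        index_line "$d/20150128-162909-intact" "$root/data"
        index_line "$d/20150128-162910-grown" "$root/data"
        index_line "$d/20150128-162911-rewritten" "$root/data"
        index_line "$d/20150128-162912-missing" "$root/data"
    } > "$root/modsec_audit.log"
    printf '%s\n' 'extra' >> "$d/20150128-162910-grown"     # size no longer matches
    printf '%s\n' 'BBBB' > "$d/20150128-162911-rewritten"   # same size, different md5
    rm "$d/20150128-162912-missing"
}

# Demo on the constructed tree; on a sensor, run it on the real paths instead:
#   verify_index /var/log/mlog2waffle/modsec_audit.log /var/log/mlog2waffle/data/
tmp=$(mktemp -d)
make_sample "$tmp"
verify_index "$tmp/modsec_audit.log" "$tmp/data/"
echo "failures: $(index_failures "$tmp/modsec_audit.log" "$tmp/data/")"
rm -rf "$tmp"
```

On the sensor, run verify_index on the paths from /etc/mlog2waffle.conf as the user mlog2waffle runs as, not as root: the per-day data directories in the first post are drwxr-x--- apache:apache, so a MISSING result under another user means the daemon cannot open those files either, whatever the index says.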


J. Tozo

Jan 29, 2015, 1:10:35 PM
to waf...@googlegroups.com
I'm afraid I couldn't help you here; your configuration looks OK. Probably you will need to get the full core dump to investigate this deeper, or try another version of Perl or libssl.

I'm actually using mlogc to populate WAF-FLE.
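Until a core dump exists, the kernel line in the first post already carries usable information: the fault address, the instruction pointer, the mapping base and size of the library the ip landed in, and the x86 page-fault error code. The script below is an added example (not WAF-FLE code and not from anyone in the thread) that decodes that line. Error 6 is a user-mode write to a page that is not mapped, and a fault address of 0x275 is consistent with a write through a NULL or near-NULL pointer (a struct field at that offset), rather than a wild pointer; ip minus the mapping base gives the offset inside libssl.so.1.0.1e, which gdb can resolve against the library's dynamic symbol table even without debuginfo. The library path, the mlog2waffle command name and the core file name in the printed follow-up commands are assumptions.

```shell
#!/bin/sh
# Added example, not part of WAF-FLE or mlog2waffle: decode an x86-64 kernel
# "segfault at ..." line and print what to run next. The line format is
#   segfault at <addr> ip <ip> sp <sp> error <code> in <lib>[<base>+<size>]
# where <code> is the x86 page-fault error code.

# segfault_field LINE KEY: extract one field (addr, ip, err, lib, base, size).
segfault_field() {
    line=$1
    case $2 in
        addr) printf '%s\n' "$line" | sed -n 's/.*segfault at \([0-9a-f]*\) ip .*/\1/p' ;;
        ip)   printf '%s\n' "$line" | sed -n 's/.* ip \([0-9a-f]*\) .*/\1/p' ;;
        err)  printf '%s\n' "$line" | sed -n 's/.* error \([0-9]*\) in .*/\1/p' ;;
        lib)  printf '%s\n' "$line" | sed -n 's/.* in \([^[]*\)\[.*/\1/p' ;;
        base) printf '%s\n' "$line" | sed -n 's/.*\[\([0-9a-f]*\)+.*/\1/p' ;;
        size) printf '%s\n' "$line" | sed -n 's/.*+\([0-9a-f]*\).*/\1/p' ;;
    esac
}

# segfault_kind CODE: decode the page-fault error code bits
# (bit0: 1=protection violation, 0=page not present; bit1: write; bit2: user mode).
segfault_kind() {
    code=$1
    kind=read
    [ $((code & 2)) -ne 0 ] && kind=write
    if [ $((code & 1)) -ne 0 ]; then kind="$kind,protection-violation"; else kind="$kind,page-not-present"; fi
    if [ $((code & 4)) -ne 0 ]; then kind="$kind,user-mode"; else kind="$kind,kernel-mode"; fi
    echo "$kind"
}

# segfault_offset LINE: print "<lib> 0x<ip - base> <in-map|outside-map>".
segfault_offset() {
    line=$1
    ip=$(segfault_field "$line" ip)
    base=$(segfault_field "$line" base)
    size=$(segfault_field "$line" size)
    lib=$(segfault_field "$line" lib)
    if [ -z "$ip" ] || [ -z "$base" ]; then
        echo "unparsed"
        return 1
    fi
    off=$(( 0x$ip - 0x$base ))
    where=outside-map
    if [ "$off" -ge 0 ] && [ "$off" -lt $(( 0x${size:-0} )) ]; then where=in-map; fi
    printf '%s 0x%x %s\n' "$lib" "$off" "$where"
}

# decode_segfault LINE: one-line summary plus the commands to run next
# (library path, command name and core file name are assumptions).
decode_segfault() {
    line=$1
    addr=$(segfault_field "$line" addr)
    code=$(segfault_field "$line" err)
    set -- $(segfault_offset "$line")
    echo "fault: $(segfault_kind "${code:-0}") access to 0x${addr:-0}; ip at $1+$2 ($3)"
    if [ $(( 0x${addr:-0} )) -lt 4096 ]; then
        echo "note: fault address below 0x1000: an access through a NULL or near-NULL pointer (a struct field at that offset), not a random wild pointer"
    fi
    cat <<EOF
next (adjust the assumed paths and names):
  ldconfig -p | grep $1                              # real path of the library
  gdb -q -batch -ex 'info symbol $2' /usr/lib64/$1   # which function contains ip
  cat /proc/sys/kernel/core_pattern                  # on CentOS 6 abrt may take cores
  ulimit -c unlimited && mlog2waffle                 # reproduce in batch mode, foreground
  gdb -q -batch -ex bt /usr/bin/perl core.<pid>      # debuginfo-install openssl perl for names
EOF
}

# The line from the first post, as it appears in the system log:
decode_segfault 'kernel: mlog2waffle[2448]: segfault at 275 ip 00007f35f43718aa sp 00007fff5697ca68 error 6 in libssl.so.1.0.1e[7f35f432b000+62000]'
```

The offset it prints for that line is 0x468aa inside a 0x62000-byte mapping, so the crash is in libssl's own code, not in a jump to nowhere; `info symbol` on the library tells you which SSL routine that is, which narrows the question to what mlog2waffle's HTTPS client (LWP/Net::SSLeay on this system) handed to OpenSSL.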

Klaubert Herr da Silveira

Feb 2, 2015, 7:39:35 PM
to waf...@googlegroups.com
James,

Please check the versions of libwww and LWP::UserAgent; we need a recent version (though I expect that CentOS/RHEL 6.5 has a recent enough one).

Let me know any news.

Best regards,

Klaubert