
ModSecurity: Audit Log: Failed To Create Subdirectories: /var/asl/data/audit (Permission Denied)

If you performed a default install of ModSecurity but never modified the configuration or completed any other setup steps, chances are that you are not logging any ModSecurity events. Typically you just need to create a directory structure with the proper permissions, and ModSecurity will do the rest by generating the files itself.

ModSecurity Audit Log Failed To Create Subdirectories:

Below is a sample of an Apache error log showing the clue that probably led you to this article. It simply tells you that ModSecurity is unable to create the directories it needs in order to write its log files.

[Mon Jan 10 00:21:21 2011] [error] [client 10.18.189.254] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110110/20110110-0021 (Permission denied) [hostname "www.example.com"] [uri "/wp-app.php/service"] [unique_id "@et4pEMSvfoAACxtES0AAAA9"]
[Mon Jan 10 00:42:45 2011] [error] [client 10.18.189.254] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110110/20110110-0042 (Permission denied) [hostname "www.example.com"] [uri "/wp-app.php/service"] [unique_id "Ro391EMSvfoAAC3420AAAAAB"]
[Mon Jan 10 00:43:15 2011] [error] [client 10.18.189.254] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110110/20110110-0043 (Permission denied) [hostname "www.example.com"] [uri "/wp-app.php/service"] [unique_id "SE5tSkMSvfoAADbvW7QAAAAb"]
[Mon Jan 10 00:59:41 2011] [error] [client 10.18.189.254] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110110/20110110-0059 (Permission denied) [hostname "www.example.com"] [uri "/wp-app.php/service"] [unique_id "gwytoEMSvfoAAD8lFyoAAAAg"]
[Mon Jan 10 01:09:17 2011] [error] [client 10.18.189.254] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110110/20110110-0109 (Permission denied) [hostname "www.example.com"] [uri "/wp-app.php/service"] [unique_id "pW0anUMSvfoAADgBd4QAAAAq"]
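
Each of these error lines is a transaction ModSecurity tried to audit and could not record. The Python sketch below is an added example (not from the original article) that scans error-log text for this message and groups the unwritten transactions by audit directory; the sample lines and the name `lost_audit_records` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same Apache error-log layout as the excerpt above.
SAMPLE_LOG = """\
[Tue Feb 01 09:15:02 2011] [error] [client 192.0.2.10] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110201/20110201-0915 (Permission denied) [hostname "www.example.com"] [uri "/login.php"] [unique_id "CONSTRUCTEDID0000000001"]
[Tue Feb 01 09:15:40 2011] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Tue Feb 01 09:16:11 2011] [error] [client 192.0.2.11] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110201/20110201-0916 (Permission denied) [hostname "www.example.com"] [uri "/index.php"] [unique_id "CONSTRUCTEDID0000000002"]
"""

FAILURE = re.compile(
    r'ModSecurity: Audit log: Failed to create subdirectories: '
    r'(?P<path>\S+) \((?P<reason>[^)]+)\)'
    r'.*?\[uri "(?P<uri>[^"]*)"\].*?\[unique_id "(?P<uid>[^"]*)"\]'
)
# The failing path ends in <YYYYMMDD>/<YYYYMMDD-HHMM>; strip it to get the root.
DATED = re.compile(r'/\d{8}/\d{8}-\d{4}/?$')


def lost_audit_records(log_text):
    """Group audit-log creation failures by the directory that must be fixed."""
    roots = defaultdict(lambda: {"reasons": set(), "transactions": []})
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue  # unrelated error-log line
        root = DATED.sub("", m.group("path"))
        roots[root]["reasons"].add(m.group("reason"))
        roots[root]["transactions"].append((m.group("uid"), m.group("uri")))
    return dict(roots)


if __name__ == "__main__":
    for root, info in lost_audit_records(SAMPLE_LOG).items():
        print(f"{root}: {len(info['transactions'])} unwritten audit records, "
              f"reasons={sorted(info['reasons'])}")
        for uid, uri in info["transactions"]:
            print(f"  {uid} {uri}")
```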

You likely don’t even have a /var/asl directory yet, so use the syntax below to create the asl directory, a data subdirectory inside it, and then the audit, msa, and security directories within the data subdirectory.

Create ModSecurity Audit Log Directory Structure:

[root@dev ~]# mkdir /var/asl /var/asl/data /var/asl/data/audit /var/asl/data/msa /var/asl/data/security
[root@dev ~]#

After creating the directories, make sure they are owned by the same user that runs Apache, which will typically be the apache user. On CentOS Linux you can verify which user is running Apache by typing “ps -ef | grep http”; the far-left column shows the user running each process. Other Linux distributions are similar, but the switches provided to ps may differ slightly, such as “-aux”. The -R switch in the chown command below tells chown to apply the change recursively to everything located in the data directory.

Modify ModSecurity Audit Log Directories Owner:

[root@dev ~]# chown -R apache:apache /var/asl/data/
[root@dev ~]#

Once the directories have been created and their ownership has been changed, you need to restart Apache for the changes to take effect. Below is an example of restarting Apache on CentOS Linux.

Restart Apache On CentOS Linux:

[root@dev ~]# /etc/init.d/httpd restart
Stopping httpd: [  OK  ]
Starting httpd: [  OK  ]
[root@dev ~]#

The output below shows that once Apache was restarted, ModSecurity was able to write its output when it needed to. New directories and files can now be generated under directories such as audit, and they are named by date.

Audit Log Directories Generated By ModSecurity:

[root@dev data]# ls -alh /var/asl/data/audit/
total 12K
drwxr-xr-x 3 apache apache 4.0K Mar 17 18:26 .
drwxrwxr-x 5 apache apache 4.0K Mar 17 18:23 ..
drwxr-x--- 3 apache apache 4.0K Mar 17 18:26 20110317
[root@dev data]# ls -alh /var/asl/data/audit/20110317/
total 12K
drwxr-x--- 3 apache apache 4.0K Mar 17 18:26 .
drwxr-xr-x 3 apache apache 4.0K Mar 17 18:26 ..
drwxr-x--- 2 apache apache 4.0K Mar 17 18:26 20110317-1826
[root@dev data]# ls -alh /var/asl/data/audit/20110317/20110317-1826/
total 12K
drwxr-x--- 2 apache apache 4.0K Mar 17 18:26 .
drwxr-x--- 3 apache apache 4.0K Mar 17 18:26 ..
-rw-r----- 1 apache apache  713 Mar 17 18:26 20110317-182658-OxhkjEMSvfoAAFrCbSgAAAAR
[root@dev data]#

To show an example of the contents of a file in the audit directory, below is the file listed in the 20110317-1826 directory above.

Example Contents Of ModSecurity Audit Log File:

[root@dev 20110317-1826]# less 20110317-182658-OxhkjEMSvfoAAFrCbSgAAAAR
--dc59f017-A--
[17/Mar/2011:18:26:58 --0500] OxhkjEMSvfoAAFrCbSgAAAAR 192.18.189.254 38716 192.18.189.254 443
--dc59f017-B--
GET /wp-app.php/service HTTP/1.1
Host: www.example.com
Accept: */*

--dc59f017-F--
HTTP/1.1 403 Forbidden
Set-Cookie: PHPSESSID=8xxxx2u9nv4axxxxxxxxx196fdv3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 139
Content-Type: text/plain; charset=UTF-8

--dc59f017-H--
Apache-Handler: php5-script
Stopwatch: 1300577218225292 526434 (1052 1060 525224)
WAF: ModSecurity for Apache/X.XX.XXX (http://www.modsecurity.org/); 201222271602.
Server: Apache/X.XX.XXX (CentOS)

--dc59f017-Z--
[root@dev 20110317-1826]#
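
As an added example (not part of the original article or of ModSecurity itself), the Python sketch below splits an audit file like the one above into its lettered parts (A header, B request headers, F response headers, H trailer, Z end marker) and extracts the fields used in triage. The sample entry and the name `parse_audit_entry` are constructed for illustration.

```python
import re

# Constructed audit entry using the same part layout as the file shown above.
SAMPLE_ENTRY = """\
--a1b2c3d4-A--
[01/Feb/2011:09:15:02 +0000] CONSTRUCTEDID0000000001 192.0.2.10 40122 192.0.2.80 443
--a1b2c3d4-B--
GET /login.php HTTP/1.1
Host: www.example.com

--a1b2c3d4-F--
HTTP/1.1 403 Forbidden
Set-Cookie: PHPSESSID=constructed-session-value; path=/

--a1b2c3d4-H--
Apache-Handler: php5-script

--a1b2c3d4-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")
PART_A = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
SENSITIVE = ("cookie", "set-cookie", "authorization")

def parse_audit_entry(text):
    """Split one audit file into lettered parts and extract triage fields."""
    parts, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = parts.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    header = PART_A.match(parts["A"][0]) if parts.get("A") else None
    if header is None or "Z" not in parts:
        raise ValueError("incomplete audit entry: bad part A or missing part Z")
    timestamp, unique_id, client = header.groups()[:3]
    names = {h.split(":", 1)[0] for h in parts.get("B", [])[1:] + parts.get("F", [])[1:]}
    return {
        "unique_id": unique_id,
        "timestamp": timestamp,
        "client": client,
        "request": parts["B"][0] if parts.get("B") else None,
        "status": parts["F"][0].split()[1] if parts.get("F") else None,
        "sensitive_headers": sorted(n for n in names if n.lower() in SENSITIVE),
    }

if __name__ == "__main__":
    print(parse_audit_entry(SAMPLE_ENTRY))
```

The function reports only the names of sensitive headers, never their values. Parts B and F carry cookies and session identifiers, as the Set-Cookie line in the article's sample shows, which is why the files in the listing above are readable only by the apache user and group.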

You should no longer receive the “Audit Log: Failed To Create Subdirectories” error messages in the HTTPD error log.

