
Waf-fle controller returns http response code 405

Open alvarowe opened this issue 9 years ago • 7 comments

Hi! I've spent 2 days trying to get my mlogc to Waf-fle (Nginx+php-fpm) working but no way :(

The farthest I've reached is this 405 response code.

My config:

Client-sensor side:

Relevant mlogc.conf

CollectorRoot "/usr/local/apache/logs/mlogc"
ConsoleURI "http://waffle.mydomain.net:81/controller/"
SensorUsername "sensorXX"
SensorPassword "mypasswd"

Relevant modsec conf

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIDEFGHZ
SecAuditLogType Concurrent
SecAuditLogStorageDir /usr/local/apache/logs/mlogc/data
SecDebugLogLevel 3
SecAuditLog logs/modsec_audit.log

modsec pushed to mlogc by cron

*/5 * * * * /usr/local/sbin/push-mlogc.sh > /tmp/mlog.log 2>&1

Server Waf-fle side:

mysql -e "select * from sensors;" waffle
+-----------+----------+----------+---------+-------------+------+---------+---------------+------------------+
| sensor_id | name     | password | IP      | description | type | status  | client_ip_via | client_ip_header |
+-----------+----------+----------+---------+-------------+------+---------+---------------+------------------+
|         1 | sensorXX | mypasswd | x.y.z.w | cp500       |    1 | Enabled |             1 | x.y.z.w          |
+-----------+----------+----------+---------+-------------+------+---------+---------------+------------------+

The collecting takes place every 5 minutes (as cron shows).

And the Waf-fle server then shows multiple:

"PUT /controller/ HTTP/1.1" 405 172 "-" "-"

And the sensor side shows in the debug-level log:

[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: HEADER_IN Date: Tue, 19 May 2015 14:35:02 GMT
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: HEADER_IN Content-Type: text/html
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: HEADER_IN Content-Length: 172
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: HEADER_IN Connection: keep-alive
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: HEADER_IN
[Tue May 19 16:35:07 2015] [5] [538981/7fbd00000ed0] CURL: DATA_IN
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: Connection #0 to host waffle.mydomain.net left intact
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] Request returned with status "405 Not Allowed": VVlAPiU7H6oAClzXTzMAAAAB
[Tue May 19 16:35:07 2015] [2] [538981/7fbd00000ed0] Flagging server as errored after failure to submit entry VVlAPiU7H6oAClzXTzMAAAAB with HTTP response code 405: Not Allowed
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] Sleeping for 50 msec.

I am completely dumb and unable to get it working :(

alvarowe avatar May 19 '15 14:05 alvarowe
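As an added example (not part of this issue, of mlogc or of waf-fle), a small Python parser for sensor-side mlogc debug output like the lines quoted above: it pulls out each submission's HTTP status and every entry mlogc flags as errored, so a collector that has started rejecting submissions is visible from the sensor's own log rather than only as a dashboard that stays empty. The sample lines are constructed in the format shown in the post (the final 200 OK entry is made up to exercise the success path), and the hint attached to code 405 repeats what this thread concluded about nginx+php-fpm.

```python
import re
from collections import Counter

# Constructed sample in the shape of the mlogc debug log quoted in the issue;
# the last line (a 200 OK submission) is invented to show the success path.
SAMPLE_LOG = """\
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: HEADER_IN Content-Length: 172
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: Connection #0 to host waffle.mydomain.net left intact
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] Request returned with status "405 Not Allowed": VVlAPiU7H6oAClzXTzMAAAAB
[Tue May 19 16:35:07 2015] [2] [538981/7fbd00000ed0] Flagging server as errored after failure to submit entry VVlAPiU7H6oAClzXTzMAAAAB with HTTP response code 405: Not Allowed
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] Sleeping for 50 msec.
[Tue May 19 16:40:03 2015] [4] [538981/7fbd00000ed0] Request returned with status "200 OK": VVlBcQU7H6oAClzXTzQAAAAC
"""

# One mlogc debug line: [timestamp] [level] [pid/thread] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\d)\] \[(?P<thread>[^\]]+)\] (?P<msg>.*)$"
)
# Outcome of one PUT to the console, with the audit entry id it carried.
STATUS_RE = re.compile(
    r'Request returned with status "(?P<code>\d{3}) (?P<reason>[^"]*)": (?P<entry>\S+)'
)
# mlogc giving up on an entry and marking the collector as errored.
ERRORED_RE = re.compile(
    r"Flagging server as errored after failure to submit entry (?P<entry>\S+) "
    r"with HTTP response code (?P<code>\d{3})"
)

# Operator hints per collector response code; only the one this thread
# established is included, other codes are reported without a hint.
CODE_HINTS = {
    "405": "collector refused the PUT; in this thread the controller was served "
           "by nginx+php-fpm, which waf-fle did not support (Apache + mod_php needed)",
}


def parse_mlogc_log(text):
    """Return one dict per submission-related line: kind, entry id, HTTP code."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an mlogc-formatted line
        msg = m.group("msg")
        s = STATUS_RE.search(msg)
        if s:
            events.append({"ts": m.group("ts"), "kind": "status",
                           "entry": s.group("entry"), "code": s.group("code"),
                           "reason": s.group("reason")})
            continue
        e = ERRORED_RE.search(msg)
        if e:
            events.append({"ts": m.group("ts"), "kind": "errored",
                           "entry": e.group("entry"), "code": e.group("code")})
    return events


def summarize_submissions(events):
    """Count submissions per HTTP code and list entries the sensor gave up on."""
    by_code = Counter(ev["code"] for ev in events if ev["kind"] == "status")
    errored = [ev["entry"] for ev in events if ev["kind"] == "errored"]
    hints = {code: CODE_HINTS[code] for code in by_code if code in CODE_HINTS}
    return {"by_code": dict(by_code), "errored_entries": errored, "hints": hints}


if __name__ == "__main__":
    summary = summarize_submissions(parse_mlogc_log(SAMPLE_LOG))
    for code, n in sorted(summary["by_code"].items()):
        print(f"HTTP {code}: {n} submission(s)  {summary['hints'].get(code, '')}")
    print("entries flagged as errored:", summary["errored_entries"])
```

Run against the real file named by SecDebugLog (the post uses SecDebugLogLevel 3; the CURL lines only appear at level 4 and up), and alert on any non-200 code or any non-empty errored list.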

hi,

It doesn't yet work with nginx+php-fpm; you need to install your collector server with Apache and PHP as an Apache module.

https://github.com/klaubert/waf-fle/issues/1

dmitrijn avatar May 19 '15 15:05 dmitrijn

:( So the 405 Waf-fle response code is right, then? What exactly is the reason, if you know? I mean, the code does not seem quite difficult to hack.... I'll try and have a look at it to see if I could do something.

Anyway I'll try Apache and wait for the php-fpm

alvarowe avatar May 21 '15 06:05 alvarowe

Currently FPM lacks some variables present in Apache. I expect to start working on this in a few weeks, as well as some other features.

Best regards,

Klaubert


klaubert avatar May 21 '15 14:05 klaubert

Thanks for your info and work Klaubert.

Anyway, at the moment it seems we are facing modsec/mlogc CPU usage issues, because as soon as we enable SecAuditType Concurrent, CPU usage rises!!

This, I know, has nothing to do with Waf-fle itself, but has anyone faced the same problem trying to centralize modsec logs?

alvarowe avatar May 25 '15 08:05 alvarowe

Try mlog2waffle, included with waf-fle and documented in the manual; it should solve your issue.


klaubert avatar May 25 '15 13:05 klaubert

Hi! I am trying to get the mlog2waffle collector working but no way. These are my settings, to see if anyone might help. Thanks.

cat /etc/mlog2waffle.conf | grep -v "#"

$CONSOLE_URI = "http://wherevermywafle.es/controller/";
$CONSOLE_USERNAME = "cp530";
$CONSOLE_PASSWORD = "_hidden_";
$MODSEC_DIRECTORY = "/var/log/mlog2waffle/data/";
$INDEX_FILE = "/usr/local/apache/logs/modsec_audit.log";
$ERROR_LOG = "/var/log/mlog2waffle/mlogc-error.log";
$MODE = "batch";
$FULL_TAIL = "FALSE";
$PIDFILE = "/var/run/mlog2waffle.pid";
$OFFSET_FILE = "/var/log/mlog2waffle/offset";
$THREADMAX = 2;
$CHECK_CONNECTIVITY = "TRUE";
$DEBUG = "FALSE";
$DEBUG_FILE = "/var/log/mlog2waffle/mlog2waffle.debug";

I fire some easy modsec rules and then see the correct logs generated:

ll /var/log/mlog2waffle/data/nobody/20151110/
total 16
drwxr-x--- 4 nobody nobody 4096 nov 10 11:05 ./
drwxr-x--- 3 nobody nobody 4096 nov 10 10:49 ../
drwxr-x--- 2 nobody nobody 4096 nov 10 10:49 20151110-1049/
drwxr-x--- 2 nobody nobody 4096 nov 10 11:05 20151110-1105/

I test the connection from the sensor Linux box to the Waf-fle server and it seems OK:

curl -s -I --user cp530:**hidden* http://waffle.webempresa.eu/controller/ | head -1
HTTP/1.1 200 Ok

See the cron running:

crontab -l | grep mlog
*/5 * * * * /usr/sbin/mlog2waffle

cat /var/log/cron | grep mlog | tail -3
Nov 10 11:05:01 cp530 CROND[304532]: (root) CMD (/usr/sbin/mlog2waffle)
Nov 10 11:10:01 cp530 CROND[305104]: (root) CMD (/usr/sbin/mlog2waffle)
Nov 10 11:15:01 cp530 CROND[305774]: (root) CMD (/usr/sbin/mlog2waffle)

-rw-r--r-- 1 root root 0 nov 10 10:47 /var/log/mlog2waffle/mlogc-error.log

But no events at all show up on my server dashboard :( :(

zirikatzaile avatar Nov 10 '15 10:11 zirikatzaile

Zirikatzaile,

Your modsec_directory is actually /var/log/mlog2waffle/data/nobody/, with the user nobody at the end; change it and have another try.

Klaubert


klaubert avatar Nov 11 '15 00:11 klaubert
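An added diagnostic for the mismatch Klaubert points out in the last answer; it is not part of mlog2waffle, waf-fle or this thread. It parses the `$KEY = "value";` assignments from an mlog2waffle.conf, walks the configured $MODSEC_DIRECTORY looking for the YYYYMMDD/YYYYMMDD-HHMM layout that a Concurrent audit log produces, and reports the directory that actually holds the entries (here one level deeper, under nobody/). The configuration excerpt and the directory tree are constructed from the listing in zirikatzaile's post inside a temporary directory, so the check runs offline; on a real sensor, call check_modsec_directory with the parsed config and an empty base.

```python
import os
import re
import tempfile

# Constructed excerpt in the shape of the /etc/mlog2waffle.conf quoted in the thread.
SAMPLE_CONF = '''
$CONSOLE_URI = "http://wherevermywafle.es/controller/";
$CONSOLE_USERNAME = "cp530";
$MODSEC_DIRECTORY = "/var/log/mlog2waffle/data/";
$INDEX_FILE = "/usr/local/apache/logs/modsec_audit.log";
$MODE = "batch";
$THREADMAX = 2;
'''

# Perl-style assignment: $NAME = "value";  (quotes optional, as for $THREADMAX)
ASSIGN_RE = re.compile(r'^\s*\$(?P<key>\w+)\s*=\s*"?(?P<val>[^";]*)"?\s*;')
DAY_RE = re.compile(r"^\d{8}$")          # e.g. 20151110
SLOT_RE = re.compile(r"^\d{8}-\d{4}$")   # e.g. 20151110-1049


def parse_conf(text):
    """Collect the $KEY = value; assignments of an mlog2waffle.conf into a dict."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            conf[m.group("key")] = m.group("val")
    return conf


def find_audit_roots(top):
    """Return every directory under `top` that directly holds the
    YYYYMMDD/YYYYMMDD-HHMM tree ModSecurity writes in Concurrent mode."""
    roots = set()
    for dirpath, dirnames, _files in os.walk(top):
        for d in dirnames:
            if not DAY_RE.match(d):
                continue
            day_dir = os.path.join(dirpath, d)
            if any(SLOT_RE.match(s) for s in os.listdir(day_dir)):
                roots.add(dirpath)
    return sorted(roots)


def check_modsec_directory(conf, base=""):
    """Compare $MODSEC_DIRECTORY with where the audit entries actually live.
    `base` is prepended to the configured path so the check can run on a sandbox tree."""
    configured = os.path.normpath(base + conf["MODSEC_DIRECTORY"])
    actual = find_audit_roots(configured)
    return {
        "configured": configured,
        "actual": actual,
        # where the entries sit, relative to the configured directory
        "relative": [os.path.relpath(a, configured) for a in actual],
        # only correct when the configured directory itself is the audit root
        "ok": actual == [configured],
    }


def build_sample_tree(base):
    """Recreate the listing from the post: data/nobody/20151110/20151110-1049 and -1105."""
    for slot in ("20151110-1049", "20151110-1105"):
        os.makedirs(os.path.join(base, "var/log/mlog2waffle/data/nobody/20151110", slot))


def demo():
    """Run the check against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return check_modsec_directory(parse_conf(SAMPLE_CONF), base)


if __name__ == "__main__":
    result = demo()
    print("configured $MODSEC_DIRECTORY:", result["configured"])
    print("audit entries found under:", result["relative"] or ["(none)"])
    print("OK" if result["ok"] else "MISMATCH: point $MODSEC_DIRECTORY at the directory above")
```

An empty `actual` list is the other failure worth alarming on: it means no Concurrent-format entries were found under the configured path at all, which points at SecAuditLogStorageDir rather than at the collector.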