×


ModSecurity failed to open the audit log file error

Are you trying to fix the error "ModSecurity failed to open the audit log file" ?

This guide is for you.


ModSecurity failed to open the audit log file error generally happens when there is a missing log files or as a result of improper permissions set for the log files.

While using Linux, you may encounter the error, "permission denied". 

This error occurs when the user does not have the privileges to make edits to a file. Root has access to all files and folders and can make any edits.

Remember that only root or users with Sudo privileges can change permissions for files and folders.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to fix ModSecurity related errors.

In this context, we shall look into methods to resolve this ModSecurity error.


Tips to resolve the error 'ModSecurity failed to open the audit log file' ?

Apply the tips given below to fix this error.


1. Missing log files

Recently, one of our customers came across an error message while running the SSH terminal. The Apache wasn't starting. 

Here is the error message he received:

AH00526: Syntax error on line 12 of /etc/apache2/conf.d/modsec2.conf:
ModSecurity: Failed to open the audit log file: /etc/apache2/logs/modsec_audit.log

This error here clearly says that the log files are missing.

Sometimes, customers might delete the log files unknowingly from /etc/apache2/logs/ or /usr/local/apache/logs

So this error can occur.

So, we manually create the log files. 

Here is the command for it:

touch /etc/apache2/logs/error_log
touch /etc/apache2/logs/modsec_audit.log

After that, we ensure that the permissions are set properly. 

For that, we run the below commands:

chmod 0644 /etc/apache2/logs/error_log
chmod 0600 /etc/apache2/logs/modsec_audit.log

The modsec log files are assigned 0600 permissions by default, whereas the error_log is assigned 0644 permissions by default.

This resolved the error message.


2. SecAuditLogType

SecAuditLogType configures the type of audit logging mechanism to be used. 

This has 2 possible values, they are:

i. Serial – all audit log entries saves in the main audit logging file.

ii. Concurrent – audit log entries saves in separate files, one for each transaction.

So, we suggest our customers set the value of SecAuditLogType is to Serial. 

Else, if Concurrent is set then we suggest creating the directory for saving concurrent logs.


[Need urgent assistance in fixing ModSecurity errors? – We are here to help you. ]


Conclusion

This article will guide you on methods to resolve the error 'ModSecurity failed to open the audit log file' which occur as a result of a missing log files or due to improper permissions.

1. Setting ownership to www-data:www-data and file permissions from 600 to 660 will fix this problem.

2. Ensure that the permissions are properly configured on these files.

Execute the command below:

chmod 0644 /etc/apache2/logs/error_log

chmod 0600 /etc/apache2/logs/modsec_audit.log

The modsec log files are assigned 0600 permissions by default, whereas the error_log is assigned 0644 permissions by default.

3. mkdir permission denied signifies that the user you're running the mkdir as, doesn't have permissions to create new directory in the location you specified. 

You should use ls command on the higher level directory to confirm permissions.

4. The mkdir command by default gives rwx permissions for the current user only. To add read, write, and execute permission for all users, add the -m option with the user 777 when creating a directory.