Are you trying to fix the error "ModSecurity failed to open the audit log file" ?
This guide is for you.
ModSecurity failed to open the audit log file error generally happens when there is a missing log files or as a result of improper permissions set for the log files.
While using Linux, you may encounter the error, "permission denied".
This error occurs when the user does not have the privileges to make edits to a file. Root has access to all files and folders and can make any edits.
Remember that only root or users with Sudo privileges can change permissions for files and folders.
In this context, we shall look into methods to resolve this ModSecurity error.
Tips to resolve the error 'ModSecurity failed to open the audit log file' ?
Apply the tips given below to fix this error.
1. Missing log files
Recently, one of our customers came across an error message while running the SSH terminal. The Apache wasn't starting.
Here is the error message he received:
AH00526: Syntax error on line 12 of /etc/apache2/conf.d/modsec2.conf:
ModSecurity: Failed to open the audit log file: /etc/apache2/logs/modsec_audit.log
This error here clearly says that the log files are missing.
Sometimes, customers might delete the log files unknowingly from /etc/apache2/logs/ or /usr/local/apache/logs.
So this error can occur.
So, we manually create the log files.
Here is the command for it:
After that, we ensure that the permissions are set properly.
For that, we run the below commands:
chmod 0644 /etc/apache2/logs/error_log
chmod 0600 /etc/apache2/logs/modsec_audit.log
The modsec log files are assigned 0600 permissions by default, whereas the error_log is assigned 0644 permissions by default.
This resolved the error message.
SecAuditLogType configures the type of audit logging mechanism to be used.
This has 2 possible values, they are:
i. Serial – all audit log entries saves in the main audit logging file.
ii. Concurrent – audit log entries saves in separate files, one for each transaction.
So, we suggest our customers set the value of SecAuditLogType is to Serial.
Else, if Concurrent is set then we suggest creating the directory for saving concurrent logs.