Open
Description
Describe the bug
I tried configuring and using rotatelogs.exe with v2.9.3 on IIS 10. According to this issue - #685, it should have worked
I'm using rotatelogs.exe from here: https://www.apachehaus.com/cgi-bin/download.plx and the relavent part in my config file is shown below
Logs and dumps
ModSecurity throws the following error in the Event Log where line 199 points to the SecAuditLog line shown below:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='ModSecurity'/>
<EventID Qualifiers='0'>1</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime='2019-04-20T07:22:07.968155800Z'/>
<EventRecordID>11784</EventRecordID>
<Channel>Application</Channel>
<Computer>WIN10CLIENT1.example.com</Computer>
<Security/>
</System>
<EventData>
<Data>Syntax error in config file C:\Program Files\ModSecurity IIS\modsecurity.conf, line 199: ModSecurity: Failed to open the audit log pipe: c:\rotatelogs.exe c:\inetpub\logs\modsec_audit.log 120</Data>
</EventData>
</Event>To Reproduce
The relevant part from my config is as follows:
SecAuditLogFormat JSON
# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog "|c:\rotatelogs.exe c:\inetpub\logs\modsec_audit.log 120"
Expected behavior
It should rotate the audit log
Server (please complete the following information):
- ModSecurity version (and connector): [ModSecurity v2.9.3]
- WebServer: [IIS 10]
- OS (and distro): [Windows 10]
Rule Set (please complete the following information):
CRS (v3.0.2)