Topic: mlogc.exe (failed match regex) after update 2.9.5 (solved)

[abrauer-cpt]

After update of apache and mod_security mlogc.exe failed to send log-entries.

Update from:
Windows Server 2016
Apache 2.4.49 (x64)
mod_security 2.9.3 (x64)

Update to:
Apache 2.4.53 (x64)
mod_security 2.9.5 (x64)
libapr-1-fix

No cofiguration changes were made.

Error (mlogc-error.log):
Invalid entry (failed to match regex)

Before update everything was fine without errors.
If i downgrade mlogc went back to normal work.

Did anyone had the same error or better a solution?

[tangent]

Apache httpd release 2.4.53 is now built with PCRE2 - see https://www.apachelounge.com/viewtopic.php?t=8861&highlight=pcre2

However, Steffen points out here in this earlier post (https://www.apachelounge.com/viewtopic.php?t=8843) that mod_security is built with the old PCRE. So for now you need to leave a copy of the old pcre.dll in the bin directory.

[abrauer-cpt]

Hello tangent,

thank you for your reply.

In my update-test I had left the pcre.dll in the /bin folder.

Is there any other configuration I have to do?

[tangent]

If you turn up the debug level do the logs give you any more clues over which regex construct is failing?

At this point I'd suspect a subtle change in mod_security functionality, so my next step would be to verify this by trying 2.9.3 with the later Apache release.

You might need to refine your mod_security configuration.

[abrauer-cpt]

Sorry for my late reply, i was on vacation.

The debug logs don't give me more clues, or i don't see them. (with high debug level the logs are very large)

I tested mod_security with later Apache release:
Apache 2.4.53 (x64)
mod_security 2.9.3 (x64) (no Update)
No Configuration-Change

Runs without error.

I'm trying some more tests.

[abrauer-cpt]

Ok, i have done some tests.
I can reproduce the error if i simple change the mod_security2.so and mlogc.exe from 2.9.3 to 2.9.5

The only difference i see, is the part after "Processing entry."
Version 2.9.5: "Invalid entry (failed to match regex)"
Version 2.9.3: "Regular expression matched."

Does anyone know what could trigger this error.

mlogc-error.log (debug)

Version 2.9.5

[admin]

What happens when you use mlogc.exe 2.9.3 with 2.9.5 ?

[abrauer-cpt]

mod_security 2.9.5 with mlogc.exe 2.9.3: same error

[abrauer-cpt]

I think i found the problem.

mlogc.exe includes an regex-pattern to parse the log-lines.

The log-lines between 2.9.3 and 2.9.5 are slightly different. The timestamps are different.
mod_security 2.9.3 timestamp: [12/May/2022:10:59:43 +0200]
mod_security 2.9.5 timestamp: [12/May/2022:10:27:55.867925 +0200]

So the regex-pattern do not match anymore.

I posted this potential error on github SpiderLabs/ModSecurity.

[abrauer-cpt]

Info:
The "new" timestamp format was added in mod_security 2.9.4 with issue #2095 but no one changed the regex pattern in mlogc.

[Steffen]

The log timestamp fix is committted:

https://github.com/SpiderLabs/ModSecurity/pull/2749/commits/f71498ceff32c37228dd20a108f26078dee72885

Please test:

Removed

[abrauer-cpt]

Hello Steffen,

i tested this patch and found cases with negative values within the timestamp.
In this cases the regex-pattern failed.

[30/May/2022:09:27:45.-867925 +0200]

We should add something like "-?" to catch this cases.

[Steffen]

New fix : negative usec on log line when data type long is 32b, see https://github.com/SpiderLabs/ModSecurity/pull/2753


Test at: Download removed

[abrauer-cpt]

Many thanks Steffen,

I tested this patch in our environment and it works without errors. I have an eye on it in the next days.

[Steffen]

Mod_security 2.9.5 Win64 updated with the fix for mlogc,