A user running cPanel/WHM on the server does not see any blocks of activity under the ModSec section in WHM while using LiteSpeed. After switching to Apache, the blocks coming in begin to be logged.
Testing has shown that mod_security is hit and a 403 error is returned under LSWS. So, it seems that mod_security works fine on both Apache and LSWS, and that the problem is only with the logging. Why?
There are two mod_security log modes: Concurrent and Serial.
SecAuditLogType Concurrent
or
SecAuditLogType Serial
Apache supports both modes while LSWS only supports Serial Audit log mode.
In the above example, the mode is set to Concurrent
, and so Apache uses that logger mode, but under LiteSpeed cPanel is looking for another log to populate the “ModSecurity Tools” entries.
To fix the problem and get LiteSpeed Web Server logging, turn off the mod_security concurrent logger configuration and change it to serial mode.