Hi @websenior,
Do you have a cron job or something deleting the “wflogs” folder at regular intervals?
No absolutely! Just this morning happened with another website, switched to learning mode… I switched on protecting mode again, did a scan, clean some files and, after few minutes, it was on learning mode again…
What can I do?
Most of my websites have the same issue… http://www.ceruttiarredamenti.it the same, in this case it switch each time in learning mode after every page change in back-end…
Hi @websenior
Do you have a caching plugin that is common on these sites?
I suggest monitoring the timestamp of the files created in “wflogs” directory, if you noticed that they are being recreated every couple of minutes or so.. then most probably there is a script running that deletes them (so they got regenerated then deleted again, etc…). If this was the case, you might need to report this issue to your web host.
Thanks.
I have 5 files in /wflogs folder, and 2 of them are updated frequently:
ATTACK-DATA.PHP
CONFIG.PHP
IPS.PHP
Did you refer to these or it’s normal?
Of course, I mean 3 of them
Hi @websenior
Yes, these are the files I meant and it’s normal to notice that they are regularly being updated. The thing is we need to know if they are getting updated or deleted by some how then regenerated again. A good way to find out that would be the following:
– Switch the firewall to “Disabled” on purpose.
– Now, keep watching the (wflogs/config.php) file and note “wafStatus” value for specific. It should read “disabled”, if you noticed that it has been switched to “learning-mode” without your interaction on “Manage Firewall” page, then most probably the file was deleted and regenerated again. Some hosts might detect this file with any scanner they have as a false positive entry and got it deleted by mistake, I suggest reporting this issue to them in this case perhaps they can get it whitelisted.
Thanks.
Hi @wfalaa,
thanks for your support, I finally found the problem, the automatic switching in “learning mode” is caused by Nginx: each website that has the load balancer (Nginx) has the issue, the other 3 website that don’t use Nginx works without any problem in “enabled” mode.
Did you know this incompatibility on Wordfence with Nginx? Is there a work-around?
Hi @websenior
This might not be related to nginx specifically, but to the duplicates of wflogs directories on all the servers behind the load balancer, I wonder if you can set up a shared wflogs folder somewhere using the WFWAF_LOG_PATH constant:
https://www.wordfence.com/help/advanced/constants/
Let me know how it goes,
Thanks.
Hi @wfalaa
I spoke with my ISP and he said me that ALL folder are already shared.. I have a standard configuration with load balancer… don’t know what to do, I think WF is installed on a lot of server like mine with nginx and load balancer…
Hi @websenior
May I know who is your hosting provider? What I think is happening here is that there are multiple “wflogs” directories in your setup, it needs to be one “wflogs” directory only which can be defined with the method I mentioned in my previous reply, could you please recheck this again with your web host?
Thanks.
Hello we use Net-Admin,
an Italian cloud Provide.
Servers are configured as below:
Load Balancer with nginx
3 frontend with apache
Database with mariadb and NFS server
All the website shares the same mount over NFS located on another server. For every webite there is a different linux user and group with the same ID over all the 3 servers. Images and static content is provided from the load balancer without forward to apache.
Thank you very much in advance for your help
Can anybody help me with this problem?
Hi @websenior
Sorry for my late reply, it took some time till I gathered all the information mentioned on this thread and discussed them with our QA team. We concluded that file locking isn’t working on NFS in your case. File locking should work fine in NFS when it’s set up, some hosts might disable some features to improve performance, or their distribution doesn’t have it enabled by default. I suggest letting your hosting provider know about this issue and you can also send them this page as it has some helpful information about how to get file locking working in NFS (check the “Using file locks with NFS” part).
Thanks.
