Logging issue

Hi,

That error is sent by the firewall if it cannot find the ‘/cache/livelog.php’ file.

Can you try this:
1) Delete the livelog.php file.
2) Go to the Live Log page and wait a couple of seconds.
3) Check if a new the livelog.php file was created.

Thanks for the quick reply.

I deleted livelog.php.
It does get recreated when I look at Live Log
It remains at 0 bytes and I still get the “Error: cannot find your log file. Try to reload this page” message.
Permissions on the file: 644

Can you try to edit the ‘/ninjafirewall/lib/firewall.php’ script?
Line 316 (see here), look for:

header('HTTP/1.0 503 Service Unavailable');

Replace the ‘503’ with ‘403’:

header('HTTP/1.0 403 Service Unavailable');

Then go back to the Live Log menu and see if you still get the same message or a new one referring to the 403 status code.

Afterward, do not forget to undo the change to the firewall.php script.

No luck. I made the change from 503 -> 403, but no difference in the Live Log:

No traffic yet, please wait…
Error: cannot find your log file. Try to reload this page.
Error: cannot find your log file. Try to reload this page.
…etc.

That means that your server (or .htaccess) is returning a 503 error. When NinjaFirewall cannot retrieve the log, it also returns a 503 error and AJAX, which is used to display the log to you, knows that it means it cannot find the log (hence the “cannot find your log file” message).
In your test, the firewall sends a different code (403) but AJAX still shows the same message.
You would need to find why/what returns that 503 error. Maybe you could have a look at your HTTP server log and check the lines that match that error?

OK…I went in and disabled all the .htaccess hardening put in place by the Sucuri plugin. The Live Log now works. But…

I have NFW installed on two websites. One is at the www root, but another is in a subdirectory (‘www/second-site’). The second site has its own domain name. The php.ini file is in ‘www’.

What I’m seeing is that Live Log works now on both sites, but shows traffic happening on both sites. However. “Firewall Log” only works on the ‘www/second-site’, but it logs everything, including what’s happening in the primary site in ‘www’.

I’m now assuming that two installations of NFW within a single diretory structure is not a good thing, or at least not very efficient, even if the sites are independent of each other?

Normally, you should have 2 INI files: www/php.ini and www/second-site/php.ini (or .user.ini).
The second one should override the directive from the one in the parent directory. Unless your host allows you to have only one php.ini, in your document root.
Can you try to upload this test.php script into the www/second-site/ directory?

<?php
echo ini_get('auto_prepend_file');
?>

Try to run it from:
1) the second site domain: http:/ /secondsite/test.php
2) the main site: http:/ /mainsite/second-site/test.php

It will output which firewall.php script is loaded.

running https://www.secondsite.com/test.php:
public_html/second-site/wp-content/plugins/ninjafirewall/lib/firewall.php

running https://www.primarysite.com/secondsite/test.php
public_html/second-site/wp-content/plugins/ninjafirewall/lib/firewall.php

I put test.php in the root directory.
running https://www.primarysite.com/test.php
public_html/second-site/wp-content/plugins/ninjafirewall/lib/firewall.php

It seems to point to the second installation in all cases.

Where are located the 2 PHP INI files?

php.ini is only in the root directory.

You need 2 PHP INI:

1) one in the root folder: the auto_prepend_file directive must point to the firewall.php script from the main domain.
E.g.: public_html/wp-content/plugins/ninjafirewall/lib/firewall.php

2) one in the subfolder: the auto_prepend_file directive must point to the firewall.php script installed in that subfolder.
E.g.: public_html/second-site/wp-content/plugins/ninjafirewall/lib/firewall.php

OK. I’ve created a second php.ini in the second-site directory. Still no changes in behaviour, but it’s early yet. I’ll report back in 24 hours to see if Apache picks up the new php.ini.

You may also try to rename the “php.ini” to “.user.ini” in the subfolder.

Aha! It seems that renaming the second-site php.ini to .user.ini did the trick. I tested both sites with bogus GETs and each installation seems to only be responding to attacks on the correct domains. Logging and LiveLog is also displaying as expected. If there are no further issues in 24 hours, I’ll come back and mark as resolved.

The NFW installations on the two sites appear to be functioning independently as expected. I installed NFW on a third sub-site using the .user.ini to point to that installation, and it too is behaving normally. Marking as resolved.