
ModSecurity Firewall
After installing ModSecurity and enabling it on my cPanel server, I ran into an issue with the installation: an error is logged every time someone tries to access the website. You can check the ModSecurity log at /usr/local/apache/logs/modsec_audit.log; the error message looks like this:
--0573cf77-H--
Message: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
Message: Unable to retrieve collection (name "ip", key "178.96.240.121_473fc696e740998959e00a625352d6ed44ea9452"). Use SecDataDir to define data directory first.
Stopwatch: 1331321416651514 897 (- - -)
Stopwatch2: 1331321416651514 897; combined=286, p1=273, p2=4, p3=0, p4=1, p5=8, sr=88, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); core ruleset/2.2.1.
Server: Apache
How to Resolve ModSecurity Error: Unable to retrieve collection (name "global", key "global")?
After searching for this issue, I found a simple solution: follow the suggestion given in the error message itself. SecDataDir is the directory where ModSecurity stores its persistent collections (such as the "global" and "ip" collections named in the log), and ModSecurity requires it to be defined before it is enabled. You can resolve the "Unable to retrieve collection" error by following this short guide.
Open your ModSecurity config file; in my case it is located at /etc/httpd/conf/modsec2.conf:
nano /etc/httpd/conf/modsec2.conf
Add this line to the config file, after <IfModule mod_security2.c> and before </IfModule>.
SecDataDir /tmp
Save it!
Restart the Apache process:
/etc/init.d/httpd restart
Recheck your error log file to ensure that no new errors have occurred.
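The shell functions below are an added example, not part of the original post. They read the SecDataDir value from a config file, flag a directory that is missing or world-writable (as /tmp normally is, so any local account can create files next to the collection data), and count the collection errors still present in an audit log. The function names and return codes are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ModSecurity SecDataDir
# setting and confirm the collection errors have stopped.

# Print the last active (uncommented) SecDataDir value in config file $1.
# Directive names are case-insensitive; surrounding quotes are stripped.
get_secdatadir() {
    awk 'tolower($1) == "secdatadir" { v = $2 }
         END { gsub(/"/, "", v); print v }' "$1"
}

# Return codes (chosen for this example):
#   0 ok, 1 directive missing, 2 directory missing, 3 world-writable
check_secdatadir() {
    dir=$(get_secdatadir "$1")
    if [ -z "$dir" ]; then
        echo "FAIL: no SecDataDir defined in $1"; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist"; return 2
    fi
    # In `ls -ld` output the 9th character is the "other" write bit.
    case $(ls -ldL "$dir") in
        ????????w*)
            echo "WARN: $dir is world-writable; use a dedicated directory" \
                 "writable only by the web server user"
            return 3 ;;
    esac
    echo "OK: $dir"
}

# Count audit-log lines in $1 that still report the missing data directory.
count_collection_errors() {
    grep -c 'Unable to retrieve collection' "$1" || true
}

# Usage: sh script.sh <modsec config> <audit log>
if [ "$#" -eq 2 ]; then
    check_secdatadir "$1"
    echo "collection errors in log: $(count_collection_errors "$2")"
fi
```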
ModSecurity Overview
ModSecurity is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, Trustwave's SpiderLabs is providing a free certified rule set for ModSecurity 2.x. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the Core Rules provide generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow them to be used as a step-by-step deployment guide for ModSecurity.