
Addressing Wallarm Issues Alerted by NGINX Error Log

This article lists common NGINX error log lines related to Wallarm and describes how to fix the corresponding problems.

Each entry below lists the error log line, a description of the cause, and how to fix it.

Error: [error] 5987#5987: wallarm: opendir() [/var/lib/nginx/wallarm//shm] failed (2: No such file or directory)

Description: NGINX tries to read the shared memory file /var/lib/nginx/wallarm/shm, which contains the loaded ruleset as well as other internal data structures, but the file is not present.

How to fix:
  • Ensure that the shm file is present and has the correct permissions. Also ensure that the user NGINX runs as has the required permissions to access the file.
  • If the shm file is not present or is corrupted, restarting the nginx service will redownload the file.

Error: [error] 5741#5741: *4 WALLARM:ACL: unable to open database file. Folder paths: acl "/var/lib/wallarm-acl", mmdb

Description: NGINX tries to read the ACL database files in /var/lib/wallarm-acl, but the directory is not present due to incorrect permissions, or the Wallarm ACL files are not present.

How to fix:
  • Ensure that the ACL files are present and have the correct permissions. Also ensure that the user NGINX runs as has the required permissions to access the files.
  • If the ACL files are not present or are corrupted, restarting the wallarm service will redownload the files. In Ingress you would need to restart the deployment.

Error:
nginx: [emerg] unknown directive "wallarm_mode" in /etc/nginx/nginx.conf:74
nginx: configuration file /etc/nginx/nginx.conf test failed

Description: The Wallarm NGINX dynamic module is not loaded.

How to fix:
  1. Add this line at the top of /etc/nginx/nginx.conf:

    load_module modules/ngx_http_wallarm_module.so;

  2. Restart NGINX.

Error: [error] 1234#1234: *45 connect() failed (111: Connection refused) while connecting to upstream

Description: NGINX (with Wallarm) cannot connect to your upstream app (backend).

How to fix:
  1. Verify the proxy_pass target (IP/port).
  2. Ensure the backend service is running and accessible from the NGINX container/VM.
  3. Test with curl http://backend-ip:port from within the NGINX host.

Error: [error] 1234#1234: *567 client intended to send too large body

Description: Request body exceeds default limits. Wallarm may need the full body for inspection.

How to fix: Increase body and buffer sizes in nginx.conf:
client_max_body_size 100m;
proxy_buffering off;
wallarm_parser_size 100m;

Error: [emerg] "wallarm_mode" directive is not allowed here in /etc/nginx/conf.d/default.conf:35

Description: The Wallarm directive is in the wrong context in the nginx.conf file (e.g., inside http instead of server/location).

How to fix: Place directives correctly: wallarm_mode can go in http, server, or location.

Error: wallarm: Could not send data to the Wallarm Cloud: certificate verify failed

Description: The node cannot establish a secure TLS connection with the Wallarm Cloud, usually due to an issue with SSL certificates.

How to fix:
  • Check System Time: Ensure the host's system time is correct. Incorrect time can cause certificate validation to fail.
  • Check CA Certificates: Verify that the system's root and intermediate CA certificates are up-to-date and correctly configured, allowing the node to trust the Wallarm Cloud certificate.

Error: [error] 65805#65805: wallarm: a message will not be serialized, messages memory limit has reached: 105031171 >= 104857600

Description: Occurs if the traffic filtering module does not have time to send data to the postanalytics module. Messages appear when the data send queue has exceeded 100MB.

How to fix: Increase the memory limit:

  1. In your Wallarm NGINX configuration (/etc/nginx/nginx.conf or wallarm.conf), adjust the parameter: wallarm_max_messages_memory 200m;
  2. Restart NGINX.

Error: [error] 1345#1345: *85502584 wallarm: worker: 1345 overlimit time, client: 1.2.3.4, server: example.com, request: "POST /ws/upload/QB0127 HTTP/1.1", host :"example.com", referrer: "https://example/test123/"

Description: Occurs if the traffic filtering module does not have time to analyze the request within the allocated time. The time limit for parsing one request is set by the directive wallarm_process_time_limit (default 1000ms).

How to fix: Configure the request processing time limit.

Error: wallarm: memory limit allocated for proton.db is exceeded

Description: When errors like this occur in the customer logs, it is sometimes necessary to add memory to Proton.db. The default value is 1GB.

How to fix: Edit /etc/nginx/nginx.conf by adding the following directive (select size as needed):
wallarm_general_ruleset_memory_limit 2g;
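
The error lines listed above, turned into a log triage helper as an added example (not Wallarm tooling and not code from this page): it matches each log line against the messages quoted here and returns the fix named for that message. The rule names, the `triage` function and the sample log are constructed for illustration, and matching any `wallarm_*` directive name generalises the page's `wallarm_mode` case.

```python
import re

# (rule name, pattern taken from a message on this page, fix from the same entry).
# Rule names are hypothetical; "wallarm_\w+" generalises the wallarm_mode case.
RULES = [
    ("shm_missing", r"wallarm: opendir\(\) \[(?P<path>[^\]]+)\] failed",
     "check the shm file and its permissions; restart NGINX"),
    ("acl_db", r"WALLARM:ACL: unable to open database file",
     "check the ACL files and permissions; restart the Wallarm service"),
    ("module_not_loaded", r'unknown directive "wallarm_\w+"',
     "add load_module modules/ngx_http_wallarm_module.so; restart NGINX"),
    ("wrong_context", r'"wallarm_\w+" directive is not allowed here',
     "move the directive to an allowed context"),
    ("cloud_tls", r"Wallarm Cloud: certificate verify failed",
     "check system time and CA certificates"),
    ("queue_full", r"messages memory limit has reached: (?P<used>\d+) >= (?P<limit>\d+)",
     "raise wallarm_max_messages_memory; restart NGINX"),
    ("overlimit_time", r'overlimit time, client: (?P<client>[^,]+), .*?request: "(?P<request>[^"]+)"',
     "configure wallarm_process_time_limit"),
    ("ruleset_memory", r"memory limit allocated for proton\.db is exceeded",
     "raise wallarm_general_ruleset_memory_limit"),
]

def triage(lines):
    """Return one finding per log line that matches a rule (first match wins)."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, rx, fix in RULES:
            m = re.search(rx, line)
            if m:
                finding = {"line": lineno, "rule": name, "fix": fix, **m.groupdict()}
                if name == "queue_full":  # how far the send queue is past its limit
                    finding["over_bytes"] = int(m["used"]) - int(m["limit"])
                findings.append(finding)
                break
    return findings

# Constructed sample: messages quoted on this page plus one unrelated line.
SAMPLE = [
    "[error] 5987#5987: wallarm: opendir() [/var/lib/nginx/wallarm//shm] failed (2: No such file or directory)",
    'nginx: [emerg] unknown directive "wallarm_mode" in /etc/nginx/nginx.conf:74',
    "[error] 65805#65805: wallarm: a message will not be serialized, messages memory limit has reached: 105031171 >= 104857600",
    "[notice] 1#1: start worker processes",
    '[error] 1345#1345: *85502584 wallarm: worker: 1345 overlimit time, client: 1.2.3.4, server: example.com, request: "POST /ws/upload/QB0127 HTTP/1.1", host :"example.com"',
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

To use it on a real log, pass the open error log file to `triage` in place of `SAMPLE`.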