modseclogc 0.1.0

A tool to manipulate and analyze ModSecurity audit log files.

The modseclogc is a ModSecurity audit log file manipulation and analysis tool, command-line or python module based.

Project

• Homepage: https://github.com/metagriffin/modseclogc

• Bugs: https://github.com/metagriffin/modseclogc/issues

Installation

$ pip install modseclogc

Examples

View a request by unique ID:

$ modseclogc --match-id VtU2o38AAQEAAEV6AuwAAAAE modsec.log
--fc565b0b-A--
[01/Mar/2016:06:28:51 +0000] VtU2o38AAQEAAEV6AuwAAAAE 127.0.0.1 34882 127.0.0.1 80

[...snip...]

--fc565b0b-Z--

Display request IDs that match a path glob:

$ modseclogc --match-path /path/to/resource/** --show-id modsec.log
VtU2o38AAQEAAEV6Au0AAAAE
VtU2o38AAQEAAEV6AuwAAAAE
VtU2o38AAQEAAEV5BIgAAAAK

Display the request line and the request payload (modsec audit part “C”) of each audit record:

$ modseclogc --show-request-line --show-parts C modsec.log
OPTIONS /path/to/resource HTTP/1.1
GET /path/to/resource HTTP/1.1
POST /path/to/resource HTTP/1.1
--40382b65-C--
query=foo+bar&page=1

GET /path/to/resource HTTP/1.1

Generate a copy of the audit excluding the payloads (modsec audit part “C”) for a specific path glob, and compress the output:

$ zcat modsec_audit.log.gz \
  | modseclogc \
    --match-path /path/to/resource/** --hide-parts C \
    --unmatched keep \
  | gzip -9 > clean-modsec_audit.log.gz

Details

• By default, all input records are matched. This is modified via the --match-* and --inverse arguments.

• By default, all unmatched records are dropped. This is modified via the --unmatched argument.

• Output operations (show, hide, etc) only apply to matched records (note that the --inverse argument inverts the matching algorithm, not this rule).

• The audit log must be in Native format (see the SecAuditLogFormat modsec option).