Skip to main content

A tool to manipulate and analyze ModSecurity audit log files.

Project description

The modseclogc is a ModSecurity audit log file manipulation and analysis tool, command-line or python module based.

Installation

$ pip install modseclogc

Examples

View a request by unique ID:

$ modseclogc --match-id VtU2o38AAQEAAEV6AuwAAAAE modsec.log
--fc565b0b-A--
[01/Mar/2016:06:28:51 +0000] VtU2o38AAQEAAEV6AuwAAAAE 127.0.0.1 34882 127.0.0.1 80

[...snip...]

--fc565b0b-Z--

Display request IDs that match a path glob:

$ modseclogc --match-path /path/to/resource/** --show-id modsec.log
VtU2o38AAQEAAEV6Au0AAAAE
VtU2o38AAQEAAEV6AuwAAAAE
VtU2o38AAQEAAEV5BIgAAAAK

Display the request line and the request payload (modsec audit part “C”) of each audit record:

$ modseclogc --show-request-line --show-parts C modsec.log
OPTIONS /path/to/resource HTTP/1.1
GET /path/to/resource HTTP/1.1
POST /path/to/resource HTTP/1.1
--40382b65-C--
query=foo+bar&page=1

GET /path/to/resource HTTP/1.1

Generate a copy of the audit excluding the payloads (modsec audit part “C”) for a specific path glob, and compress the output:

$ zcat modsec_audit.log.gz \
  | modseclogc \
    --match-path /path/to/resource/** --hide-parts C \
    --unmatched keep \
  | gzip -9 > clean-modsec_audit.log.gz

Details

  • By default, all input records are matched. This is modified via the --match-* and --inverse arguments.
  • By default, all unmatched records are dropped. This is modified via the --unmatched argument.
  • Output operations (show, hide, etc) only apply to matched records (note that the --inverse argument inverts the matching algorithm, not this rule).
  • The audit log must be in Native format (see the SecAuditLogFormat modsec option).

Project details


Release history Release notifications

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
modseclogc-0.1.0.tar.gz (23.8 kB) Copy SHA256 hash SHA256 Source None Mar 20, 2016

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page