A tool to manipulate and analyze ModSecurity audit log files.
Project description
modseclogc is a command-line tool and Python module for manipulating and analyzing ModSecurity audit log files.
Installation
$ pip install modseclogc
Examples
View a request by unique ID:
$ modseclogc --match-id VtU2o38AAQEAAEV6AuwAAAAE modsec.log
--fc565b0b-A--
[01/Mar/2016:06:28:51 +0000] VtU2o38AAQEAAEV6AuwAAAAE 127.0.0.1 34882 127.0.0.1 80
[...snip...]
--fc565b0b-Z--
Display request IDs that match a path glob:
$ modseclogc --match-path /path/to/resource/** --show-id modsec.log
VtU2o38AAQEAAEV6Au0AAAAE
VtU2o38AAQEAAEV6AuwAAAAE
VtU2o38AAQEAAEV5BIgAAAAK
Display the request line and the request payload (modsec audit part “C”) of each audit record:
$ modseclogc --show-request-line --show-parts C modsec.log
OPTIONS /path/to/resource HTTP/1.1
GET /path/to/resource HTTP/1.1
POST /path/to/resource HTTP/1.1
--40382b65-C--
query=foo+bar&page=1
GET /path/to/resource HTTP/1.1
Generate a copy of the audit excluding the payloads (modsec audit part “C”) for a specific path glob, and compress the output:
$ zcat modsec_audit.log.gz \
| modseclogc \
--match-path /path/to/resource/** --hide-parts C \
--unmatched keep \
| gzip -9 > clean-modsec_audit.log.gz
Details
By default, all input records are matched. This is modified via the --match-* and --inverse arguments.
By default, all unmatched records are dropped. This is modified via the --unmatched argument.
Output operations (show, hide, etc.) only apply to matched records (note that the --inverse argument inverts the matching algorithm, not this rule).
The audit log must be in Native format (see the SecAuditLogFormat modsec option).
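To make the Native format and the matching rules above concrete, here is a small parser added for this page; it is not modseclogc's own code or module API. The two-record sample is constructed, the parser assumes a well-formed A..Z record sequence, and the path glob is assumed to follow Python's fnmatch rules (the tool's own glob semantics are not documented above).

```python
import fnmatch
import re
# Constructed sample in ModSecurity "Native" audit format (two records, parts A..Z).
SAMPLE = """--fc565b0b-A--
[01/Mar/2016:06:28:51 +0000] VtU2o38AAQEAAEV6AuwAAAAE 127.0.0.1 34882 127.0.0.1 80
--fc565b0b-B--
POST /path/to/resource HTTP/1.1
--fc565b0b-C--
query=foo+bar&page=1
--fc565b0b-Z--

--a1b2c3d4-A--
[01/Mar/2016:06:29:02 +0000] VtU2o38AAQEAAEV5BIgAAAAK 127.0.0.1 34890 127.0.0.1 80
--a1b2c3d4-B--
GET /other/thing HTTP/1.1
--a1b2c3d4-Z--
"""
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")

def parse_records(text):
    """Return [(boundary_id, {part_letter: [lines]})], one entry per A..Z record."""
    records, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            bid, part = m.groups()
            if part == "A":            # part A opens a new record
                current = (bid, {})
            elif part == "Z":          # part Z terminates it and carries no content
                records.append(current)
                current = None
            continue
        if current is not None:
            current[1].setdefault(part, []).append(line)
    return records
def unique_id(rec):
    # Part A: "[timestamp] unique_id client_ip client_port server_ip server_port"
    return rec[1]["A"][0].split("] ", 1)[1].split()[0]
def matches(rec, match_id=None, match_path=None):
    """True when the record satisfies every given criterion (cf. --match-id, --match-path)."""
    path = rec[1]["B"][0].split()[1]   # first line of part B: METHOD PATH HTTP/x.y
    return ((match_id is None or unique_id(rec) == match_id) and
            (match_path is None or fnmatch.fnmatch(path, match_path)))
def render(rec, hide_parts=()):
    """Re-emit the record in Native format minus the given parts (cf. --hide-parts C)."""
    bid, parts = rec
    kept = [k for k in sorted(parts) if k not in hide_parts]
    out = [line for k in kept for line in [f"--{bid}-{k}--", *parts[k]]]
    return "\n".join(out + [f"--{bid}-Z--"]) + "\n"
```

Applying `render(rec, hide_parts="C")` to each record that `matches()` reproduces the "strip payloads for a path glob" pipeline from the Examples section, with unmatched records dropped or re-emitted unchanged depending on the --unmatched policy you want.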