Hi Ebrahim,

Thanks for your feedback. There was a problem in the ModSecurity timestamp math and it was changed in 2.6.3.

Any chance you could send me a patch?



On Mon, Jan 2, 2012 at 9:41 AM, Ebrahim Khalilzadeh <khalilzadeh@aut.ac.ir> wrote:

Due to some problems with piping mlogc with Apache, I decided to use mlogc-batch-load.pl on crontab. I installed modsecurity-apache_2.6.2 and it works correctly and generates audit log files like this:

[01/Jan/2012:15:11:28 +031800] 8lbP5n8AAAIAABL0J7gAAAAD 22409 80
GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1

Then I ran mlogc-batch-load.pl, but it couldn't send the audit logs to AuditConsole and generated an error like this:

[Mon Jan 02 17:41:33 2012] [2] [28961/80d4e50] Invalid entry (failed to match regex): waf - - - - \"GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1\" 500 602 \"-\" \"-\" - \"-\" /20120102/20120102-1714/20120102-171401-xm8Xqn8AAAIAAG9lIs8AAAAD 0 1653 md5:e7fe62f1bf231a6993e5623a7b872b61

I installed modsecurity-apache_2.6.3 and it generated audit log files like this:

[02/Jan/2012:17:14:01 +0330] xm8Xqn8AAAIAAG9lIs8AAAAD 36872 80
GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1

I ran mlogc-batch-load.pl and the same error was generated.

I found out that mlogc-batch-load.pl couldn't parse these audit logs correctly, and fortunately I could find the line that has this problem, which is:

if ($sect eq 'A') {
    if ($line =~ m%^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {

The regular expression for matching my audit logs is not correct. My audit logs have a time field like [01/Jan/2012:15:11:28 +031800] for v2.6.2 and [02/Jan/2012:17:14:01 +0330] for v2.6.3, neither of which matches \[[-\d/: a-zA-Z]{27}\]. I changed the line above to the one below and the audit logs were sent correctly:

if ($sect eq 'A') {
    #if ($line =~ m%^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {
    if ($line =~ m%^(\[[^:]+:\d+:\d+:\d+ [^\]]+\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {

Is it a bug in the mlogc-batch-load.pl file or a problem with my system date/time?

Best Regards,



mod-security-developers mailing list
ModSecurity Services from Trustwave's SpiderLabs: