Re: [mod-security-users] audit log header analysis
From: Ivan R. <iva...@gm...> - 2008-12-30 14:16:48
Hi,

On Tue, Dec 30, 2008 at 1:59 PM, Ioannis Angelopoulos <it...@gm...> wrote:
> Dear All,
>
> Greetings from Greece. I am a newbie in mod_security 2.x so please bear with
> me...
> I am trying to understand in detail the different audit log parts.
> For example in my log file I have:
>
> --b1820656-A--
> [29/Dec/2008:23:12:29 +0100] xU3lkMMYTucAAGNDUFwAAAAY 85.114.141.195 2703
> 197.24.69.139 80
>
> What do all these parts mean? What are the two IP addresses and what does the
> number between them represent?

The tokens on that line are as follows:

1. Timestamp
2. Unique transaction ID
3. Remote IP address
4. Remote port
5. Local IP address
6. Local port

> I tried to search for it in the manual but all it says is that the A part is
> the audit log header and that is mandatory. It also explains the
> --b1820656-A-- part but not what is inside (at least I could not find it).
>
> Is there any extensive documentation on the log format, what the different
> parts mean and if we can modify them ?

Yes, there is. I updated that part of the documentation just a few
weeks ago. It's a separate document and is available in the
repository:

http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/doc/modsecurity2-data-formats.xml?revision=1250

I imagine it will be available as a PDF in one of the future releases.

> It is very important for me as some IPs are asking for some weird things
> from my server.
>
> I thank you all so much for your help
>
> Best regards to all
> Ioannis

--
Ivan Ristic
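The six-token layout listed in the reply, as an added example that is not part of the original thread or the ModSecurity code base: a small Python parser that finds each part A boundary in a serial audit log and splits the header line that follows it. The function names are hypothetical, and the sample log is constructed from the line quoted above (joined back onto one line, with a closing Z boundary added).

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Boundary such as "--b1820656-A--": audit-log id, then the part letter.
BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
# Part A: [timestamp] unique-id remote-ip remote-port local-ip local-port
HEADER = re.compile(r"^\[([^\]]+)\]\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")

def parse_header(line):
    """Split one part A header line into its six tokens (hypothetical helper)."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a part A header: %r" % line)
    ts, txid, rip, rport, lip, lport = m.groups()
    rport, lport = int(rport), int(lport)
    if rport > 65535 or lport > 65535:
        raise ValueError("port out of range in: %r" % line)
    return {
        "timestamp": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "transaction_id": txid,
        "remote_ip": str(ip_address(rip)),   # raises ValueError if malformed
        "remote_port": rport,
        "local_ip": str(ip_address(lip)),
        "local_port": lport,
    }

def iter_headers(lines):
    """Yield (boundary_id, header) for every part A found in the log lines."""
    pending = None
    for raw in lines:
        line = raw.strip()
        b = BOUNDARY.match(line)
        if b:
            # Only the line after an "A" boundary is the audit log header.
            pending = b.group(1) if b.group(2) == "A" else None
        elif pending and line:
            yield pending, parse_header(line)
            pending = None

# Constructed sample: the header quoted in the thread, on a single line.
SAMPLE = """--b1820656-A--
[29/Dec/2008:23:12:29 +0100] xU3lkMMYTucAAGNDUFwAAAAY 85.114.141.195 2703 197.24.69.139 80
--b1820656-Z--
"""

if __name__ == "__main__":
    for boundary_id, header in iter_headers(SAMPLE.splitlines()):
        print(boundary_id, header)
```
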