Re: [Mod-security-rules] Show GEO DAT in modsec logs
Brought to you by:
victorhora,
zimmerletw
From: Marc C. V. <mar...@gm...> - 2014-08-12 22:19:27
|
Hello, I think you can logging it with audit log from mod security. Logging directives: {code} SecAuditEngine On SecAuditLogParts ABIJDEFHZ SecAuditLogType Serial SecAuditLog /var/log/httpd/modsec_audit.log {code} Rule: {code} SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" "id:'999015',phase:1,t:none,pass,log,auditlog,msg:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{matched_var}'" {code} My apache is rear varnish and I evaluate remote IP from header :X-Forwarded-For, but you can use REMOTE_ADDR instead of REQUEST_HEADERS:X-Forwarded-Fo King regards, Marc On 12 August 2014 20:33, kinomakino <kin...@ho...> wrote: > First, thanks for everything. sorry for my English. > I wonder if there is any way to use IP Geolocation in ModSec logs. > That is, I wish for all my active rules, show me the country code in the > logs. > > Thanks for everything. > now if I do this: > SecGeoLookupDb /home/jmolina/GeoLiteCity.dat > #SecRule REMOTE_ADDR "geoLookup" "phase: 1, id: 13102, t: none, pass, log, > msg: '% {GEO.COUNTRY_CODE}'" > > geolocation to show me ALL connections, including HTTP 200 usually does > not show me. > > > ------------------------------------------------------------------------------ > > _______________________________________________ > Mod-security-rules mailing list > Mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-rules > > -- Marc Cortinas Val 600604388 mar...@gm... |