Re: [Mod-security-rules] Show GEO DAT in modsec logs

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hello,

 I think you can logging it with audit log from mod security.
 Logging directives:
{code}
    SecAuditEngine On
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
{code}

 Rule:
{code}
SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup"
"id:'999015',phase:1,t:none,pass,log,auditlog,msg:'IP Country is:
%{geo.country_code} and X-Forwarded-For is: %{matched_var}'"
{code}

My apache is rear varnish and I evaluate remote IP from header
:X-Forwarded-For, but you can use REMOTE_ADDR instead of
REQUEST_HEADERS:X-Forwarded-Fo

King regards,
Marc


On 12 August 2014 20:33, kinomakino <kin...@ho...> wrote:

>  First, thanks for everything. sorry for my English.
> I wonder if there is any way to use IP Geolocation in ModSec logs.
> That is, I wish for all my active rules, show me the country code in the
> logs.
>
> Thanks for everything.
> now if I do this:
> SecGeoLookupDb /home/jmolina/GeoLiteCity.dat
> #SecRule REMOTE_ADDR "geoLookup" "phase: 1, id: 13102, t: none, pass, log,
> msg: '% {GEO.COUNTRY_CODE}'"
>
> geolocation to show me ALL connections, including HTTP 200 usually does
> not show me.
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Mod-security-rules mailing list
> Mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-rules
>
>


-- 
Marc Cortinas Val
600604388
mar...@gm...