Re: [mod-security-users] SecAuditLog format different 2.9.x and 3.0
From: Felipe C. <FC...@tr...> - 2018-03-07 20:23:30
Hi Cristiano,

The semantics of both files are the same. My suggestion is to double check the regex that tries to match the index content.

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

From: Cristiano Galdino <cri...@ga...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Wednesday, March 7, 2018 at 11:40 AM
To: "mod...@li..." <mod...@li...>
Subject: [mod-security-users] SecAuditLog format different 2.9.x and 3.0

Hi!

I am using modsecurity 2.9 in apache and modsecurity 3.0 in nginx, both are in the same configuration but the log is in a different format.

My modsecurity.conf:

SecAuditLogParts ABIJDEFGHZ
SecAuditLogType Concurrent
SecAuditLog /var/log/mlog2waffle/mlog2waffle-index
SecAuditLogStorageDir /var/log/mlog2waffle/data

Events in mlog2waffle-index in modsecurity 2.9 (apache):

http://localhost 10.10.10.10 - - [05/Mar/2018:12:33:22 --0300] "POST / HTTP/1.1" 404 926 "-" "-" Wp1jQX8AAQEAAGReP8MAAAAH "-" /20180305/20180305-1233/20180305-123322-Wp1jQX8AAQEAAGReP8MAAAAH 0 2770 md5:608e97823d44086abc1719a930fb90bb

Events in mlog2waffle-index in modsecurity 3.0 (nginx):

127.0.0.1 10.10.10.10 - "GET / HTTP/1.1" 404 0 - "Java/1.8.0_161" 152026763220.574250 - /var/log/mlog2waffle/data/20180305/20180305-1633/20180305-163352-152026763220.574250 0 1303.000000 md5:1a354780659b4213afc79e5185c507a7

So I can not use mlog2waffle because the format log index in 3.0 is not supported.

How can I make modsecurity 3.0 generate the logs in the 2.9.x format?

Regards,
Cristiano Galdino
cri...@ga...
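
An added example, not part of the thread and not mlog2waffle's own code: a tokenizing parser that accepts both index entries quoted above instead of one fixed regex. The field names and the `storage_dir` default are assumptions inferred from the two sample lines and the posted SecAuditLogStorageDir.

```python
import re

# Sample inputs: the two index entries quoted in the thread above.
V2_LINE = ('http://localhost 10.10.10.10 - - [05/Mar/2018:12:33:22 --0300] '
           '"POST / HTTP/1.1" 404 926 "-" "-" Wp1jQX8AAQEAAGReP8MAAAAH "-" '
           '/20180305/20180305-1233/20180305-123322-Wp1jQX8AAQEAAGReP8MAAAAH '
           '0 2770 md5:608e97823d44086abc1719a930fb90bb')
V3_LINE = ('127.0.0.1 10.10.10.10 - "GET / HTTP/1.1" 404 0 - "Java/1.8.0_161" '
           '152026763220.574250 - '
           '/var/log/mlog2waffle/data/20180305/20180305-1633/'
           '20180305-163352-152026763220.574250 0 1303.000000 '
           'md5:1a354780659b4213afc79e5185c507a7')

# A token is a [bracketed] field, a "quoted" field, or a bare word, so spaces
# inside the request line or User-Agent do not shift the later fields.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

def parse_index_line(line, storage_dir="/var/log/mlog2waffle/data"):
    """Parse one index entry in either layout (field names are assumed)."""
    tok = TOKEN.findall(line)
    # The request line is the first quoted token; it anchors both layouts.
    req = next((i for i, t in enumerate(tok) if t.startswith('"')), None)
    if (req is None or req < 2 or len(tok) != req + 11
            or not tok[-1].startswith("md5:")):
        raise ValueError("unrecognised index entry: %r" % line)
    head, tail = tok[:req], tok[req + 1:]
    # 2.9 has a [timestamp] before the request; the 3.0 sample has none.
    stamp = head.pop().strip("[]") if head[-1].startswith("[") else None
    status, sent, referer, agent, uid, session, path, offset, size, digest = tail
    # 3.0 logs the absolute path; 2.9 logs it relative to the storage dir.
    if path.startswith(storage_dir + "/"):
        path = path[len(storage_dir):]
    return {
        "host": head[0], "client": head[1], "timestamp": stamp,
        "request": tok[req].strip('"'), "status": int(status),
        "bytes_sent": int(sent), "referer": referer.strip('"'),
        "user_agent": agent.strip('"'), "unique_id": uid,
        "session_id": session.strip('"'), "file": path,
        "offset": int(offset), "size": int(float(size)),  # 3.0: "1303.000000"
        "hash": digest,
    }
```

The differences it absorbs are the missing timestamp, the single user field, the unquoted "-" placeholders, the absolute file path and the floating-point size in the 3.0 entry.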