Re: [mod-security-users] Use of Modsec variable in apache access log
From: <az...@po...> - 2022-03-24 04:19:44
Hi Homesh,

if all you need is to distinguish between blocked/passed requests then what about using a different HTTP code used by modsecurity for blocking? There are lots of HTTP codes which can fit. You can set it using SecDefaultAction.

azurit

Quoting homesh joshi <ho...@gm...>:

> Dear Christian,
>
> Thanks for the clarification.
> I have already gone through excellent netnea.com tutorials. I have already
> used some of the configuration from tutorial. I do not use crs.
> My objective here is that I want to get a flag in access log line if modsec
> has taken any action on the transaction say simply it can be a field like
> modsec=1 or modsec=0. This will help me in separating transactions which are
> allowed.(modsec=0) So then it is easy to show these transactions in the
> reporting system.
>
> Kindly suggest.
>
> Thanks,
> Homesh
>
> On Thu, 24 Mar, 2022, 12:04 am Christian Folini, <
> chr...@ne...> wrote:
>
>> Hello Homesh,
>>
>> Unfortunately, this is not how this works.
>>
>> A ModSecurity variable is not automatically an environment variable.
>> And on top, the ModSec variable "rule" is only available during the
>> execution of the very rule (and there might be many, many rules).
>>
>> I suggest you read up on my free tutorials published at netnea.com.
>> The one on logging and the ones on the Core Rule Set are proposing
>> ways to achieve something along these lines.
>>
>> Best,
>>
>> Christian
>>
>>
>> On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote:
>> > Hi All,
>> >
>> > Hope you all are well.
>> >
>> > I want to add the modsecurity variable e.g "rule.id" in the apache access
>> > log via the extended format.
>> > I set the following line in /etc/apache2/apache.conf
>> >
>> > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"
>> > %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
>> >
>> > However I am not getting the rule.id value in the access log line.
>> >
>> > Kindly suggest.
>> >
>> > Thanks,
>> > Homesh
>>
>> > _______________________________________________
>> > mod-security-users mailing list
>> > mod...@li...
>> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> > http://www.modsecurity.org/projects/commercial/rules/
>> > http://www.modsecurity.org/projects/commercial/support/
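
An added example, not part of the thread and not code from any of its participants: a parser for the "extended" LogFormat quoted above that derives the requested modsec=1/0 flag from the response status, following the SecDefaultAction suggestion. The status 406, the function names and the sample lines are assumptions made for illustration, and the flag is only reliable if nothing else on the site returns that status.

```python
import re
from collections import Counter

# Assumption: ModSecurity blocks with a status nothing else on the site
# returns, e.g.  SecDefaultAction "phase:2,log,auditlog,deny,status:406"
BLOCK_STATUS = 406

# Mirrors the "extended" LogFormat quoted in the thread. Apache writes a
# literal quote inside a logged string as \" so quoted fields allow escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
    + QUOTED + ' ' + QUOTED + r' (\S+) (\S+) (\S+) (\S+)(?: (\S+))?$'
)
FIELDS = ("host", "ident", "user", "time", "request", "status", "bytes",
          "referer", "agent", "ms", "port", "vhost", "unique_id", "rule_id")

def tag_line(line, block_status=BLOCK_STATUS):
    """Parse one access-log line and add modsec=1/0; None if unparsable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec["status"] = int(rec["status"])
    rec["modsec"] = 1 if rec["status"] == block_status else 0
    return rec

def summarize(lines, block_status=BLOCK_STATUS):
    """Count blocked, passed and unparsable lines for the reporting system."""
    counts = Counter()
    for line in lines:
        rec = tag_line(line, block_status)
        key = "unparsed" if rec is None else ("blocked" if rec["modsec"] else "passed")
        counts[key] += 1
    return dict(counts)

# Constructed sample lines (not from the thread); the last field is "-"
# because %{rule.id}e is not an environment variable, as the thread explains.
SAMPLE = [
    '203.0.113.7 - - [24/Mar/2022:04:19:44 +0000] "GET / HTTP/1.1" 200 5120 '
    '"-" "curl/7.81.0" 12 443 www.example.com YjvXkH8AAQEAAC1mZ2QAAAAB -',
    '203.0.113.9 - - [24/Mar/2022:04:19:45 +0000] "GET /?q=\\"x\\" HTTP/1.1" 406 199 '
    '"-" "Mozilla/5.0" 3 443 www.example.com YjvXkX8AAQEAAC1mZ2QAAAAC -',
    'truncated line',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```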