Re: [mod-security-users] Use of Modsec variable in apache access log
From: Christian F. <chr...@ne...> - 2022-03-24 06:19:12
Hi there,

On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote:
> Thanks for the clarification.
> I have already gone through excellent netnea.com tutorials. I have already
> used some of the configuration from tutorial. I do not use crs.

Thank you very much.

> My objective here is that I want to get a flag in access log line if modsec
> has taken any action on the transaction say simply it can be a field like
> modsec=1 or modsec=0. This will help me in separating transactions which are
> allowed (modsec=0). So then it is easy to show these transactions in the
> reporting system.

I'd do a setenv then in the rules.

... "setenv:modsec=1"

Similar to the way I set the various env variables in phase 5.

You can simply add this to every rule you have. Or you set up a more
complicated scheme and do it in the end in phase 5.

Best,

Christian

>
> Kindly suggest.
>
> Thanks,
> Homesh
>
> On Thu, 24 Mar, 2022, 12:04 am Christian Folini, <
> chr...@ne...> wrote:
>
> > Hello Homesh,
> >
> > Unfortunately, this is not how this works.
> >
> > A ModSecurity variable is not automatically an environment variable.
> > And on top, the ModSec variable "rule" is only available during the
> > execution of the very rule (and there might be many, many rules).
> >
> > I suggest you read up on my free tutorials published at netnea.com.
> > The one on logging and the ones on the Core Rule Set are proposing
> > ways to achieve something along these lines.
> >
> > Best,
> >
> > Christian
> >
> >
> > On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote:
> > > Hi All,
> > >
> > > Hope you all are well.
> > >
> > > I want to add the modsecurity variable e.g. "rule.id" in the apache access
> > > log via the extended format.
> > > I set the following line in /etc/apache2/apache.conf
> > >
> > > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"
> > > %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
> > >
> > > However I am not getting the rule.id value in the access log line.
> > >
> > > Kindly suggest.
> > >
> > > Thanks,
> > > Homesh
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/
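
The setenv approach suggested in the reply, written out as an added example that is not part of the original thread or of the netnea.com tutorials. It assumes ModSecurity 2.x embedded in Apache httpd on a Debian-style layout; the rule ids, the sample match condition, the default `modsec=0` rule and the `CustomLog` path are constructed for illustration.

```apache
# Added illustration, not configuration from the thread.
# Rule ids 10000/10001 and the sample match are constructed placeholders.

# Default for every transaction. Placed as the first rule in phase 1 so the
# field is always populated; an unset environment variable is logged as "-".
SecAction "id:10000,phase:1,pass,nolog,setenv:modsec=0"

# Every rule that takes an action on the transaction overrides the default.
# setenv is a non-disruptive action and is executed whenever the rule matches.
SecRule REQUEST_URI "@contains /constructed-example" \
    "id:10001,phase:1,deny,status:403,log,\
    msg:'Constructed sample rule',\
    setenv:modsec=1"

# ModSecurity variables such as rule.id are not Apache environment variables,
# so %{rule.id}e has nothing to read. %{modsec}e reads the variable that the
# rules above export through setenv.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e modsec=%{modsec}e" extended

# Assumed Debian-style log location; adjust to the local layout.
CustomLog ${APACHE_LOG_DIR}/access.log extended
```

With this in place each access log line ends in `modsec=0` or `modsec=1`, and `%{UNIQUE_ID}e` ties a flagged line back to the matching entry in the ModSecurity audit or error log.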