Re: [mod-security-users] tying log entries to rules
From: Tom A. <tan...@oa...> - 2005-04-21 16:01:08
----- Original Message ----- From: "Ivan Ristic" <iv...@we...>

>> 1) are there any tools for monitoring the audit logs, since the output
>> per hit is multi-line the normal approach of "grep"ing is not effective.
>> For example my logs are overwhelmingly phpBB exploit attempts (a bot is
>> doing the rounds) the noise from this in the logs is making it very
>> difficult to track down other "hits"
>
> Not at the moment. In May work will begin on a web-based console to
> track the audit entries. Since for that I need to build a (Perl)
> parser I am likely to make it usable from the command line too.

Here's a little something I threw together:

http://orderamidchaos.com/modsec/modsec_auditlog_parser

Use it like this:

./modsec_auditlog_parser < /var/log/apache2/modsec_audit_log | less

Maybe it will solve the current problem of weeding through entries, and maybe it will help serve as the basis of a more in-depth parser. Right now it just grabs a few scraps of info (user agent, message, action) and sums them over domains.

BTW, I'm running version 1.7.6, so I don't know if the log has changed at all since then. Let me know if you'd like me to do any tweaking for you.

Tom
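The kind of summary Tom describes (pull the user agent, mod_security-message and mod_security-action out of each multi-line audit entry and total them per Host), written out as an added Python example. This is not Tom's Perl script and not part of the original thread; it is editor-added illustration code. It assumes the ModSecurity 1.x audit log layout (entries opened by a line of "=" characters, a "Request:" line, a "-" separator, then the raw request headers with the two mod_security-* headers inserted among them); the sample log below is constructed to match that assumed layout. The optional `exclude` regex is an addition aimed at the phpBB-noise problem raised in the quoted question: entries whose message matches it are dropped before counting.

```python
#!/usr/bin/env python3
"""Summarise ModSecurity 1.x-style audit log entries per Host (added example)."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample input in the assumed ModSecurity 1.x audit log layout.
SAMPLE_LOG = """\
========================================
Request: 10.0.0.5 - - [21/Apr/2005:15:02:11 +0000] "GET /phpBB2/viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 403 0
Handler: php-script
----------------------------------------
GET /phpBB2/viewtopic.php?t=1&highlight=%2527 HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
mod_security-message: Access denied with code 403. Pattern match "highlight=%2527" at THE_REQUEST
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Type: text/html

--------------------------------------------------------------------------------
========================================
Request: 10.0.0.9 - - [21/Apr/2005:15:04:37 +0000] "GET /forum/viewtopic.php?t=7&highlight=%2527 HTTP/1.1" 403 0
Handler: php-script
----------------------------------------
GET /forum/viewtopic.php?t=7&highlight=%2527 HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Linux)
mod_security-message: Access denied with code 403. Pattern match "highlight=%2527" at THE_REQUEST
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Type: text/html

--------------------------------------------------------------------------------
========================================
Request: 10.0.0.7 - - [21/Apr/2005:15:05:02 +0000] "GET /cgi-bin/view.cgi?file=/etc/passwd HTTP/1.1" 403 0
Handler: cgi-script
----------------------------------------
GET /cgi-bin/view.cgi?file=/etc/passwd HTTP/1.1
Host: blog.example.org
User-Agent: curl/7.12.1
mod_security-message: Access denied with code 403. Pattern match "/etc/passwd" at THE_REQUEST
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Type: text/html

--------------------------------------------------------------------------------
"""

ENTRY_SEP = re.compile(r"^=+\s*$", re.MULTILINE)          # line of '=' opens an entry
HEADER = re.compile(r"^(?P<name>[A-Za-z0-9_-]+):\s*(?P<value>.*)$")


def split_entries(text):
    """Split the raw log into one string per audit entry (empty chunks dropped)."""
    return [part.strip() for part in ENTRY_SEP.split(text) if part.strip()]


def parse_entry(block):
    """Pick the few fields of interest out of one multi-line entry."""
    fields = {"host": "-", "user_agent": "-", "message": "-", "action": "-", "request": "-"}
    for line in block.splitlines():
        if line.startswith("Request:"):
            quoted = re.search(r'"([^"]*)"', line)   # the quoted request line
            if quoted:
                fields["request"] = quoted.group(1)
            continue
        m = HEADER.match(line)
        if not m:
            continue                                 # separators, request/status lines
        name, value = m.group("name").lower(), m.group("value").strip()
        if name == "host":
            fields["host"] = value.lower()
        elif name == "user-agent":
            fields["user_agent"] = value
        elif name == "mod_security-message":
            fields["message"] = value
        elif name == "mod_security-action":
            fields["action"] = value
    return fields


def summarize(text, exclude=None):
    """Return {host: {hits, messages, actions, user_agents}}; `exclude` is an
    optional regex that drops entries whose mod_security-message matches it."""
    drop = re.compile(exclude) if exclude else None
    per_domain = defaultdict(lambda: {"hits": 0, "messages": Counter(),
                                      "actions": Counter(), "user_agents": Counter()})
    for block in split_entries(text):
        entry = parse_entry(block)
        if drop and drop.search(entry["message"]):
            continue
        stats = per_domain[entry["host"]]
        stats["hits"] += 1
        stats["messages"][entry["message"]] += 1
        stats["actions"][entry["action"]] += 1
        stats["user_agents"][entry["user_agent"]] += 1
    return dict(per_domain)


def format_report(summary):
    """Render the per-host totals as plain text, most-hit hosts first."""
    lines = []
    for host, stats in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        lines.append(f"{host}: {stats['hits']} hit(s)")
        for label in ("messages", "actions", "user_agents"):
            for value, n in stats[label].most_common():
                lines.append(f"  {n:5d}  {label[:-1]}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: ./this.py [exclude-regex] < /var/log/apache2/modsec_audit_log | less
    pattern = sys.argv[1] if len(sys.argv) > 1 else None
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(format_report(summarize(data, exclude=pattern)))
```

Run with no stdin to see the constructed sample summarised; pass a regex such as `'highlight=%2527'` as the first argument to hide the phpBB bot traffic and leave only the other hits in the report.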