caleb racey wrote:
> Hello
>
>
> Kudos on an excellent module and kudos to ivan on the excellent o'reilly
> apache security book.
Thanks!
> When monitoring the server logs, I have two questions:
>
> 1) Are there any tools for monitoring the audit logs? Since the output
> per hit is multi-line, the normal approach of "grep"ing is not effective.
> For example, my logs are overwhelmingly phpBB exploit attempts (a bot is
> doing the rounds); the noise from this in the logs is making it very
> difficult to track down other "hits".
Not at the moment. In May work will begin on a web-based console to
track the audit entries. Since for that I need to build a (Perl)
parser I am likely to make it usable from the command line too.
BTW, you don't have to grep access_logs either. Have a look at
the logscan utility: http://www.apachesecurity.net/tools
> 2) Is there any way to tie down a "hit" to the rule that caught it? Once
> I have identified false positives, it is difficult to track down the rule
> causing them. It would be useful if the log would give some form of rule
> identifier for which rule caused the match.
There is, since yesterday, if you are not afraid to deploy 1.9dev2.
I've just added three more actions: id, msg, severity. They are
just plain text fields that will appear in the error message created
by a rule.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
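A small parser of the kind the reply describes (splitting the multi-line audit log into entries and reading the new id/msg/severity fields), added here as an example; it is not Ivan's Perl tool or any ModSecurity code. It assumes a serial audit-log layout with entries separated by a line of "=" characters and the rule's fields appearing as [id "..."] [msg "..."] [severity "..."] in the mod_security-message line; the log sample is constructed.

```python
import re
from collections import Counter

# Constructed sample, not a real log. Assumed layout: entries separated by a
# line of '=' characters, a "Request:" summary line, the raw request, and a
# mod_security-message line that carries [id ...] [msg ...] [severity ...].
SAMPLE_LOG = """\
========================================
Request: 203.0.113.5 - - [02/Apr/2005:10:15:02 +0100] "GET /phpBB/viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 403 0
----------------------------------------
GET /phpBB/viewtopic.php?t=1&highlight=%2527 HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match "highlight=%27" at REQUEST_URI [id "900001"] [msg "phpBB highlight exploit"] [severity "2"]
mod_security-action: 403
========================================
Request: 203.0.113.5 - - [02/Apr/2005:10:15:03 +0100] "GET /forum/viewtopic.php?t=2&highlight=%2527 HTTP/1.1" 403 0
----------------------------------------
GET /forum/viewtopic.php?t=2&highlight=%2527 HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match "highlight=%27" at REQUEST_URI [id "900001"] [msg "phpBB highlight exploit"] [severity "2"]
mod_security-action: 403
========================================
Request: 198.51.100.9 - - [02/Apr/2005:10:16:44 +0100] "GET /search?q=%3Cscript%3E HTTP/1.1" 403 0
----------------------------------------
GET /search?q=%3Cscript%3E HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match "<script" at THE_REQUEST
mod_security-action: 403
"""

ENTRY_SEP = re.compile(r"^=+$", re.M)          # one entry per '=====' block
TAG = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')  # the 1.9dev2 rule fields

def parse_audit_log(text):
    """Split the multi-line log into entries and pull out the fields worth triaging."""
    entries = []
    for chunk in ENTRY_SEP.split(text):
        if "Request:" not in chunk:
            continue  # whitespace between separators, not an entry
        lines = chunk.strip().splitlines()
        request = lines[0].split(" ", 1)[1]   # drop the "Request:" prefix
        client = request.split(" ")[0]
        msg_line = next((l for l in lines if l.startswith("mod_security-message:")), "")
        fields = {"client": client, "request": request, "id": "(no id)", "msg": "", "severity": ""}
        fields.update(TAG.findall(msg_line))  # a rule without id/msg keeps the defaults
        entries.append(fields)
    return entries

def hits_by_rule(entries):  # count hits per (id, msg) so the noisy rule stands out
    return Counter((e["id"], e["msg"]) for e in entries)

def without_rules(entries, ignored_ids):  # drop known-noisy rule ids to surface the rest
    return [e for e in entries if e["id"] not in ignored_ids]
```

A hit logged by a rule that has no id action shows up as "(no id)", which is exactly the case the new actions are meant to remove.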