Hi Cristiano,
The semantics of both files are the same. My suggestion is to double-check the regex that tries to match the index content.
Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>
From: Cristiano Galdino <cri...@ga...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Wednesday, March 7, 2018 at 11:40 AM
To: "mod...@li..." <mod...@li...>
Subject: [mod-security-users] SecAuditLog format different 2.9.x and 3.0
Hi!
I am using ModSecurity 2.9 in Apache and ModSecurity 3.0 in nginx. Both have the same configuration, but the log is in a different format.
My modsecurity.conf:
SecAuditLogParts ABIJDEFGHZ
SecAuditLogType Concurrent
SecAuditLog /var/log/mlog2waffle/mlog2waffle-index
SecAuditLogStorageDir /var/log/mlog2waffle/data
Events in mlog2waffle-index in modsecurity 2.9 (apache):
http://localhost 10.10.10.10 - - [05/Mar/2018:12:33:22 --0300] "POST / HTTP/1.1" 404 926 "-" "-" Wp1jQX8AAQEAAGReP8MAAAAH "-" /20180305/20180305-1233/20180305-123322-Wp1jQX8AAQEAAGReP8MAAAAH 0 2770 md5:608e97823d44086abc1719a930fb90bb
Events in mlog2waffle-index in modsecurity 3.0 (nginx):
127.0.0.1 10.10.10.10 - "GET / HTTP/1.1" 404 0 - "Java/1.8.0_161" 152026763220.574250 - /var/log/mlog2waffle/data/20180305/20180305-1633/20180305-163352-152026763220.574250 0 1303.000000 md5:1a354780659b4213afc79e5185c507a7
So I cannot use mlog2waffle because the log index format in 3.0 is not supported.
How can I make modsecurity 3.0 generate the logs in the 2.9.x format?
Regards,
Cristiano Galdino
cri...@ga...
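
The regex check suggested in the reply, sketched as an added example (not code from this thread, from ModSecurity or from mlog2waffle): a tokenizer that accepts both index layouts quoted above and normalizes them to one record. The field names are labels assumed for illustration, and the 3.0 layout is inferred only from the single sample line in the post.

```python
import re

# A token is a [bracketed] field, a "quoted" field, or a run of non-spaces.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')
STORAGE_DIR = "/var/log/mlog2waffle/data"  # SecAuditLogStorageDir in the post

# Field names are labels assumed for this example, read off the sample lines.
V2_FIELDS = ("host", "remote_addr", "remote_user", "local_user", "time",
             "request", "status", "bytes", "referer", "user_agent",
             "unique_id", "session_id", "path", "offset", "size", "hash")
V3_FIELDS = ("host", "remote_addr", "user", "request", "status", "bytes",
             "referer", "user_agent", "unique_id", "session_id",
             "path", "offset", "size", "hash")

def parse_index_line(line, storage_dir=STORAGE_DIR):
    """Parse one index line in either layout into a normalized dict."""
    tokens = TOKEN.findall(line.strip())
    if len(tokens) == len(V2_FIELDS) and tokens[4].startswith("["):
        layout, names = "2.9", V2_FIELDS
    elif len(tokens) == len(V3_FIELDS) and tokens[3].startswith('"'):
        layout, names = "3.0", V3_FIELDS
    else:
        raise ValueError("unrecognized index line: %d tokens" % len(tokens))
    rec = {"layout": layout}
    for name, tok in zip(names, tokens):
        if len(tok) >= 2 and tok[0] in '["':   # strip surrounding [] or ""
            tok = tok[1:-1]
        rec[name] = None if tok == "-" else tok
    rec["status"], rec["offset"] = int(rec["status"]), int(rec["offset"])
    rec["size"] = int(float(rec["size"]))      # 3.0 sample has "1303.000000"
    # 2.9 sample: path relative to the storage dir; 3.0 sample: absolute.
    if rec["path"].startswith(storage_dir + "/"):
        rec["path"] = rec["path"][len(storage_dir):]
    return rec

# The two index lines quoted in the post.
SAMPLE_V2 = 'http://localhost 10.10.10.10 - - [05/Mar/2018:12:33:22 --0300] "POST / HTTP/1.1" 404 926 "-" "-" Wp1jQX8AAQEAAGReP8MAAAAH "-" /20180305/20180305-1233/20180305-123322-Wp1jQX8AAQEAAGReP8MAAAAH 0 2770 md5:608e97823d44086abc1719a930fb90bb'
SAMPLE_V3 = '127.0.0.1 10.10.10.10 - "GET / HTTP/1.1" 404 0 - "Java/1.8.0_161" 152026763220.574250 - /var/log/mlog2waffle/data/20180305/20180305-1633/20180305-163352-152026763220.574250 0 1303.000000 md5:1a354780659b4213afc79e5185c507a7'

if __name__ == "__main__":
    for sample in (SAMPLE_V2, SAMPLE_V3):
        print(parse_index_line(sample))
```

The differences a 2.9-only regex trips over are visible in the parsed records: the 3.0 line has no bracketed timestamp and one fewer user field, leaves empty values unquoted, writes an absolute file path and a fractional size.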