The modseclogc is a ModSecurity audit log file manipulation and analysis tool, command-line or python module based.
- Homepage: https://github.com/metagriffin/modseclogc
- Bugs: https://github.com/metagriffin/modseclogc/issues
$ pip install modseclogcView a request by unique ID:
$ modseclogc --match-id VtU2o38AAQEAAEV6AuwAAAAE modsec.log
--fc565b0b-A--
[01/Mar/2016:06:28:51 +0000] VtU2o38AAQEAAEV6AuwAAAAE 127.0.0.1 34882 127.0.0.1 80
[...snip...]
--fc565b0b-Z--
Display request IDs that match a path glob:
$ modseclogc --match-path /path/to/resource/** --show-id modsec.log
VtU2o38AAQEAAEV6Au0AAAAE
VtU2o38AAQEAAEV6AuwAAAAE
VtU2o38AAQEAAEV5BIgAAAAK
Display the request line and the request payload (modsec audit part "C") of each audit record:
$ modseclogc --show-request-line --show-parts C modsec.log
OPTIONS /path/to/resource HTTP/1.1
GET /path/to/resource HTTP/1.1
POST /path/to/resource HTTP/1.1
--40382b65-C--
query=foo+bar&page=1
GET /path/to/resource HTTP/1.1
Generate a copy of the audit excluding the payloads (modsec audit part "C") for a specific path glob, and compress the output:
$ zcat modsec_audit.log.gz \
| modseclogc \
--match-path /path/to/resource/** --hide-parts C \
--unmatched keep \
| gzip -9 > clean-modsec_audit.log.gz
- By default, all input records are matched. This is modified via the
--match-*and--inversearguments. - By default, all unmatched records are dropped. This is modified via
the
--unmatchedargument. - Output operations (show, hide, etc) only apply to matched records
(note that the
--inverseargument inverts the matching algorithm, not this rule). - The audit log must be in
Nativeformat (see theSecAuditLogFormatmodsec option).