
modseclogc's Introduction

ModSecurity Log Compiler

modseclogc is a ModSecurity audit log manipulation and analysis tool, usable either from the command line or as a Python module.

Project

Installation

$ pip install modseclogc

Examples

View a request by unique ID:

$ modseclogc --match-id VtU2o38AAQEAAEV6AuwAAAAE modsec.log
--fc565b0b-A--
[01/Mar/2016:06:28:51 +0000] VtU2o38AAQEAAEV6AuwAAAAE 127.0.0.1 34882 127.0.0.1 80

[...snip...]

--fc565b0b-Z--

Display request IDs that match a path glob:

$ modseclogc --match-path /path/to/resource/** --show-id modsec.log
VtU2o38AAQEAAEV6Au0AAAAE
VtU2o38AAQEAAEV6AuwAAAAE
VtU2o38AAQEAAEV5BIgAAAAK

Display the request line and the request payload (modsec audit part "C") of each audit record:

$ modseclogc --show-request-line --show-parts C modsec.log
OPTIONS /path/to/resource HTTP/1.1
GET /path/to/resource HTTP/1.1
POST /path/to/resource HTTP/1.1
--40382b65-C--
query=foo+bar&page=1

GET /path/to/resource HTTP/1.1

Generate a copy of the audit excluding the payloads (modsec audit part "C") for a specific path glob, and compress the output:

$ zcat modsec_audit.log.gz \
  | modseclogc \
    --match-path /path/to/resource/** --hide-parts C \
    --unmatched keep \
  | gzip -9 > clean-modsec_audit.log.gz

Details

  • By default, all input records are matched. This is modified via the --match-* and --inverse arguments.
  • By default, all unmatched records are dropped. This is modified via the --unmatched argument.
  • Output operations (show, hide, etc.) only apply to matched records (note that the --inverse argument inverts the matching algorithm, not this rule).
  • The audit log must be in Native format (see the SecAuditLogFormat modsec option).
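As an added illustration of the Native format the tool expects (not code from the modseclogc project), the block below parses audit records split by their "--<boundary>-<part>--" markers and reimplements the --match-path / --show-request-line / --show-parts operations from the examples above. The log text is constructed; path matching uses Python's fnmatch, which is assumed here and may differ from the tool's own glob rules.

```python
import re
from fnmatch import fnmatch

# Constructed sample in ModSecurity "Native" audit log format (two records;
# parts are delimited by "--<boundary>-<letter>--" and part Z closes a record).
SAMPLE_LOG = """--fc565b0b-A--
[01/Mar/2016:06:28:51 +0000] VtU2o38AAQEAAEV6AuwAAAAE 127.0.0.1 34882 127.0.0.1 80
--fc565b0b-B--
POST /path/to/resource HTTP/1.1
--fc565b0b-C--
query=foo+bar&page=1
--fc565b0b-Z--

--40382b65-A--
[01/Mar/2016:06:29:02 +0000] VtU2o38AAQEAAEV5BIgAAAAK 127.0.0.1 34890 127.0.0.1 80
--40382b65-B--
GET /other/thing HTTP/1.1
--40382b65-Z--
"""

PART_RE = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")

def parse_native(text):
    """Split native-format text into records: one dict per audit entry."""
    records, current, part = [], None, None
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            boundary, part = m.groups()
            if part == "A":  # part A always opens a new record
                current = {"boundary": boundary, "parts": {}}
                records.append(current)
            current["parts"][part] = []
        elif current is not None:
            current["parts"][part].append(line)
    for rec in records:
        rec["parts"] = {k: "\n".join(v).strip() for k, v in rec["parts"].items()}
        # Part A: "[timestamp tz] unique-id src-ip src-port dst-ip dst-port"
        rec["id"] = rec["parts"]["A"].split()[2]
        rec["request_line"] = rec["parts"].get("B", "").split("\n", 1)[0]
        rec["path"] = rec["request_line"].split()[1] if rec["request_line"] else ""
    return records

def match_path(records, glob):
    """Equivalent of --match-path: keep records whose request path fits the glob."""
    return [r for r in records if fnmatch(r["path"], glob)]

def render(records, parts="", request_line=False):
    """Equivalent of --show-request-line / --show-parts: build the output lines."""
    out = []
    for r in records:
        if request_line:
            out.append(r["request_line"])
        for p in parts:
            if p in r["parts"]:  # a record without that part prints nothing for it
                out.append("--%s-%s--" % (r["boundary"], p))
                out.append(r["parts"][p])
    return out
```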


modseclogc's Issues

File passed as argument generates "IOError: [Errno 2] No such file or directory"

Hello,

It seems modseclogc is not recognizing the file passed as an argument, at least for me:

jota@security-audits:~/modsecurity/ModSecurity-log-utilities$ modseclogc --show-request-line --show-parts C modsec.log 
Traceback (most recent call last):
  File "/usr/local/bin/modseclogc", line 11, in <module>
    sys.exit(main())
  File "/home/jota/.local/lib/python2.7/site-packages/modseclogc/cli.py", line 163, in main
    src = source.Source(open(fname, 'rb'), size=None, name=fname)
IOError: [Errno 2] No such file or directory: 'm'
jota@security-audits:~/modsecurity/ModSecurity-log-utilities$ modseclogc --show-request-line --show-parts C odsec.log 
Traceback (most recent call last):
  File "/usr/local/bin/modseclogc", line 11, in <module>
    sys.exit(main())
  File "/home/jota/.local/lib/python2.7/site-packages/modseclogc/cli.py", line 163, in main
    src = source.Source(open(fname, 'rb'), size=None, name=fname)
IOError: [Errno 2] No such file or directory: 'o'

Regards,
Jota

Add function show chosen parameters for each PARTS

Hi metagriffin

Is it possible to add a function to display only the "parameters" that we chose for each PARTS:
Example:
modseclogc --match-path /ajs.php --show-request-line --show-params Referer,X-Forwarded-For --hide-parts FHKZA modsec_audit.log

Expected result:
GET /ajs.php?zid=13013 HTTP/1.1
--5a1c1823-B--
X-Forwarded-For: XXX.XXX.XXX.XX
Referer: http://www.test.fr/choserien/

thanks

undisplay parts with no data

Hi Metagriffin,
Thanks for this tool.

Is it possible to add a parameter that hides a "PART" when it is empty? For example, the command below displays a lot of empty lines because no modsec "rule" was triggered in my log file.

modseclogc --show-parts K modsec.logsecu

.......
--d86e6b12-K--

--95c52a3c-K--

--e7eb404f-K--

--cd51e70c-K--

......

Thanks
