Logwatch and Mod_security
Does anyone have a logwatch filter for the mod_security module?
Log In to Comment
1 Answer
derhansen/logwatch-modsec2 on GitHub has a great example of a Logwatch filter for mod_security. The email output it generates looks like:
--------------------- ModSecurity2 (mod_security2) Begin ------------------------
ATTACKS BLOCKED ON VHOSTS:
subdomain.domain.tld - 2 time(s)
[ip: xxx.xxx.xxx.xxx] [id: 981231 ] [msg: SQL Comment Sequence Detected.] - 1 time(s)
[ip: xxx.xxx.xxx.xxx] [id: 981231 ] [msg: SQL Comment Sequence Detected.] - 1 time(s)
www.site.tld - 1 time(s)
[ip: xxx.xxx.xxx.xxx] [id: 990012 ] [msg: Rogue web site crawler] - 1 time(s)
[ip: xxx.xxx.xxx.xx] [id: 981318 ] [msg: SQL Injection Attack: Common Injection Testing Detected] - 5 time(s)
[ip: xxx.xxx.xxx.xx] [id: 950901 ] [msg: SQL Injection Attack: SQL Tautology Detected.] - 2 time(s)
www.anothersite.tld - 1 time(s)
[ip: xxx.xxx.xxx.xxx] [id: 958291 ] [msg: Range: field exists and begins with 0.] - 1 time(s)
TOP 10 BLOCKED IPS:
xxx.xxx.xxx.xxx - 2 time(s)
xx.xxx.xxx.xxx - 1 time(s)
xxx.xxx.xx.xx - 1 time(s)
xxx.xxx.xxx.xx - 1 time(s)
xxx.xxx.xxx.xxx - 1 time(s)
---------------------- ModSecurity2 (mod_security2) End -------------------------
If you’re just looking for an example of parsing the log file, the perl script that does that is here.
Have another answer? Share your knowledge.