Archive | October, 2012

Search modsecurity logs more easily

Searching a serial-format ModSecurity audit log can be a pain. Each report is spread over several sections, so finding one means matching across multiple lines, which is, well, not something grep does.

cPanel/WHM creates the logfile in /usr/local/apache/logs/modsec_audit.log

This Perl script searches the log for intercepted requests from a particular IP address (with no valid IP given, it prints every intercepted request):

    #!/usr/bin/perl
    use strict;
    use warnings;

    # usage: modsearch.pl [optional ip address]

    my $ip = '';

    if (@ARGV == 1) {
        $ip = $ARGV[0];
    }
    # you can comment out this line to search for things other than IP address
    # (with no valid IP the pattern '.' matches every intercepted entry)
    if ($ip !~ /(\d{1,3}\.){3}\d{1,3}/) { $ip = '.'; }

    my $modseclog = '/usr/local/apache/logs/modsec_audit.log';

    if (open my $logf, '<', $modseclog) {
        my ($chunk, $line);
        my $count = 0;
        while (defined($chunk = <$logf>)) {
            # go hunting for an A entry (the start of an audit record)
            if ($chunk =~ /--[\d\w]+-A--/) {
                # slurp everything up to the matching Z marker into one chunk
                do {
                    $line = <$logf>;
                    $chunk .= $line if defined $line;
                } until (!defined($line) || $line =~ /--[\d\w]+-Z--/ || eof($logf));
            }
            # $ip is interpolated as a regex, so '.' matches anything; /s lets .* span lines
            if ($chunk =~ m/${ip}.*Intercepted/s) {
                $count++;
                print $chunk;
            }
        }
        close $logf;
        print $count, " matches found.\n";
    } else {
        die "Cannot open $modseclog: $!\n";
    }

The script prints the complete entry (every section from A to Z) for each matching incident, which makes it much easier to track down problems.
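The same search done as a section-aware parser, added here as an example in Python (it is not the post's script and not ModSecurity's own code). Rather than regex-matching the whole A-to-Z chunk, it splits each record into its lettered parts, pulls the client IP from the section A header and checks section H for the "Intercepted" action, so a match on the IP in a request body or a referer cannot produce a false hit. It assumes the ModSecurity 2.x serial layout: boundary lines of the form `--<id>-<letter>--`, a section A header of `[timestamp] unique_id client_ip client_port server_ip server_port`, and `Action: Intercepted` reported in section H. The sample log below is constructed for the example.

```python
"""Parse a ModSecurity serial audit log into per-request entries and filter them."""
import re
from dataclasses import dataclass, field

# Boundary line "--<id>-<part>--": id is the record's boundary token, part is one
# letter (A = audit header, B = request headers, F = response headers, H = trailer,
# Z = end of record).
BOUNDARY_RE = re.compile(r'^--([0-9A-Za-z]+)-([A-Z])--\s*$')

# Section A layout assumed from ModSecurity 2.x serial logs:
# [timestamp] unique_id client_ip client_port server_ip server_port
SECTION_A_RE = re.compile(r'^\[[^\]]+\]\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)')

# Constructed sample log: one blocked request and one that was allowed through.
SAMPLE_LOG = """\
--a1b2c3d4-A--
[10/Oct/2012:12:00:01 +0000] SAMPLE-UNIQUE-ID-1 203.0.113.5 54321 192.0.2.10 80
--a1b2c3d4-B--
GET /index.php?id=1 HTTP/1.1
Host: www.example.com
--a1b2c3d4-F--
HTTP/1.1 403 Forbidden
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [id "PLACEHOLDER-RULE-ID"]
Action: Intercepted (phase 2)
--a1b2c3d4-Z--

--e5f6a7b8-A--
[10/Oct/2012:12:00:02 +0000] SAMPLE-UNIQUE-ID-2 198.51.100.7 40000 192.0.2.10 80
--e5f6a7b8-B--
GET /about.html HTTP/1.1
Host: www.example.com
--e5f6a7b8-F--
HTTP/1.1 200 OK
--e5f6a7b8-H--
Stopwatch: 1349870402000000 1234 (- - -)
--e5f6a7b8-Z--
"""


@dataclass
class AuditEntry:
    boundary: str
    parts: dict = field(default_factory=dict)  # part letter -> section text

    @property
    def client_ip(self):
        """Client IP taken from the section A header, or None if it cannot be parsed."""
        m = SECTION_A_RE.match(self.parts.get('A', ''))
        return m.group(2) if m else None

    def intercepted(self):
        """True when the trailer (section H) records that the request was intercepted."""
        return 'Intercepted' in self.parts.get('H', '')

    def render(self):
        """Reassemble the record in its original A..Z form for printing."""
        out = []
        for letter, text in self.parts.items():
            out.append(f'--{self.boundary}-{letter}--\n{text}')
        out.append(f'--{self.boundary}-Z--\n')
        return ''.join(out)


def parse_serial_log(text):
    """Split a serial audit log into AuditEntry objects.

    Lines outside a record, and boundary lines whose id does not match the open
    record, are skipped, so a truncated or interleaved log does not derail parsing.
    """
    entries = []
    current = None  # the record currently being read
    part = None     # the section letter currently being read
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            boundary, part = m.groups()
            if part == 'A':
                current = AuditEntry(boundary)
            elif current is None or boundary != current.boundary:
                current, part = None, None
                continue
            if part == 'Z':
                entries.append(current)
                current, part = None, None
            else:
                current.parts.setdefault(part, '')
            continue
        if current is not None and part is not None:
            current.parts[part] += line + '\n'
    return entries


def find_intercepted(entries, ip=None):
    """Intercepted records, optionally restricted to one client IP."""
    return [e for e in entries if e.intercepted() and (ip is None or e.client_ip == ip)]


if __name__ == '__main__':
    hits = find_intercepted(parse_serial_log(SAMPLE_LOG), '203.0.113.5')
    for entry in hits:
        print(entry.render())
    print(len(hits), 'matches found.')
```

To run it against a live cPanel box, replace `SAMPLE_LOG` with the contents of /usr/local/apache/logs/modsec_audit.log; the parser reads whole sections, so rules like "show me intercepted POSTs to a given Host" become a filter over `parts['B']` rather than a new multi-line regex.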