Our Blog

How to Locate a Specific Log Entry in ModSecurity Audit Log

Posted by:

ModSecurity is an open source, versatile and cross-platform web application that protects a website from all possible security threats. The application also keeps extensive audit logs and can be installed with Apache & NGINX web servers. It is fundamentally used to block potential exploits with the help of Regular Expressions.

ModSecurity, being an effective element of the cPanel/WHM can identify and remove the commonly known code injection that in turn improves the overall security of the server. In an ideal scenario when ModSecurity is active on a server; helps in detecting any malicious request made to the server. The application stops those requests and they get logged in to the web server’s vhosts error_log and in the ModSecurity Audit Log.

Problem:

There could be hundreds of websites/vhosts in cPanel/WHM Server and all their malicious entries are saved in ModSecurity Audit Log. It is very difficult to find out specific website/vhosts related logs. The situation would worsen in case of an urgent need of specific website/vhosts log.

Solution:

In order to overcome this problem, we needed to automate the process of finding a log entry for a specific host or website. We achieved success in this part by implementing the following command:

sed -e ‘/-A–/,/-Z–/{H;$!d;}’ -e ‘x;/Host: xyzvhost.com/!d;’ /path/to/modsec_audit.log

With this command the issue of manually looking out for the log entries from the audit log was resolved and we could now find the entry of our choice without any hassle. The process enhanced the utility of the ModSecurity.

0


Add a Comment

Time limit is exhausted. Please reload CAPTCHA.

# #