How to customize Apache mod_sec log output?
I have an Apache server which uses a mod_security configuration. Those logs are further analyzed and sent to an OSSEC server for intrusion detection and monitoring.
That OSSEC server then sends those logs to a SIEM for normalization and advanced correlation. The parser at the SIEM is able to parse quite a few mod_sec messages, but one particular type of message, the one whose payload includes
"rx ^%{tx.allowed_request_content_type}$"
cannot seem to be parsed by the SIEM system. Instead of changing the parser code at the SIEM end, which seems impossible because it's closed source, I want to know if there is a way to change the logging output, much like Apache's custom log features. The full log payload is shown below:
Sep 13 13:35:37 ossec-server ossec: Alert Level: 7; Rule: 50118 - Access attempt blocked by Mod Security.; Location: (WebServer) 127.0.0.1->/usr/local/apache2/logs/error_log;
[Fri Sep 13 13:37:09.190450 2013] [:error] [pid 2584:tid 140049089795840] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required.
[file "/usr/local/apache2/conf/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"]
[msg "Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"]
[tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
[hostname "abc.com"] [uri "/"] [unique_id "UjLOtQoKUakAAAoYEh8AAAAO"]
Can I specify that Apache should not log the highlighted text above when writing logs?
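The following is an added example, not code from the question or from the ModSecurity or OSSEC projects. It shows the other place this problem can be solved: in a preprocessing step between OSSEC and the SIEM rather than in Apache's own logging. The `[key "value"]` fields of a ModSecurity 2.x error_log entry are extracted with a small parser, and the `Match of "..." against "..." required.` operator clause (the part containing `rx ^%{tx.allowed_request_content_type}$`) is stripped so the rest of the line keeps the layout the SIEM already understands. The sample line is the one quoted above, reconstructed onto a single line; the regular expression names and the function names are my own.

```python
import re

# Constructed sample: the ModSecurity error_log entry quoted in the question,
# joined back onto one line with the OSSEC alert header removed.
SAMPLE_LINE = (
    '[Fri Sep 13 13:37:09.190450 2013] [:error] [pid 2584:tid 140049089795840] '
    '[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). '
    'Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. '
    '[file "/usr/local/apache2/conf/modsecurity-crs/activated_rules/'
    'modsecurity_crs_30_http_policy.conf"] '
    '[line "64"] [id "960010"] [rev "2"] '
    '[msg "Request content type is not allowed by policy"] '
    '[data "application/octet-stream"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] '
    '[maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] '
    '[tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] '
    '[tag "PCI/12.1"] [hostname "abc.com"] [uri "/"] [unique_id "UjLOtQoKUakAAAoYEh8AAAAO"]'
)

# [key "value"] pairs as ModSecurity writes them; values never contain a double quote,
# so everything up to the next quote is the value (including %, {, } and $).
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# The operator clause a rigid downstream parser may trip over.
MATCH_RE = re.compile(r'Match of "[^"]*" against "[^"]*" required\.\s*')
# Apache error_log preamble pieces that are not written in [key "value"] form.
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
CODE_RE = re.compile(r'Access denied with code (\d+) \(phase (\d+)\)')


def parse_modsec_line(line):
    """Return a dict of the fields of one ModSecurity 2.x error_log entry.

    Repeated [tag "..."] entries are collected into the 'tags' list; the
    operator clause, if present, is kept verbatim under 'operator'.
    """
    fields = {}
    for key, value in TAG_RE.findall(line):
        if key == "tag":
            fields.setdefault("tags", []).append(value)
        else:
            fields[key] = value
    m = CLIENT_RE.search(line)
    if m:
        fields["client"] = m.group(1)
    m = CODE_RE.search(line)
    if m:
        fields["status"] = int(m.group(1))
        fields["phase"] = int(m.group(2))
    m = MATCH_RE.search(line)
    fields["operator"] = m.group(0).strip() if m else None
    return fields


def strip_operator_clause(line):
    """Remove the 'Match of ... required.' clause and return the rest unchanged.

    Only the clause is dropped, so rule id, message, data, tags and unique_id
    survive for correlation; the operator text itself is rarely useful to a SIEM.
    """
    return MATCH_RE.sub("", line)


if __name__ == "__main__":
    parsed = parse_modsec_line(SAMPLE_LINE)
    for key in ("client", "status", "phase", "id", "msg", "data", "severity", "uri", "unique_id"):
        print(f"{key:10} {parsed[key]}")
    print("tags      ", ", ".join(parsed["tags"]))
    print("operator  ", parsed["operator"])
    print()
    print(strip_operator_clause(SAMPLE_LINE))
```

Running the stripped line back through `parse_modsec_line` yields the same rule id, message and tags, which is the property a forwarder-side rewrite should preserve: the SIEM loses only the operator clause, not the event.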