
Commit c3c6cb0

added documentation
1 parent b740def commit c3c6cb0


2 files changed: +104 -2 lines changed


README.rst

+84-2
@@ -1,2 +1,84 @@
1-
# modseclogc
2-
A python library and command-line tool to manipulate and analyze ModSecurity audit log files.
1+
========================
2+
ModSecurity Log Compiler
3+
========================
4+
5+
The `modseclogc` is a ModSecurity audit log file manipulation and
6+
analysis tool, command-line or python module based.
7+
8+
9+
Project
10+
=======
11+
12+
* Homepage: https://github.com/metagriffin/modseclogc
13+
* Bugs: https://github.com/metagriffin/modseclogc/issues
14+
15+
16+
Installation
17+
============
18+
19+
.. code:: bash
20+
21+
$ pip install modseclogc
22+
23+
24+
Examples
25+
========
26+
27+
View a request by unique ID:
28+
29+
.. code:: text
30+
31+
$ modseclogc --match-id VtU2o38AAQEAAEV6AuwAAAAE modsec.log
32+
--fc565b0b-A--
33+
[01/Mar/2016:06:28:51 +0000] VtU2o38AAQEAAEV6AuwAAAAE 127.0.0.1 34882 127.0.0.1 80
34+
35+
[...snip...]
36+
37+
--fc565b0b-Z--
38+
39+
Display request IDs that match a path glob:
40+
41+
.. code:: text
42+
43+
$ modseclogc --match-path /path/to/resource/** --show-id modsec.log
44+
VtU2o38AAQEAAEV6Au0AAAAE
45+
VtU2o38AAQEAAEV6AuwAAAAE
46+
VtU2o38AAQEAAEV5BIgAAAAK
47+
48+
Display the request line and the request payload (modsec audit part
49+
"C") of each audit record:
50+
51+
.. code:: text
52+
53+
$ modseclogc --show-request-line --show-parts C modsec.log
54+
OPTIONS /path/to/resource HTTP/1.1
55+
GET /path/to/resource HTTP/1.1
56+
POST /path/to/resource HTTP/1.1
57+
--40382b65-C--
58+
query=foo+bar&page=1
59+
60+
GET /path/to/resource HTTP/1.1
61+
62+
Generate a copy of the audit excluding the payloads (modsec audit part
63+
"C") for a specific path glob, and compress the output:
64+
65+
.. code:: text
66+
67+
$ modseclogc --match-path /path/to/resource/** --unmatched keep \
68+
--hide-parts C modsec.log | gzip -9 > clean-modsec.log.gz
69+
70+
71+
Details
72+
=======
73+
74+
* By default, all input records are matched and unmatched records are
75+
dropped. Matched records are modified via the "--match-*" and
76+
"--inverse" arguments. What happens to unmatched records is
77+
controlled by the "--unmatched" argument.
78+
79+
* Output operations (show, hide, etc) only apply to matched records
80+
(note that the "--inverse" argument inverts the matching algorithm,
81+
not this rule).
82+
83+
* The audit log must be in "Native" format (see ``SecAuditLogFormat``
84+
modsec option).
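Review bot: the shell examples at new lines 43 and 67 pass the glob `/path/to/resource/**` unquoted, so an interactive shell may expand the `*` characters itself (and bash with `globstar` set expands `**` recursively) before `modseclogc` ever sees the pattern; quote it in both examples, e.g. `--match-path '/path/to/resource/**'`. Also, the first bullet under Details says matched records are "modified via the --match-* and --inverse arguments", but those arguments select which records match, while the show/hide operations described in the second bullet do the modifying; "selected via" would describe the behaviour more accurately.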

TODO.rst

+20
@@ -0,0 +1,20 @@
1+
=====
2+
TODOs
3+
=====
4+
5+
6+
* Support ``SecAuditLogType Concurrent`` mode
7+
8+
* Support `Matcher` and `Renderer` plugin loading
9+
10+
* Create a matcher and renderer expression language? e.g.::
11+
12+
$ modseclogc --match '( path("XXX") or path("YYY") ) and not cookie("YYY")'
13+
14+
* Add support for audit logs in JSON format (i.e. ``SecAuditLogFormat
15+
JSON``) added in modsec 2.9.1
16+
17+
* Auto-detect gzip-compressed input
18+
19+
* (?) be able to apply a different renderer to unmatched records
20+
(beyond NativeRenderer)
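Review bot: the second item wraps `Matcher` and `Renderer` in single backticks, which reStructuredText treats as interpreted text (rendered with the default role, typically italics) rather than as literals; the other items use double backticks for ``SecAuditLogType Concurrent`` and ``SecAuditLogFormat JSON``, so use double backticks here too for consistent rendering. The "(?)" prefix on the last item and the question mark on the expression-language item mark them as undecided; a few words on what is unresolved would make the TODO more useful to a contributor.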
