owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Is it possible to change the SecAuditLogStorageDir variable so that the logs are sorted by vhost? #3118

Open vukitoso opened 1 month ago

vukitoso commented 1 month ago

Hello.

I have libapache2-mod-security2 2.9.7-1 installed on Debian 12. In the configuration file /etc/modsecurity/modsecurity.conf, the default is SecAuditLogStorageDir = /opt/modsecurity/var/audit, and all logs are written together, regardless of vhost. Is it possible to sort by vhost?

/opt/modsecurity/var/audit/site1.com/
/opt/modsecurity/var/audit/site2.com/

...

Then, as an option to expand the functionality, you can add variables:

$vhost
$year
$month
$day
$hour
$minute
$second
$id - some kind of unique identifier that is added to the end of the log name

so that you can create different options for log storage paths:

/opt/modsecurity/var/audit/$vhost/$year-$month-$day/$hour-$minute-$second-$ID.log
/opt/modsecurity/var/audit/site.com/2024-03-31/11-51-03-ZgkZYEAFt1ApFkqHlmHjUgAAAAE.log

or

/opt/modsecurity/var/audit/$vhost/$year-$month/$day/$hour-$minute-$second-$ID.log
/opt/modsecurity/var/audit/site.com/2024-03/31/11-51-03-ZgkZYEAFt1ApFkqHlmHjUgAAAAE.log

Thx.
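
The path scheme proposed above, sketched as an added example (not ModSecurity code and not from the original post): it expands the requested variables and validates the vhost and ID before they become path components, on the assumption that the vhost name may come from the client-supplied Host header. The names `safe_vhost`, `audit_log_path` and the `_unknown` fallback directory are hypothetical, and the unique-ID alphabet is an assumption.

```python
import re
from datetime import datetime
from pathlib import PurePosixPath
from string import Template

BASE = PurePosixPath("/opt/modsecurity/var/audit")  # storage dir from the post
# One or more DNS labels: letters, digits, inner hyphens; no empty labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
_ID_RE = re.compile(r"[A-Za-z0-9@_-]{1,64}")  # assumed unique-ID alphabet


def safe_vhost(name: str) -> str:
    """Reduce a vhost name to one safe path component, else '_unknown'."""
    host = name.strip().lower().split(":", 1)[0].rstrip(".")
    if len(host) <= 253 and _HOST_RE.fullmatch(host):
        return host
    return "_unknown"  # hypothetical catch-all directory


def audit_log_path(template: str, vhost: str, when: datetime, uid: str) -> str:
    """Expand the proposed $variables into a path that stays under BASE."""
    if not _ID_RE.fullmatch(uid):
        raise ValueError("unexpected characters in unique id")
    fields = {
        "vhost": safe_vhost(vhost),
        "year": f"{when:%Y}", "month": f"{when:%m}", "day": f"{when:%d}",
        "hour": f"{when:%H}", "minute": f"{when:%M}", "second": f"{when:%S}",
        "id": uid, "ID": uid,  # the post writes both $id and $ID
    }
    path = BASE / Template(template).substitute(fields)
    # Defence in depth: the expanded path must not leave the storage dir.
    if ".." in path.parts or path.parts[:len(BASE.parts)] != BASE.parts:
        raise ValueError("expanded path escapes the audit directory")
    return str(path)


if __name__ == "__main__":
    # Constructed sample values matching the example in the post.
    ts = datetime(2024, 3, 31, 11, 51, 3)
    uid = "ZgkZYEAFt1ApFkqHlmHjUgAAAAE"
    tpl = "$vhost/$year-$month-$day/$hour-$minute-$second-$ID.log"
    print(audit_log_path(tpl, "site.com", ts, uid))
    print(audit_log_path(tpl, "../../etc/cron.d", ts, uid))  # lands in _unknown
```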