owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0
7.67k stars 1.54k forks

[Idea] Add variable support for SecAuditLog #3133

Open Xakiadalisabad opened 3 weeks ago

Xakiadalisabad commented 3 weeks ago

I would like to provide a log file separately for each user and their website. Is there a chance to do this using variables in SecAuditLog?

airween commented 3 weeks ago

Hi @Xakiadalisabad,

have you tried to put the directive into the vhost context where you want to have its own audit.log?

You didn't mention what version you use. If you use Apache, you can do:

<VirtualHost *:80>
    ...
    SecAuditLog /var/log/nginx/other-vhost-modsec_audit.log
    ...
</VirtualHost>

If you use libmodsecurity3 and Nginx, you can try:

server {
    ...
    modsecurity_rules '
        SecAuditLog /var/log/nginx/other-vhost-modsec_audit.log
    ';
}

marcstern commented 2 weeks ago

If you use Apache, you can automate things with mod_macro, like:

<Macro VHostName $name>
    ServerName $name
    SecAuditLog /var/log/httpd/audit$name.log
    [...]
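
The mod_macro approach from the last comment, written out as an added example that is not part of the thread or the ModSecurity project. The macro name AuditedVHost, the hostnames and the paths are assumptions, and it presumes Apache httpd 2.4 with mod_macro and ModSecurity v2 loaded.

```apache
# Added example; macro name, hostnames and paths are assumptions.
# Needs mod_macro (ships with Apache httpd 2.4) and ModSecurity v2 loaded.

<Macro AuditedVHost $name $docroot>
    <VirtualHost *:80>
        ServerName   $name
        DocumentRoot $docroot

        # Per-site audit log. mod_macro substitutes $name textually,
        # so every Use line below gets a distinct file.
        SecAuditEngine  RelevantOnly
        SecAuditLogType Serial
        SecAuditLog     /var/log/httpd/audit-$name.log
    </VirtualHost>
</Macro>

# One line per site; each expands to a vhost with its own audit log.
Use AuditedVHost site-a.example.test /srv/www/site-a
Use AuditedVHost site-b.example.test /srv/www/site-b

# Drop the definition so later config files cannot reuse it by accident.
UndefMacro AuditedVHost
```

Run `apachectl -t` after editing to check the expanded configuration, and `apachectl -S` to list the virtual hosts it produced. Audit logs record request data, so decide who may read each per-site file before handing them to users.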