When ModSecurity detects an event that it has been instructed to log, it generates an audit log entry and, if properly configured, an audit log event file. The audit log event file is the most useful piece of information the system will collect, so it's vital that ModSecurity be set up correctly to capture it. The Apache error logs and the audit log itself are not particularly useful when trying to determine why an event has been captured.
Logically, each audit log entry is a single file. When serial audit logging is used, all entries will be placed within one file, but with concurrent audit logging, one file per entry is used.
Here is an example of a single audit log entry:

--6ef24602-A--
[02/Aug/2016:09:57:47 +0300] V6BEawUs8J4AACcbno4AAAAE 177.80.183.159 43077 5.44.240.158 80

--6ef24602-B--
POST /command.php HTTP/1.0
Accept: */*
Host: 5.44.240.158
User-Agent: Wget(linux)
Content-Type: application/x-www-form-urlencoded, application/x-www-form-urlencoded
Content-Length: 208

--6ef24602-C--
cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74

--6ef24602-F--
HTTP/1.1 500 Internal Server Error
Content-Length: 610
Connection: close
Content-Type: text/html; charset=iso-8859-1

--6ef24602-E--

--6ef24602-H--
Message: Warning. Pattern match "POST" at REQUEST_METHOD. [file "/etc/modsecurity/custom.conf"] [line "2"] [id "399999"] [msg "LOG POST"]
Message: Access denied with code 500 (phase 2). Pattern match "cmd=.*&&" at REQUEST_BODY. [file "/etc/modsecurity/custom.conf"] [line "127"] [id "440002"] [msg "Malware expert - unwanted shell access"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1470121067508965 6092 (- - -)
Stopwatch2: 1470121067508965 6092; combined=5272, p1=4949, p2=318, p3=0, p4=0, p5=5, sr=58, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache/2.4.10 (Debian)
Engine-Mode: "ENABLED"

--6ef24602-Z--
Audit log sections
A segment begins with a boundary and ends when the next segment begins. The only exception is the terminating segment (Z), which consists only of the boundary. The idea behind the use of multiple segments is to allow each audit log entry to contain potentially different information. Only the parts A and Z are mandatory; the use of the other parts is controlled with the SecAuditLogParts directive.
| Section | Description |
|---------|-------------|
| A | Audit log header (mandatory) |
| B | Request headers |
| C | Request body |
| D | Reserved |
| E | Response body |
| F | Response headers |
| G | Reserved |
| H | Audit log trailer, which contains additional data |
| I | Compact request body alternative (to part C), which excludes files |
| J | Information on uploaded files (available as of version 2.6.0) |
| K | Contains a list of all rules that matched for the transaction |
| Z | Final boundary (mandatory) |
Section A – The audit log header
The audit log header contains only one line, with the following information on it:
- Timestamp
- Unique transaction ID
- Source IP address (IPv4 or IPv6)
- Source port
- Destination IP address (IPv4 or IPv6)
- Destination port
[02/Aug/2016:09:57:47 +0300] V6BEawUs8J4AACcbno4AAAAE 177.80.183.159 43077 5.44.240.158 80
Section B – request headers
The request headers part contains the request line and the request headers. The information present in this part is not guaranteed to be identical to that sent by the client responsible for the transaction: ModSecurity does not have access to the raw data; it sees what Apache itself sees. The end result may still be identical to the raw request.
Section C – request body
This part contains the request body of the transaction.
Section F – response headers
This part contains the actual response headers sent to the client. Since ModSecurity does not access the raw connection data, it constructs part F out of the internal Apache data structures that hold the response headers.
Some headers (the Date and Server response headers) are generated just before they are sent and ModSecurity is not able to record those.
Section H – audit log trailer
This is the most important part of the audit log entry for determining which rule triggered, and why it triggered.

Message: Warning. Pattern match "POST" at REQUEST_METHOD. [file "/etc/modsecurity/custom.conf"] [line "2"] [id "399999"] [msg "LOG POST"]
Message: Access denied with code 500 (phase 2). Pattern match "cmd=.*&&" at REQUEST_BODY. [file "/etc/modsecurity/custom.conf"] [line "127"] [id "440002"] [msg "Malware expert - unwanted shell access"]

More information is available in the official Audit Log documentation.
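As an added example (not code from the original page or from the ModSecurity project), the Python below splits a serial audit log on its boundaries, reads the part A header, and pulls the rule metadata out of part H for triage. The sample entry is constructed from the one above with a shortened body, and the function names `split_entries` and `summarize` are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the entry shown above, reduced to parts A, C, H and Z.
SAMPLE = """\
--6ef24602-A--
[02/Aug/2016:09:57:47 +0300] V6BEawUs8J4AACcbno4AAAAE 177.80.183.159 43077 5.44.240.158 80
--6ef24602-C--
cmd=%63%64%20%2F%74%6D%70%20%26%26%20%6C%73
--6ef24602-H--
Message: Warning. Pattern match "POST" at REQUEST_METHOD. [file "/etc/modsecurity/custom.conf"] [line "2"] [id "399999"] [msg "LOG POST"]
Message: Access denied with code 500 (phase 2). Pattern match "cmd=.*&&" at REQUEST_BODY. [file "/etc/modsecurity/custom.conf"] [line "127"] [id "440002"] [msg "Malware expert - unwanted shell access"]
Action: Intercepted (phase 2)
--6ef24602-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
HEADER = re.compile(r"^\[(?P<timestamp>[^\]]+)\] (?P<txid>\S+) (?P<src_ip>\S+) "
                    r"(?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+)$")
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def split_entries(text):
    """Yield {part letter: text} for each complete entry (A through Z)."""
    entry, part, entry_id = {}, None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        # Only this entry's own ID ends a part; look-alike body lines stay content.
        if m and entry_id is None and m.group(2) == "A":
            entry_id, part, entry = m.group(1), "A", {"A": []}
        elif m and m.group(1) == entry_id and m.group(2) == "Z":
            yield {k: "\n".join(v).strip() for k, v in entry.items()}
            entry, part, entry_id = {}, None, None
        elif m and m.group(1) == entry_id:
            part = m.group(2)
            entry[part] = []
        elif part:
            entry[part].append(line)

def summarize(entry):
    """Header fields from part A, rule tags from part H, decoded part C."""
    m = HEADER.match(entry["A"])
    if not m:
        raise ValueError("malformed part A header")
    info = m.groupdict()
    info["rules"] = [dict(TAG.findall(line)) for line in entry.get("H", "").splitlines()
                     if line.startswith("Message: ")]
    info["intercepted"] = "Action: Intercepted" in entry.get("H", "")
    info["body"] = unquote_plus(entry.get("C", ""))
    return info
```

An entry that never reaches its Z boundary is treated as truncated and not yielded, so a partially written log does not produce half-parsed records.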
References:
ModSecurity Handbook
http://wiki.atomicorp.com/wiki/index.php/Modsecurity_audit_log
https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch04-logging.html
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual