Audit Log

When modsecurity detects an event has occurred that it has been instructed to log, it will generate an audit log entry, and if properly configured an audit log event file. The audit log event file is the most useful piece of information the system will collect, so its vital modsecurity be setup correctly to capture this. Apache error logs, and the audit log itself are not particularly useful when trying to determine why an event has been captured.

Logically, each audit log entry is a single file. When serial audit logging is used, all entries will be placed within one file, but with concurrent audit logging, one file per entry is used.

Here example at single audit log entry:

--6ef24602-A--
[02/Aug/2016:09:57:47 +0300] V6BEawUs8J4AACcbno4AAAAE 177.80.183.159 43077 5.44.240.158 80
--6ef24602-B--
POST /command.php HTTP/1.0
Accept: */*
Host: 5.44.240.158
User-Agent: Wget(linux)
Content-Type: application/x-www-form-urlencoded, application/x-www-form-urlencoded
Content-Length: 208

--6ef24602-C--
cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74
--6ef24602-F--
HTTP/1.1 500 Internal Server Error
Content-Length: 610
Connection: close
Content-Type: text/html; charset=iso-8859-1

--6ef24602-E--

--6ef24602-H--
Message: Warning. Pattern match "POST" at REQUEST_METHOD. [file "/etc/modsecurity/custom.conf"] [line "2"] [id "399999"] [msg "LOG POST"]
Message: Access denied with code 500 (phase 2). Pattern match "cmd=.*&&" at REQUEST_BODY. [file "/etc/modsecurity/custom.conf"] [line "127"] [id "440002"] [msg "Malware expert - unwanted shell access"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1470121067508965 6092 (- - -)
Stopwatch2: 1470121067508965 6092; combined=5272, p1=4949, p2=318, p3=0, p4=0, p5=5, sr=58, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache/2.4.10 (Debian)
Engine-Mode: "ENABLED"

--6ef24602-Z--

Audit log sections

A segment begins with a boundary and ends when the next segment begins. The only exception is the terminating segment (Z), which consists only of the boundary. The idea behind the use of multiple segments is to allow each audit log entry to contain potentially different information. Only the parts A and Z are mandatory; the use of the other parts is controlled with the SecAuditLogParts directive.

Sections        Description
A 	        Audit log header (mandatory)
B 	        Request headers
C 	        Request body
D 	        Reserved
E 	        Response body
F 	        Response headers
G 	        Reserved
H 	        Audit log trailer, which contains additional data
I 	        Compact request body alternative (to part C), which excludes files
J 	        Information on uploaded files (available as of version 2.6.0)
K 	        Contains a list of all rules that matched for the transaction
Z 	        Final boundary (mandatory)

Section A – The audit log header

The audit log header, contains only one line, with the following information on it:

  • Timestamp
  • Unique transaction ID
  • Source IP address (IPv4 or IPv6)
  • Source port
  • Destination IP address (IPv4 or IPv6)
  • Destination port
[02/Aug/2016:09:57:47 +0300] V6BEawUs8J4AACcbno4AAAAE 177.80.183.159 43077 5.44.240.158 80

Section B – request headers

The request headers part contains the request line and the request headers. The information present in this part will not be identical to that sent by the client responsible for the transaction. ModSecurity does not have access to the raw data; it sees what Apache itself sees. While the end result may be identical to the raw request.

Section C – request body

This part contains the request body of the transaction.

Section F – response headers

This part contains the actual response headers sent to the client. Since ModSecurity does not access the raw connection data, it constructs part F out of the internal Apache data structures that hold the response headers.

Some headers (the Date and Server response headers) are generated just before they are sent and ModSecurity is not able to record those.

Section H – audit log trailer

This is the most important of the audit log entry for determining what rule triggered, and why it triggered.

Message: Warning. Pattern match "POST" at REQUEST_METHOD. [file "/etc/modsecurity/custom.conf"] [line "2"] [id "399999"] [msg "LOG POST"]
Message: Access denied with code 500 (phase 2). Pattern match "cmd=.*&&" at REQUEST_BODY. [file "/etc/modsecurity/custom.conf"] [line "127"] [id "440002"] [msg "Malware expert - unwanted shell access"]

More info in offical Audit Log documentation.

References:

Mod Security Hand Book
http://wiki.atomicorp.com/wiki/index.php/Modsecurity_audit_log
https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch04-logging.html
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual