Document toolboxDocument toolbox

web.apache.mod-security

The tags beginning with web.apache.mod-security  identify log events generated by the ModSecurity Web Application Firewall for Apache.

ModSecurity can be configured to write events and alerts to the Apache access and error logs or to write a dedicated audit log file. Devo recommends using rsyslog as a means to forward ModSecurity audit log events to a Devo endpoint. This enables you to correctly tag the events and forward them to either a Devo Relay or directly to the Devo Cloud.

Tag structure

The full tag must have at least six levels. The first three are fixed as web.apache.mod-security . The fourth, fifth and sixth levels are required and should identify the environment type, web application, and Apache instance respectively. 

  • environment - Describes the environment in when the event occurred. For example, development, testing, or production.

  • web application - The name of the web application.

  • clon - This is the instance that generated the event. Depending on your network, this can be a machine name, or the virtual name of an Apache process.

The values of these levels should be guided by the structure we propose because they will be saved in the events when saved in Devo. When you open the resulting data table, these will appear in the environment, site and clon columns.

Technology

Brand

Log type/format

Environment

Web application

Clon

Technology

Brand

Log type/format

Environment

Web application

Clon

web

apache

  • mod-security

free but required



free but required

free but required

For more information, read more about Devo tags.

Configure the audit log file

Check the main ModSecurity configuration file to make sure that the audit file is being generated. The configuration directives that begin with SecAudit will dictate if the file is to be generated, in what format and in which directory. Below is a sample excerpt that shows some of these directives.

ModSecurity audit log configuration
SecAuditEngine RelevantOnly SecAuditLogRelevantStatus "^(?:5|4(?!04))" SecAuditLogParts ABIJDEFHZ SecAuditLogType Serial SecAuditLog /var/log/apache2/modsec_audit.log

Here you can find additional information on the audit log configuration options. 

Monitor the audit log using rsyslog

The following sample rsyslog configuration file monitors the audit log file and forwards events to a Devo endpoint. 

/etc/rsyslog.d/45-modsecurity.conf file
$template modsecurity,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%" # File access $InputFileName /var/log/apache2/modsec_audit.log $InputFileTag web.apache.mod-security.pro.myapp.www1: $InputFileStateFile stat-file1-ModSecurityAudit $InputFileSeverity info $InputFileFacility local7 $InputFilePollInterval 1 $InputFilePersistStateInterval 1 $InputRunFileMonitor # SSL config for DEVO secure relay #$DefaultNetstreamDriver gtls # use gtls netstream driver #$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt #$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt #$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key #$ActionSendStreamDriverMode 1 # require TLS for the connection #$ActionSendStreamDriverAuthMode x509/name #$ActionSendStreamDriverPermittedPeer collector if $syslogtag contains 'web.apache.mod-security' and $syslogfacility-text == 'local7' then @@DEVO-RELAY:PORT;modsecurity :syslogtag, contains, "web.apache.mod-security" ~
  • Sending to a Devo Relay: Replace DEVO-RELAY and PORT with the IP address and the port of your Devo In-house Relay. 

  • Sending to the Devo Cloud: Uncomment the SSL config section and be sure the security certificate files are correctly referenced.  Replace DEVO-RELAY and PORT with the hostname of your Devo domain and port 443.

Related articles