modsecurity audit log analyser and parser
Get an overview of the security incidents reported by the ModSecurity module from a modsec_audit.log file.
modsecurity parser is a Python program that reads a https://www.modsecurity.org/ modsec_audit.log, transforms the events it reads into more human- and machine-readable formats (xlsx/json) and produces basic charts.
Functionality list:
The software needs at least Python 3.8.10 plus additional libraries.
Install them with the command
pip3 install -r requirements.txt
python3 modsecurity_parser.py -f /home/user/logs/modsec_audit.log
In that case the results are written to a "modsec_output" subdirectory created next to the log being analysed.
python3 modsecurity_parser.py -h
INCLUDE and EXCLUDE filters are available for source IP addresses.
--exclude (e.g. "--exclude 192.168.0.1 10.0.0.1") simply skips events with the given source IP addresses.
--include (e.g. "--include 10.0.5.6") takes precedence over EXCLUDE: only events with the given source IP addresses are processed.
--jsononeperline - recommended for a large number of events, e.g. when the produced JSON is meant to be read by another SIEM tool. It uses the very same format ModSecurity itself writes when its logging type is set to "JSON".
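As an added example (not the project's own code), a minimal reader for the native, non-JSON audit log layout the tool parses, applying the --include/--exclude precedence described above; the sample log, its boundary values and IPs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the native modsec_audit.log layout: each transaction is a
# run of "--<boundary>-<letter>--" sections, opened by part A and closed by part Z.
SAMPLE_LOG = """\
--a1b2c3d4-A--
[13/Mar/2023:10:15:01 +0000] AAAA-1 192.168.0.1 51234 10.0.0.5 80
--a1b2c3d4-B--
GET /index.php?id=1 HTTP/1.1
--a1b2c3d4-Z--

--e5f6a7b8-A--
[13/Mar/2023:10:15:02 +0000] AAAA-2 10.0.5.6 40001 10.0.0.5 80
--e5f6a7b8-Z--

--c9d0e1f2-A--
[13/Mar/2023:10:15:03 +0000] AAAA-3 10.0.0.1 40002 10.0.0.5 80
--c9d0e1f2-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Part A header: [timestamp] unique_id src_ip src_port dst_ip dst_port
PART_A_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) \d+ (?P<dst>\S+) \d+$")

def parse_audit_log(text):
    """Split a native audit log into transactions: {section_letter: [lines]} per event."""
    transactions, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            section = m.group(2)
            if section == "A":        # part A always opens a new transaction
                current = defaultdict(list)
                transactions.append(current)
            elif section == "Z":      # part Z closes it, so trailing blank lines are dropped
                current = None
            continue
        if current is not None:
            current[section].append(line)
    return transactions

def source_ip(tx):
    m = PART_A_RE.match(tx["A"][0])   # source IP is the third field of the part A line
    return m.group("src") if m else None

def filter_by_source(transactions, include=(), exclude=()):
    """--include takes precedence and keeps only listed sources; else --exclude drops them."""
    if include:
        return [tx for tx in transactions if source_ip(tx) in set(include)]
    return [tx for tx in transactions if source_ip(tx) not in set(exclude)]
```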
Processing a ModSecurity 3 log:
--version3 (e.g. "modsecurity_parser.py -f modsec_audit.log --version3")
Processing a ModSecurity log in JSON format:
--jsonaudit (e.g. "modsecurity_parser.py -f modsec_audit.log --jsonaudit")
Create a subfolder (e.g. "modseclogs") and put some ModSecurity audit logs into it (by default only a file named modsec_audit.log is processed). Output files will be created inside ${subfolder}/modsec_output.
Run the command
docker run --rm -ti --mount type=bind,source="$(pwd)"/modseclogs,target=/opt/mounted molu8bits/modsecurity-parser:latest
To see more Docker options:
docker run --rm -ti -e HELP=Yes molu8bits/modsecurity-parser:latest