ModSecurity Audit Log Collector (mlogc)

Mlogc is used to connect a ModSecurity sensor to the central
audit log repository.

To Install:
===========

1) Copy the mlogc executable to an appropriate location.

   A good location might be /usr/local/bin, /opt/mlogc/bin, etc.

2) Create a sensor in the central audit log repository. Note the
   username and the password (SENSOR_USERNAME, SENSOR_PASSWORD).
   Also note the IP address the central repository listens on
   (CONSOLE_IP_ADDRESS).

3) Configure the ModSecurity sensor to use mlogc

   # Use RelevantOnly auditing
   SecAuditEngine RelevantOnly

   # Must use concurrent logging
   SecAuditLogType Concurrent

   # Send all audit log parts
   SecAuditLogParts ABIDEFGHZ

   # Use the same /CollectorRoot/LogStorageDir as in mlogc.conf
   SecAuditLogStorageDir /var/log/mlogc/data

   # Pipe audit log to mlogc with your configuration
   SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"

4) Using the mlogc-default.conf as a template, configure the logger.

   Typically these are the only directives that will need to be modified
   to conform to your site:

   # Points to the root of the installation. All relative
   # paths configured in this file will be resolved with the
   # help of this path (LogStorageDir, TransactionLog, etc.)
   #
   # Typically, this will be the parent directory that is configured
   # in ModSecurity for the SecAuditLogStorageDir. So, if
   # your SecAuditLogStorageDir is set to /var/log/mlogc/data,
   # then set this to /var/log/mlogc.
   CollectorRoot "/var/log/mlogc"

   # ModSecurity Console receiving URI. You can change the host
   # and the port parts but leave everything else as is.
   ConsoleURI https://CONSOLE_IP_ADDRESS:8886/rpc/auditLogReceiver

   # Sensor credentials
   SensorUsername "SENSOR_USERNAME"
   SensorPassword "SENSOR_PASSWORD"

   # Base directory where the audit logs are stored. This can be specified
   # as a path relative to the CollectorRoot, or a full path. It should
   # resolve to the same path as ModSecurity's SecAuditLogStorageDir.
   LogStorageDir "data"

   See the mlogc-default.conf configuration file for details on other
   configuration directives.

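   An added consistency check for steps 3 and 4 (example code, not part of mlogc or its
   README): it parses the two configuration fragments, confirms the ModSecurity directives
   the collector requires, and verifies that SecAuditLogStorageDir resolves to
   CollectorRoot/LogStorageDir, the mismatch that leaves audit logs on disk but never sent.
   The sample fragments, console address and credentials are constructed.

```python
import os
import re
import shlex

# Constructed sample fragments mirroring steps 3 and 4 of the README (not real files).
MODSEC_CONF = """
SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLogParts ABIDEFGHZ
SecAuditLogStorageDir /var/log/mlogc/data
SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
"""
MLOGC_CONF = """
CollectorRoot "/var/log/mlogc"
ConsoleURI https://203.0.113.10:8886/rpc/auditLogReceiver
SensorUsername "sensor1"
SensorPassword "example-password"
LogStorageDir "data"
"""

def parse_directives(text):
    """Map 'Directive value' lines to {directive: value}; '#' comment lines are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # strips the quotes the README uses around values
            if len(parts) >= 2:
                out[parts[0]] = " ".join(parts[1:])
    return out

def check_mlogc_setup(modsec_text, mlogc_text):
    """Return a list of problems; an empty list means the two configs agree."""
    ms, ml, problems = parse_directives(modsec_text), parse_directives(mlogc_text), []
    for name, want in (("SecAuditEngine", "RelevantOnly"), ("SecAuditLogType", "Concurrent"),
                       ("SecAuditLogParts", "ABIDEFGHZ")):
        if ms.get(name) != want:
            problems.append(f"{name} should be {want}, found {ms.get(name)!r}")
    if not ms.get("SecAuditLog", "").startswith("|"):
        problems.append("SecAuditLog must pipe to mlogc (value starting with '|')")
    # LogStorageDir may be relative to CollectorRoot or absolute; os.path.join handles both.
    storage = os.path.normpath(os.path.join(ml.get("CollectorRoot", ""), ml.get("LogStorageDir", "")))
    if storage != os.path.normpath(ms.get("SecAuditLogStorageDir", "")):
        problems.append(f"SecAuditLogStorageDir {ms.get('SecAuditLogStorageDir')!r} != {storage!r}")
    if not re.fullmatch(r"https?://[^/]+/rpc/auditLogReceiver", ml.get("ConsoleURI", "")):
        problems.append("ConsoleURI must keep the /rpc/auditLogReceiver path")
    for key in ("SensorUsername", "SensorPassword"):
        if ml.get(key, "") in ("", "SENSOR_USERNAME", "SENSOR_PASSWORD"):
            problems.append(f"{key} is unset or still the template placeholder")
    return problems
```

   Run check_mlogc_setup() against your real modsecurity.conf and mlogc.conf text before
   restarting the sensor; an empty result means the paths and directives line up.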

5) Restart the ModSecurity sensor.

   From now on every audit log generated will go to the repository. Make
   sure you create an alert. Transactions without alerts will be recorded
   but not displayed on the home page.

   To troubleshoot, generate alerts and observe the file "mlogc-error.log".

   If mlogc fails to connect to the server it will pause for a period
   of time (60 seconds by default) before it tries again.