Recipe 1-11: Using the ModSecurity AuditConsole
This recipe shows you how to set up the ModSecurity AuditConsole for centralized logging of audit log data.
Ingredients
- Jwall AuditConsole
- ModSecurity’s mlogc program
Recipe 1-10 showed you how to centralize the short, one-line ModSecurity alert message that is sent to the Apache error_log file by sending it through Syslog. This is a good approach, but the main disadvantage is that the data being centrally logged is only a small subset of the data that was logged in the audit log file. To confirm the accuracy of the alert messages, you need to review the full audit log file data. One application that can be used for central logging of ModSecurity events is AuditConsole, a Java tool written by Christian Bockermann.
Installation
Here are the basic steps for installing the AuditConsole. First, download the latest version of the console from http://download.jwall.org/AuditConsole/current/. Next, you need to choose a location where you want the console to be installed. The following commands assume that you will place it under the /opt directory:
# cd /opt
# unzip /path/to/AuditConsole-0.4.3-16-standalone.zip
# cd /opt/AuditConsole
# chmod 755 bin/*.sh
At the time this book was written, the latest version was 0.4.3-16.
The chmod command is required, because zip archives normally do not preserve the executable bit required on the scripts under the bin/ directory. The final step is to start the console, log into the web interface, ...