This guide will take you through how to process ModSecurity logs using Wazuh. ModSecurity WAF can be integrated with Wazuh in order to process the generated alert logs for better analysis and visualization.
Process ModSecurity Logs using Wazuh
In order to process ModSecurity logs using Wazuh;
Install and setup Wazuh server;
If not already configured, use the guides below to install and setup Wazuh;
Install and Configure ModSecurity WAF
On you web servers, you need to install and activate ModSecurity WAF to protect your web server against attacks. You can use the guides below on how to install and configure ModSecurity WAF;
By default, ModSecurity logs attack related logs to HTTP server Error log file or to the ModSecurity audit logs file.
In order to be able to process the ModSecurity Logs using Wazuh, the logs that are written to the HTTP server needs to be collected using Wazuh agent and pushed to the Wazuh manager for processing.
In my current setup, my Modsecurity WAF is logging to Apache Error log file;
grep denied /var/log/apache2/error.log
[Sat Apr 30 23:42:36.559613 2022] [:error] [pid 4504:tid 140114027435584] [client 127.0.0.1:57026] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "bin/ls" at ARGS:doc. [file "/etc/modsecurity/crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "518"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/ls found within ARGS:doc: /bin/ls"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "Ym2fPFtd6Nody7X50nHgUwAAAAA"]
Configure Wazuh Agent to Read ModSecurity Logs
Thus, you can now configure Wazuh agents to read the Apache error log and push the ModSecurity events to the Wazuh manager for processing.
</ossec_config>, paste the configuration lines below;
<localfile> <log_format>apache</log_format> <location>/var/log/apache2/access.log</location> </localfile> <localfile> <log_format>apache</log_format> <location>/var/log/apache2/error.log</location> </localfile>
Save and exit the file;
Check for any syntax error;
Exit status is 0 if no error.
Restart Wazuh agent;
systemctl restart wazuh-agent
Verify Wazuh ModSecurity Log Processing
By default, Wazuh manager ships with ruleset that can process ModSecurity events for better visualization and analysis.
Thus, navigate to Wazuh web interface and check the events related to the Wazuh agent shipping the ModSecurity logs.
Expanding the event;
And that is how you can easily process ModSecurity Logs using Wazuh.
Want to apply further processing to ModSecurity logs? Check the guide below;