Skip to content
Snippets Groups Projects
Normal view Permalink
modsec_logger.go 1.25 KiB
Newer Older
  • Learn to ignore specific revisions
    • ale's avatar
    Run mod_security logs through a JSON converter
    ale committed
    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 
    // Tool to rewrite mod_security2 logs (very difficult to parse
// although they are in semi-structured format) to JSON.
//
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"regexp"
)

var (
	outerRx = regexp.MustCompile(`\[[^\]]+]`)
	innerRx = regexp.MustCompile(`\[([^ ]+) \"?(.*)\"\]$`)
	needle  = []byte("ModSecurity: ")
)

func parseModSec(w io.Writer, line []byte) bool {
	if !bytes.Contains(line, needle) {
		return false
	}

	fields := make(map[string]interface{})
	var tags []string
	for _, inner := range outerRx.FindAll(line, -1) {
		for _, matches := range innerRx.FindAllSubmatch(inner, -1) {
			field := string(matches[1])
			value := string(matches[2])
			switch field {
			case "tag":
				tags = append(tags, value)
			case "client", "unique_id", "file", "line":
				// Suppress these tags.
			default:
				fields[field] = value
			}
		}
	}
	if len(fields) == 0 {
		return false
	}
	if len(tags) > 0 {
		fields["tag"] = tags
	}

	data, _ := json.Marshal(fields)
	fmt.Fprintf(w, "@cee:{\"modsec\":%s}\n", data)
	return true
}

func main() {
    ale's avatar
    Do not buffer the output  
    ale committed
    56 
    	outw := os.Stdout
    ale's avatar
    Run mod_security logs through a JSON converter
    ale committed
    57 58 59 60 61 62 63 64 65 66 
    
	scanner := bufio.NewScanner(os.Stdin)
	for scanner.Scan() {
		line := scanner.Bytes()
		if !parseModSec(outw, line) {
			outw.Write(line)
			io.WriteString(outw, "\n")
		}
	}
}