Dockerfile

+FROM golang:1.19 AS gobuild
+COPY modsec_logger.go /src/modsec_logger.go
+WORKDIR /src
+RUN go build -tags netgo -o modsec_logger modsec_logger.go
+
 FROM composer:2.2.9 as build
 
 ADD . /build
@@ -15,6 +20,7 @@ COPY docker/wp-config.php /opt/noblogs/www/wp-config.php
 COPY docker/wp-cache-config.php /opt/noblogs/www/wp-content/wp-cache-config.php
 COPY docker/conf /tmp/conf
 COPY docker/build.sh /tmp/build.sh
+COPY --from=gobuild /src/modsec_logger /usr/local/bin/modsec_logger
 
 RUN /tmp/build.sh && rm /tmp/build.sh
 

composer.json

@@ -107,7 +107,7 @@
         "wpackagist-plugin/simply-exclude": "2.0.6.6",
         "wpackagist-plugin/soundcloud-shortcode": "3.0.2",
         "wpackagist-plugin/squat-radar-calendar-integration": "2.0.9",
-        "wpackagist-plugin/two-factor": "0.7.1",
+        "wpackagist-plugin/two-factor": "0.7.2",
         "wpackagist-plugin/video-sidebar-widgets": "6.1",
         "wpackagist-plugin/wordpress-importer": "0.7",
         "wpackagist-plugin/wp2pgpmail": "1.28",

composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "38d32ff5486d70742c153977c40d89fe",
+    "content-hash": "ab1d1f42916bbfb0ac34d7a1dd95f7ab",
     "packages": [
         {
             "name": "bjornjohansen/wplang",
@@ -1244,15 +1244,15 @@
         },
         {
             "name": "wpackagist-plugin/two-factor",
-            "version": "0.7.1",
+            "version": "0.7.2",
             "source": {
                 "type": "svn",
                 "url": "https://plugins.svn.wordpress.org/two-factor/",
-                "reference": "trunk"
+                "reference": "tags/0.7.2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://downloads.wordpress.org/plugin/two-factor.zip?timestamp=1648055632"
+                "url": "https://downloads.wordpress.org/plugin/two-factor.0.7.2.zip"
             },
             "require": {
                 "composer/installers": "^1.0 || ^2.0"

docker/conf/apache2/conf-available/modsecurity-custom.conf

@@ -6,5 +6,7 @@
                   SecRuleEngine Off
         </Location>
 
+	ErrorLog "|/usr/local/bin/modsec_logger"
+
 </IfModule>
 </IfModule>

modsec_logger.go

+// Tool to rewrite mod_security2 logs (very difficult to parse
+// although they are in semi-structured format) to JSON.
+//
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"regexp"
+)
+
+var (
+	outerRx = regexp.MustCompile(`\[[^\]]+]`)
+	innerRx = regexp.MustCompile(`\[([^ ]+) \"?(.*)\"\]$`)
+	needle  = []byte("ModSecurity: ")
+)
+
+func parseModSec(w io.Writer, line []byte) bool {
+	if !bytes.Contains(line, needle) {
+		return false
+	}
+
+	fields := make(map[string]interface{})
+	var tags []string
+	for _, inner := range outerRx.FindAll(line, -1) {
+		for _, matches := range innerRx.FindAllSubmatch(inner, -1) {
+			field := string(matches[1])
+			value := string(matches[2])
+			switch field {
+			case "tag":
+				tags = append(tags, value)
+			case "client", "unique_id", "file", "line":
+				// Suppress these tags.
+			default:
+				fields[field] = value
+			}
+		}
+	}
+	if len(fields) == 0 {
+		return false
+	}
+	if len(tags) > 0 {
+		fields["tag"] = tags
+	}
+
+	data, _ := json.Marshal(fields)
+	fmt.Fprintf(w, "@cee:{\"modsec\":%s}\n", data)
+	return true
+}
+
+func main() {
+	outw := os.Stdout
+
+	scanner := bufio.NewScanner(os.Stdin)
+	for scanner.Scan() {
+		line := scanner.Bytes()
+		if !parseModSec(outw, line) {
+			outw.Write(line)
+			io.WriteString(outw, "\n")
+		}
+	}
+}