AuditLogger
Most webservers write access-log files which contain the source address of the client, the date of the access, the accessed URL and the status code of the server response. This data is not specific enough for an effective analysis of the web communication, so more detailed information is needed. The ModSecurity module integrates an audit-logging engine which writes detailed log data in a ModSecurity-specific format. Unfortunately, writing such complex log data loads the webserver system and might cause performance issues, which in turn make the web application's responses seem sluggish.
To overcome this problem I wrote AuditLogger. It is basically a tool that reads HTTP streams via a sniffer tool and writes the complete audit log in the ModSecurity format to disk. This lets you do the audit logging on a separate machine, fed by a network tap or the monitor port of your switch. Thus it doesn't affect the webserver's performance, but still provides you with the most detailed logging data.
This way it can act as a sensor for a web-application-oriented intrusion detection system.
Features
AuditLogger provides basically three features:
- Writing audit events of HTTP traffic read from tcpick
- Reading mod_security audit logs
- Network access to the audit stream via secure sockets
Audit event server
Audit events from mod_security2 audit logfiles can be read, parsed and written by AuditLogger. It also includes a small server component which can be used to make these events accessible to a graphical tool like AuditViewer. Since these events contain private data, communication is done via SSL sockets and an authentication scheme is employed.
Dependencies
For creating audit events from tcpick, AuditLogger relies on a patched version of tcpick, which is a TCP sniffer and re-assembling tool. Combined with this tool, AuditLogger follows HTTP streams, reads the application data and can in principle be used to log any part of the communication. As you might expect, AuditLogger also depends on modsecurity.jar, which encapsulates the data format and additional Java classes.
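The reading and parsing of mod_security2 audit logfiles mentioned under "Audit event server", as an added example that is not AuditLogger's own code (the project is Java; this is Python). It assumes the serial single-file audit-log layout of ModSecurity 2 (boundary-delimited parts A, B, C, F, Z), and the log entry it parses is constructed.

```python
import re
# Constructed sample entry in the mod_security2 serial audit-log format (not a real capture).
SAMPLE_LOG = """\
--3f2a9c1d-A--
[13/Mar/2010:10:43:51 +0100] S5tCd38AAQEAAFa@JYQAAAAB 192.168.1.10 51234 192.168.1.20 80
--3f2a9c1d-B--
POST /login HTTP/1.1
Host: www.example.com

--3f2a9c1d-C--
user=alice&q=test
--3f2a9c1d-F--
HTTP/1.1 403 Forbidden

--3f2a9c1d-Z--
"""
# Parts are delimited by "--<8 hex id>-<letter>--": A meta line, B request headers, C request body, F response headers, Z end.
BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")
AUDIT_A = re.compile(r"^\[(?P<time>[^\]]+)\] (?P<uid>\S+) (?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+)$")

def parse_entry(sections):
    """Extract the fields a viewer needs; None when section A is missing or malformed."""
    m = AUDIT_A.match(sections.get("A", ""))
    if not m:
        return None
    event = m.groupdict()
    event["method"], event["uri"] = (sections.get("B", "").split("\n", 1)[0].split(" ") + ["", ""])[:2]
    resp = sections.get("F", "").split("\n", 1)[0].split(" ")
    event["status"] = resp[1] if len(resp) > 1 and resp[1].isdigit() else ""
    event["body"] = sections.get("C", "")  # request bodies are the private data the page mentions
    return event

def parse_audit_log(text):
    """One dict per complete (Z-terminated) entry; a truncated tail entry without Z is dropped."""
    entries, parts, part = [], {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if not m:
            if part is not None:
                parts[part].append(line)
        elif m.group(2) == "Z":
            event = parse_entry({k: "\n".join(v).strip() for k, v in parts.items()})
            if event:
                entries.append(event)
            parts, part = {}, None
        else:
            part = m.group(2)
            parts[part] = []
    return entries
```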