This is a quick and dirty LogWatch script to process mod_security audit logs. I had a Google and couldn't find any released scripts, so here's mine.

PERL:
  #!/usr/bin/perl -w
  use strict;

  # LogWatch passes its detail level in the environment (not used by this script)
  my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

  my $ThisLine;
  # LogWatch feeds the audit log on standard input (the handle is STDIN, upper case)
  while (defined($ThisLine = <STDIN>)) {
      chomp($ThisLine);
      # The request line that opens each audit entry
      if ( $ThisLine =~ m/^Request:/ )
      {
          print $ThisLine."\n";
      }
      # The reason mod_security acted on the request
      if ( $ThisLine =~ m/^mod_security-message/ )
      {
          print $ThisLine."\n";
          print "\n";
      }
  }
  exit(0);

On Debian, you should just be able to drop the above script into /usr/share/logwatch/scripts/services (chmod +x too!), and then add this to /etc/logwatch/conf/logfiles/mod_security.conf:

CODE:
  ########################################################
  #   Define log file group for mod_security
  ########################################################

  # Where the log files are - you will need to match this to your configuration
  # Note that a relative path like this will be expanded automatically to the
  # standard log path (e.g. /var/log/... )

  LogFile = apache2/audit.log.1
  LogFile = apache2/audit.log

  # If the archives are searched, here is one or more lines
  # (optionally containing wildcards) that tell where they are...
  # Note: if these are gzipped, you need to end with a .gz even if you use wildcards...
  Archive = apache2/*audit.log.*.gz
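The script above echoes every matching line, which gets long on a busy server. Below is an added example (my own code, not Simon's script) of a LogWatch filter for the same mod_security 1.x audit format that counts denials by message and by client address instead, and only lists individual requests when LogWatch runs at a high detail level. It assumes the first token after "Request:" is the client address, and the "--demo" switch and the sample entries under __DATA__ are constructed for trying it by hand; in LogWatch the log arrives on STDIN.

```perl
#!/usr/bin/perl -w
# Added example, not the original poster's script: a LogWatch filter that
# summarises mod_security 1.x audit-log entries instead of echoing them.
# Assumed entry layout: a "Request: <client> ..." line, followed later by an
# optional "mod_security-message: ..." line saying why a rule fired.
use strict;

my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

# Read audit-log lines from $fh and return a hashref of counters:
#   requests - number of audited requests seen
#   by_msg   - denials keyed by the mod_security message (the rule that fired)
#   by_ip    - denials keyed by the client address from the Request line
#   lines    - the raw Request lines, kept for high detail levels
sub summarise {
    my ($fh) = @_;
    my %stats = ( requests => 0, by_msg => {}, by_ip => {}, lines => [] );
    my $client = 'unknown';
    while (defined(my $line = <$fh>)) {
        chomp $line;
        if ($line =~ /^Request:\s+(\S+)/) {
            $client = $1;                 # remember who sent this entry's request
            $stats{requests}++;
            push @{ $stats{lines} }, $line;
        }
        elsif ($line =~ /^mod_security-message:\s*(.*\S)/) {
            $stats{by_msg}{$1}++;
            $stats{by_ip}{$client}++;
        }
    }
    return \%stats;
}

# Print a counter hash as "count  key", most frequent first.
sub print_counts {
    my ($title, $counts) = @_;
    print "$title\n";
    for my $key (sort { $counts->{$b} <=> $counts->{$a} || $a cmp $b } keys %$counts) {
        printf "   %5d  %s\n", $counts->{$key}, $key;
    }
    print "\n";
}

sub report {
    my ($s) = @_;
    print "mod_security: $s->{requests} audited request(s)\n\n";
    print_counts("Denials by message:", $s->{by_msg});
    print_counts("Denials by client:",  $s->{by_ip});
    # Only list individual requests when LogWatch is run at a high detail level
    if ($Detail >= 5) {
        print "Audited requests:\n";
        print "   $_\n" for @{ $s->{lines} };
        print "\n";
    }
}

# As a LogWatch service script the log arrives on STDIN; "--demo" reads the
# constructed sample entries below instead so the script can be tried by hand.
my $fh = (@ARGV && $ARGV[0] eq '--demo') ? \*DATA : \*STDIN;
report(summarise($fh));
exit(0);

__DATA__
========================================
Request: 192.0.2.10 - - [12/Mar/2005:10:15:02 +0000] "GET /index.php?id=1%20union%20select HTTP/1.1" 403 0
Handler: (null)
----------------------------------------
GET /index.php?id=1%20union%20select HTTP/1.1
Host: www.example.com
mod_security-message: Access denied with code 403. Pattern match "union.*select" at THE_REQUEST.
mod_security-action: 403

========================================
Request: 192.0.2.10 - - [12/Mar/2005:10:15:09 +0000] "GET /index.php?id=2%20union%20select HTTP/1.1" 403 0
Handler: (null)
----------------------------------------
GET /index.php?id=2%20union%20select HTTP/1.1
Host: www.example.com
mod_security-message: Access denied with code 403. Pattern match "union.*select" at THE_REQUEST.
mod_security-action: 403

========================================
Request: 198.51.100.7 - - [12/Mar/2005:11:02:44 +0000] "GET /cgi-bin/test.cgi?f=../../etc/passwd HTTP/1.1" 403 0
Handler: (null)
----------------------------------------
GET /cgi-bin/test.cgi?f=../../etc/passwd HTTP/1.1
Host: www.example.com
mod_security-message: Access denied with code 403. Pattern match "\.\./" at THE_REQUEST.
mod_security-action: 403
```

Running it with "--demo" reports three audited requests, two denials for the "union.*select" rule and one for "\.\./", and two for 192.0.2.10 against one for 198.51.100.7. Installed as /usr/share/logwatch/scripts/services/mod_security alongside the logfiles group above, it also needs a LogWatch services definition (/etc/logwatch/conf/services/mod_security.conf with a Title and LogFile = mod_security) before LogWatch will call it. Note that the message text is printed verbatim from the log, so the report is only as tidy as what mod_security wrote.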

--Simon