This is a quick and dirty LogWatch script to process mod_security audit logs. I had a google, and couldn’t find any released scripts, so here’s my one.

[perl]
#!/usr/bin/perl -w
use strict;

# LogWatch passes the detail level in the environment; it is unused here
# but kept so the script can be extended to print less at lower levels.
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

# LogWatch feeds the log file lines to the service script on STDIN.
my $ThisLine;
while (defined($ThisLine = <STDIN>)) {
    chomp($ThisLine);
    # Each audit entry starts with a "Request:" line (client, request line, status)...
    if ( $ThisLine =~ m/^Request:/ ) {
        print $ThisLine."\n";
    }
    # ...and the "mod_security-message:" line says which rule fired.
    if ( $ThisLine =~ m/^mod_security-message/ ) {
        print $ThisLine."\n";
        print "\n";
    }
}
exit(0);
[/perl]

On Debian, you should just be able to drop the above script into /usr/share/logwatch/scripts/services (chmod +x too!), and then add this to /etc/logwatch/conf/logfiles/mod_security.conf:

[code]
########################################################
# Define log file group for mod_security
########################################################

# Where the log files are – you will need to match this to your configuration
# Note that a relative path like this will be expanded automatically to the
# standard log path (e.g. /var/log/… )

LogFile = apache2/audit.log.1
LogFile = apache2/audit.log

# If the archives are searched, here is one or more line
# (optionally containing wildcards) that tell where they are…
# Note: if these are gzipped, you need to end with a .gz even if you use wildcards…
Archive = apache2/*audit.log.*.gz
[/code]
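As an added example (not Simon's script), here is a Python take on the same idea that goes a step further: instead of echoing the raw lines, it pairs each "Request:" line with the "mod_security-message:" line that follows it and aggregates blocked requests by client address and by rule message, honouring LOGWATCH_DETAIL_LEVEL the way LogWatch service scripts do. The sample audit log is constructed, and the layout of the Request: line (client - - [time] "request line" status) is an assumption.

```python
import os, re, sys
from collections import Counter

# Constructed sample (not a real capture); the Request: line layout
# (client - - [time] "request line" status) is an assumption.
SAMPLE_AUDIT_LOG = """\
========================================
Request: 203.0.113.7 - - [10/Mar/2008:12:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 403 224
mod_security-message: Access denied with code 403. Pattern match "example-rule" at ARGS.
========================================
Request: 203.0.113.7 - - [10/Mar/2008:12:00:05 +0000] "POST /login HTTP/1.1" 403 224
mod_security-message: Access denied with code 403. Pattern match "example-rule" at ARGS.
========================================
Request: 198.51.100.2 - - [10/Mar/2008:12:01:00 +0000] "GET /admin/ HTTP/1.1" 403 224
mod_security-message: Access denied with code 403. Pattern match "admin-rule" at REQUEST_URI.
"""
REQUEST_RE = re.compile(r'^Request:\s+(?P<client>\S+)\s+\S+\s+\S+\s+\[[^\]]*\]\s+"(?P<request>[^"]*)"\s+(?P<status>\d{3})')
MESSAGE_RE = re.compile(r'^mod_security-message:\s+(?P<message>.*)$')

def parse_audit_log(text):
    # Pair each Request: line with the mod_security-message line that follows it.
    entries, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = m.groupdict()
            entries.append(current)
            continue
        m = MESSAGE_RE.match(line)
        if m and current is not None:
            current["message"] = m.group("message")
    return entries

def summarize(entries):
    # Count blocked requests by client address and by rule message.
    return {"by_client": Counter(e["client"] for e in entries),
            "by_message": Counter(e.get("message", "(no message)") for e in entries)}

def report(text, detail=0):
    # LogWatch-style summary; detail > 0 (LOGWATCH_DETAIL_LEVEL) also lists each request.
    entries = parse_audit_log(text)
    s = summarize(entries)
    lines = ["mod_security blocked %d request(s)" % len(entries)]
    lines += ["  %5d  from %s" % (n, c) for c, n in s["by_client"].most_common()]
    lines += ["  %5d  %s" % (n, m) for m, n in s["by_message"].most_common()]
    if detail > 0:
        lines += ["    %s %s -> %s" % (e["client"], e["request"], e["status"]) for e in entries]
    return "\n".join(lines)

if __name__ == "__main__":  # LogWatch feeds the log on stdin; fall back to the sample
    data = SAMPLE_AUDIT_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(report(data, int(os.environ.get("LOGWATCH_DETAIL_LEVEL", "0"))))
```

Dropped into the same services directory as the Perl script, LogWatch would run it with the audit log on stdin and the detail level in the environment.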

–Simon