Skip to content
/ ModSecurityLog Public

ModSecurity IIS Log Capture Service is a Windows Service that watches the log folder and automatically captures the logs and sends them to a configured NLog target, like a SQL Server Database.

License

MIT license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

truemed/ModSecurityLog

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
bin
bin
 
 
src
src
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

ModSecurity IIS Logging Windows Service

ModSecurity Log Capture Service is a Windows Service that watches the ModSecurity log folder and automatically captures the logs and sends them to a configured NLog target, like a SQL Server Database. It uses a Windows File Watcher, listening to the FileCreated event, at which time it reads the log file, and uses NLog to send the log to the Database. Since it uses NLog, it could be any NLog Target.

ModSecurity is an open source, cross platform web application firewall for IIS, Apache and Nginx.

How to install the Windows Service

  1. Download the Release zip file
  2. Unzip the files in the release to a folder.
  3. Run the install.ps1 command (Open Powershell as Administrator). (This uses the InstallUtil from the .NET framework.)
  4. Open up Local Services (Control Panel > Administrative Tools > Services) and select "ModSecurityLog" and click "Start". You may need to update the permissions on the folder to allow the "Network Service" user read access for the service to start.

Configure ModSecurity

  1. Open the modsecurity_iis.conf file and update it to the following:

    SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLogFormat JSON
SecAuditLogStorageDir "D:\Path\To\Log\Directory"
SecAuditLog "D:\Path\To\Log\Directory\modsec_audit.log"

  2. Back in this service's folder, open up the ModSecurityLogService.exe.config file and update the LogPath to be the same as the SecAuditLogStorageDir value.

Ensure that you restart this windows service (ModSecurityLog) any time you make changes to the ModSecurityLogService.exe.config file.

How to configure NLog/Database target settings

  1. Open nlog.config, file.
  2. Update the <target> to match your Database settings and table format.
  3. Alternatively, create your own custom NLog <target>

How to uninstall

  1. Stop the service (Control Panel > Administrative Tools > Services > ModSecurityLog)
  2. Run the install.ps1 -uninstall command. (Open Powershell as Administrator)

To Be Extended..

This service could be extended to trigger IP Restrictions on an external firewall or send an alert to an admin of attack velocity. These are both ideas of modules that could use the ModSecurity data to trigger actions to do something about the alerts.

About

ModSecurity IIS Log Capture Service is a Windows Service that watches the log folder and automatically captures the logs and sends them to a configured NLog target, like a SQL Server Database.

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages