This post shows how to check which ModSecurity rules were triggered, using the audit log on Nginx. It is useful for seeing which rule IDs, IPs and URLs trigger ModSecurity rules and cause the related connections to be blocked.
Here’s the command:
grep "\[id" /var/log/modsec_audit.log | sed -E -e 's#^.*\[id "([0-9]*).*hostname "([a-z0-9._-]*)"].*uri "(.*?)".*"#\1 \2 \3#' | cut -d\" -f1 | sort -n | uniq -c | sort -n
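An added example, not the original author's command: the same tally done with awk, pulling each `[name "value"]` field out on its own so that hostnames containing hyphens or uppercase letters are still counted. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count ModSecurity rule hits per (rule id, hostname, uri).

# Constructed sample lines in the audit log's [name "value"] field style.
modsec_sample_log() {
  cat <<'EOF'
ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "shop-1.example.com"] [uri "/login"] [unique_id "c1"]
ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "shop-1.example.com"] [uri "/login"] [unique_id "c2"]
ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [hostname "192.0.2.10"] [uri "/"] [unique_id "c3"]
---c3---Z--
EOF
}

# Reads the audit log from the files given as arguments, or from stdin.
# Prints "count id hostname uri", lowest count first (same order as sort -n).
modsec_rule_hits() {
  awk '
    # Return the value of the first [name "value"] field, or "-" if absent.
    # A value that itself contains a double quote is not matched.
    function field(line, name,    s) {
      if (!match(line, "\\[" name " \"[^\"]*\"]")) return "-"
      s = substr(line, RSTART, RLENGTH)
      sub("^\\[" name " \"", "", s)   # strip the leading [name "
      sub("\"]$", "", s)              # strip the trailing "]
      return s
    }
    # Only lines carrying a rule id are rule matches; "[unique_id" does not
    # match because the pattern requires "[" directly before "id".
    /\[id "/ {
      hits[field($0, "id") " " field($0, "hostname") " " field($0, "uri")]++
    }
    END { for (k in hits) printf "%7d %s\n", hits[k], k }
  ' "$@" | sort -n
}

# Demo on the constructed sample; on a server, pass the audit log path instead.
modsec_sample_log | modsec_rule_hits
```

On a real host, `modsec_rule_hits /var/log/modsec_audit.log` gives the same kind of listing as the one-liner above.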