This time writing about how to check triggered ModSecurity rules on Nginx audit logs. This useful to check which rules ID, IP and URL that trigger ModSecurity roles and block related connection.

Here’s the command

#grep "\[id" /var/log/modsec_audit.log| sed -E -e 's#^.*\[id "([0-9]*).*hostname "([a-z0-9\-\_\.]*)"].*uri "(.*?)".*"#\1 \2 \3#' | cut -d\" -f1 | sort -n | uniq -c | sort -nthe command;
Previous ArticleNext Article

Leave a Reply

Your email address will not be published. Required fields are marked *