ModSecurity JSON audit log - Suggested format.
Based on the format suggested here: https://www.cryptobells.com/logging-mod_security-in-json/
{
"transaction":{
"timestamp":"2014-12-25 04:18:36",
"id":"aHRXe8aaAAddEv9@dkAAAAa",
"client ip":"204.13.202.8",
"client port":44232,
"host ip":"192.168.240.12",
"host port":80,
"server id":"8978168178dg1871gd8712gd81hgdsahdf72gfgd8gwfkwh",
"request":{
"protocol":"POST",
"uri":"/something/over/there.html",
"http version":1.1,
"headers":{
"User-Agent":"Wheee",
"Cache-control":"no-cache",
"Content-type":"text/html",
"Host":"www.google.com",
"Connection":"keep-alive",
"Content-Length":221
},
"body":"..request body goes here, if any..."
},
"response":{
"http version":1.1,
"http code":200,
"headers":{
"Accept-Ranges":"bytes",
"Content-Length":92,
"Connection":"close",
"Content-type":"text/html; charset=ISO-8859-1"
},
"body":"... response body goes here ..."
},
"producer":{
"connector":{
"name":"ModSecurity for nginx",
"version":"1.0 beta"
},
"libmodsecurity":{
"version":"3.0.0 beta"
},
"rules":[
"OWASP_CRS/3.0.0",
"Custom"
],
"server":"Apache/2.2.22 (EL) DAV/2 Phusion_Passenger/4.0.48 mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5",
"secrules engine":"enabled",
"Apache-Handler":"proxy-server",
"Stopwatch":"1417762077443733 384389 (- - -)",
"Stopwatch2":"1417762077443733 384389; combined=20536, p1=354, p2=2901, p3=11, p4=16692, p5=578, sr=72, sw=0, l=0, gc=0",
"Response-Body-Transformed":"Dechunked"
},
"messages":[
{
"actionset":"Warning",
"message":"Pattern match \"\\\\< ?script\\\\b\" at ARGS_NAMES:<script.",
"data":{
"file":"\/etc\/modsecurity\/modsecurity.conf",
"line":2164,
"id":"958051",
"rev":"2",
"msg":"Cross-site Scripting (XSS) Attack",
"data":"Matched Data: <script found within ARGS_NAMES:<script: <script",
"severity":2,
"ver":"OWASP_CRS\/2.2.9",
"maturity":8,
"accuracy":8,
"tags":[
"OWASP_CRS\/WEB_ATTACK\/XSS",
"WASCTC\/WASC-8",
"WASCTC\/WASC-22",
"OWASP_TOP_10\/A2",
"OWASP_AppSensor\/IE1",
"PCI\/6.5.1"
]
}
},
{
"actionset":"Warning",
"message":"Operator GE matched 5 at TX:inbound_anomaly_score.",
"data":{
"file":"\/etc\/modsecurity\/modsecurity.conf",
"line":2814,
"id":"981204",
"msg":"Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=0, XSS=5): Cross-site Scripting (XSS) Attack"
}
}
]
}
}