Open
Description
Currently libmodsecurity does not provide any way to get structured data back from the result of a transaction (such as the score). This means (for example) you can't integrate it with some other scoring mechanism, use JSON logging, etc.
It's also a weird legacy of being tied to the Apache hip that hasn't been addressed.
It would be a useful feature to report results back as structured data. For example, here's some regex code that converts the final (score) log message into a structure of results:
```rust
use regex::Regex; // external crate: regex = "1"

/// Structured result pulled out of the final "Access denied" log line.
struct LogEntry {
    client_ip: String,
    status_code: u16,
    /// Parameter of the `Ge' operator: the configured anomaly-score threshold.
    threshold: u32,
    /// The transaction's actual TX:BLOCKING_INBOUND_ANOMALY_SCORE (the "Value:" part).
    score: u32,
    msg: String,
    uri: String,
    unique_id: String,
}

fn parse_log_entry(log: &str) -> Option<LogEntry> {
    // Regex pinned to the log entry format of the CRS blocking-evaluation rule.
    // Note that the `Ge' parameter is the threshold, not the score; the score is the
    // number after "Value:", so both are captured separately.
    let re = Regex::new(r#"\[client (?P<client_ip>[\d\.]+)\] ModSecurity: Access denied with code (?P<status_code>\d{3}) \(phase \d+\)\. Matched "Operator `Ge' with parameter `(?P<threshold>\d+)' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' \(Value: `(?P<score>\d+)' \) \[file ".*?"\] \[line "\d+"\] \[id "\d+"\] \[rev ""\] \[msg "(?P<msg>.*?)"\] \[data ".*?"\] \[severity "\d+"\] \[ver ".*?"\] \[maturity "\d+"\] \[accuracy "\d+"\] \[tag ".*?"\] \[tag ".*?"\] \[hostname ".*?"\] \[uri "(?P<uri>.*?)"\] \[unique_id "(?P<unique_id>.*?)"\] \[ref ".*?"\]"#).unwrap();

    // Capture the named groups; any line that does not match yields None.
    let captures = re.captures(log)?;
    Some(LogEntry {
        client_ip: captures["client_ip"].to_string(),
        // The groups only match digits, so a parse failure here means overflow; treat it as no match.
        status_code: captures["status_code"].parse().ok()?,
        threshold: captures["threshold"].parse().ok()?,
        score: captures["score"].parse().ok()?,
        msg: captures["msg"].to_string(),
        uri: captures["uri"].to_string(),
        unique_id: captures["unique_id"].to_string(),
    })
}
```
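An added example that is not part of the issue or of libmodsecurity: a std-only Rust parser that walks the `[key "value"]` segments of the same log line instead of pinning the whole line with one regex. That way it tolerates any number of `[tag "..."]` entries and any segment order, keeps the `Ge' parameter (threshold) apart from the actual `Value:` (score), and emits a JSON line without a serde dependency. The sample log line, client address, hostname, file path and unique_id are constructed; the rule id 949110 is the CRS blocking-evaluation rule.

```rust
use std::collections::HashMap;

/// Constructed sample of the final "Access denied" line (not a real capture).
pub const SAMPLE: &str = "[client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Matched \"Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `8' ) [file \"/etc/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"80\"] [id \"949110\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 8)\"] [data \"\"] [severity \"2\"] [ver \"OWASP_CRS/4.0.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"] [hostname \"www.example.test\"] [uri \"/index.php\"] [unique_id \"170000000012.345678\"] [ref \"\"]";

/// Structured view of one denial. `fields` holds every `[key "value"]` segment;
/// repeated keys such as `tag` keep all their values in order.
#[derive(Debug, PartialEq)]
pub struct DeniedEvent {
    pub client_ip: String,
    pub status_code: u16,
    /// Parameter of the `Ge' operator: the configured threshold.
    pub threshold: u32,
    /// Actual TX:BLOCKING_INBOUND_ANOMALY_SCORE of the transaction (the "Value:").
    pub score: u32,
    pub fields: HashMap<String, Vec<String>>,
}

/// Text between the first `start` and the next `end` after it.
fn between<'a>(s: &'a str, start: &str, end: &str) -> Option<&'a str> {
    let i = s.find(start)? + start.len();
    let rest = &s[i..];
    Some(&rest[..rest.find(end)?])
}

/// Collect every `[key "value"]` segment; unquoted ones like `[client 1.2.3.4]` are skipped.
/// Caveat: a value containing the two characters `"]` would be cut short, because
/// ModSecurity's own escaping is not re-implemented here.
fn parse_bracket_fields(s: &str) -> HashMap<String, Vec<String>> {
    let mut out: HashMap<String, Vec<String>> = HashMap::new();
    let mut rest = s;
    while let Some(open) = rest.find('[') {
        let seg = &rest[open + 1..];
        let space = match seg.find(' ') { Some(p) => p, None => break };
        let key = &seg[..space];
        let after_key = &seg[space + 1..];
        if !after_key.starts_with('"') {
            rest = seg; // not a quoted field; keep scanning after this '['
            continue;
        }
        let body = &after_key[1..];
        let close = match body.find("\"]") { Some(p) => p, None => break };
        out.entry(key.to_string()).or_default().push(body[..close].to_string());
        rest = &body[close + 2..];
    }
    out
}

/// Parse a denial produced by the anomaly-score blocking rule; other denials and
/// non-denial lines yield None so callers never get a score from the wrong rule.
pub fn parse_denied(line: &str) -> Option<DeniedEvent> {
    if !line.contains("against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE'") {
        return None;
    }
    let client_ip = between(line, "[client ", "]")?.to_string();
    let status_code = between(line, "Access denied with code ", " ")?.parse().ok()?;
    let threshold = between(line, "with parameter `", "'")?.parse().ok()?;
    let score = between(line, "(Value: `", "'")?.parse().ok()?;
    let fields = parse_bracket_fields(line);
    Some(DeniedEvent { client_ip, status_code, threshold, score, fields })
}

/// JSON string literal with the escaping RFC 8259 requires.
fn json_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

impl DeniedEvent {
    /// One JSON object per denial, suitable for a JSON log line.
    pub fn to_json(&self) -> String {
        let first = |k: &str| self.fields.get(k).and_then(|v| v.first()).map(String::as_str).unwrap_or("");
        let tags: Vec<String> = self.fields.get("tag").map(|v| v.iter().map(|t| json_str(t)).collect()).unwrap_or_default();
        format!(
            "{{\"client_ip\":{},\"status_code\":{},\"threshold\":{},\"score\":{},\"rule_id\":{},\"msg\":{},\"uri\":{},\"unique_id\":{},\"tags\":[{}]}}",
            json_str(&self.client_ip), self.status_code, self.threshold, self.score,
            json_str(first("id")), json_str(first("msg")), json_str(first("uri")), json_str(first("unique_id")), tags.join(",")
        )
    }
}

fn main() {
    println!("{}", parse_denied(SAMPLE).expect("sample parses").to_json());
}
```

Keeping the threshold and the score as separate numbers matters for the integration the issue asks for: a downstream scoring system wants the transaction's `Value`, while the `Ge' parameter only tells you what the deployment was configured to block at.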