2.5.13/2.5.x/apache2/mlogc-src/INSTALL

@@ -0,0 +1,76 @@
+ModSecurity Audit Log Collector (mlogc)
+
+Mlogc is used to connect a ModSecurity sensor to the central
+audit log repository.
+
+To Install:
+===========
+
+  1) Copy the mlogc executable to an appropriate location.
+
+     A good location might be /usr/local/bin, /opt/mlogc/bin, etc.
+
+  2) Create sensor in the central audit log repository. Note the
+     username and the password (SENSOR_USERNAME, SENSOR_PASSWORD).
+     Also note the IP address central repository listens on
+     (CONSOLE_IP_ADDRESS).
+
+  3) Configure the ModSecurity sensor to use mlogc
+
+     # Use ReleventOnly auditing
+     SecAuditEngine RelevantOnly
+
+     # Must use concurrent logging
+     SecAuditLogType Concurrent
+
+     # Send all audit log parts
+     SecAuditLogParts ABIDEFGHZ
+
+     # Use the same /CollectorRoot/LogStorageDir as in mlogc.conf
+     SecAuditLogStorageDir /var/log/mlogc/data
+
+     # Pipe audit log to mlogc with your configuration
+     SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
+
+  4) Using the mlogc-default.conf as a template, configure the logger.
+
+     Typically these are the only directives that will need to be modified
+     to conform to your site:
+
+     # Points to the root of the installation. All relative
+     # paths configured in this file will be resolved with the
+     # help of this path (LogStorageDir, TransactionLog, etc.)
+     #
+     # Typically, this will be the parent directory that is configured
+     # in ModSecurity for the SecAuditLogStorageDirectory.  So, if
+     # your SecAuditLogStorageDirectory is set to /var/log/mlogc/data,
+     # then set this to /var/log/mlogc.
+     CollectorRoot       "/var/log/mlogc"
+
+     # ModSecurity Console receiving URI. You can change the host
+     # and the port parts but leave everything else as is.
+     ConsoleURI          https://CONSOLE_IP_ADDRESS:8886/rpc/auditLogReceiver
+
+     # Sensor credentials
+     SensorUsername      "SENSOR_USERNAME"
+     SensorPassword      "SENSOR_PASSWORD"
+
+     # Base directory where the audit logs are stored.  This can be specified
+     # as a path relative to the CollectorRoot, or a full path.  It should
+     # resolve to the same path as ModSecurity's SecAuditLogStorageDirectory.
+     LogStorageDir       "data"
+
+     See the mlogc-default.conf configuration file for details on other
+     configuration directives.
+
+  5) Restart the ModSecurity sensor.
+
+     From now on every audit log generated will go to the repository. Make
+     sure you create an alert. Transactions without alerts will be recorded
+     but not displayed on the home page.
+     
+     To troubleshoot, generate alerts and observe file "mlogc-error.log".
+     
+     If mlogc fails to connect to the server it will pause for a period
+     of time (60 seconds by default) before it will try again.
+

2.5.13/2.5.x/apache2/mlogc-src/Makefile.in

@@ -0,0 +1,70 @@
+# Generated Makefile for ModSecurity Log Collector (mlogc)
+
+CC = @CC@
+EXTRA_CFLAGS = @EXTRA_CFLAGS@
+
+srcdir = .
+modsecsrcdir = $(srcdir)/..
+srclibdir = $(srcdir)/srclib
+
+MLOGC_VERSION = `grep '^\#define *VERSION ' mlogc.c | sed 's/.*VERSION *"\([^"]*\)"/\1/'`
+
+APR_FLAGS = @APR_CFLAGS@
+APR_LIBS = @APR_LINK_LD@ @APR_LIBS@
+
+CURL_FLAGS = @CURL_CFLAGS@
+CURL_LIBS = @CURL_LIBS@
+
+PCRE_FLAGS = @PCRE_CFLAGS@
+PCRE_LIBS = @PCRE_LIBS@
+
+APR_S_FLAGS = `$(srclibdir)/install/apr/bin/apr-1-config --includes --cppflags --cflags`
+APR_S_LIBS = `$(srclibdir)/install/apr/bin/apr-1-config --link-ld`
+
+CURL_S_FLAGS = `$(srclibdir)/install/curl/bin/curl-config --cflags`
+CURL_S_LIBS = `$(srclibdir)/install/curl/bin/curl-config --libs`
+
+PCRE_S_FLAGS = `$(srclibdir)/install/pcre/bin/pcre-config --cflags`
+PCRE_S_LIBS = `$(srclibdir)/install/pcre/bin/pcre-config --libs`
+
+all: mlogc
+
+mlogc: mlogc.c
+	@echo; \
+	echo "Building dynamically linked mlogc..."; \
+	$(CC) $(CFLAGS) -o mlogc mlogc.c \
+	-I$(modsecsrcdir) \
+	$(APR_FLAGS) $(CURL_FLAGS) $(PCRE_FLAGS) \
+	$(APR_LIBS) $(CURL_LIBS) $(PCRE_LIBS); \
+	chmod 755 mlogc; \
+	echo; \
+	echo "Build finished.  Please follow the INSTALL instructions to complete the install."; \
+	echo
+
+.archives-ok:
+	@if [ -n "$(MLOGC_NOVERIFY)" -a "$(MLOGC_NOVERIFY)" = "1" ]; then \
+		touch .archives-ok; \
+	else \
+		$(srclibdir)/archives.sh && touch .archives-ok; \
+	fi
+
+.support-libs-ok:
+	$(srclibdir)/build.sh && touch .support-libs-ok
+
+archives: .archives-ok
+
+support-libs: .support-libs-ok
+
+clean-build:
+	@rm -rf $(srclibdir)/build
+
+clean-install:
+	@rm -rf $(srclibdir)/install
+
+clean-mlogc:
+	@rm -rf core mlogc *~ *.o *.so *.lo *.la *.slo
+
+distclean: clean
+
+clean: clean-build clean-install clean-mlogc
+

2.5.13/2.5.x/apache2/mlogc-src/Makefile.win

@@ -0,0 +1,57 @@
+###########################################################################
+### You Will need to modify the following variables for your system
+###########################################################################
+###########################################################################
+
+# Path to Apache httpd installation
+BASE = C:\Apache2
+
+# Paths to required libraries
+PCRE = C:\work\pcre-7.0-lib
+CURL = C:\work\libcurl-7.19.3-win32-ssl-msvc
+
+# Linking libraries
+LIBS = $(BASE)\lib\libapr-1.lib \
+       $(BASE)\lib\libaprutil-1.lib \
+       $(PCRE)\lib\pcre.lib \
+       $(CURL)\lib\Release\curllib.lib \
+       wsock32.lib
+
+###########################################################################
+###########################################################################
+
+CC = cL
+
+MT = mt
+
+DEFS = /nologo /O2 /W3 -DWIN32 -DWINNT -Dinline=APR_INLINE -D_CONSOLE
+
+EXE = mlogc.exe
+
+INCLUDES = -I. -I.. \
+           -I$(PCRE)\include -I$(PCRE) \
+           -I$(CURL)\include -I$(CURL) \
+           -I$(BASE)\include 
+
+CFLAGS= -MT $(INCLUDES) $(DEFS)
+
+LDFLAGS = 
+
+OBJS = mlogc.obj
+
+all: $(EXE)
+
+.c.obj:
+	$(CC) $(CFLAGS) -c $< -Fo$@
+
+.cpp.obj:
+	$(CC) $(CFLAGS) -c $< -Fo$@
+
+$(EXE): $(OBJS)
+	$(CC) $(CFLAGS) $(LDFLAGS) $(OBJS) $(LIBS) /link /NODEFAULTLIB:MSVCRT.lib /subsystem:console
+
+install: $(EXE)
+	copy $(EXE) $(BASE)\bin
+
+clean:
+	del $(OBJS) $(EXE) *.dll *.lib *.pdb *.idb *.ilk *.exp *.res *.rc *.bin *.manifest

2.5.13/2.5.x/apache2/mlogc-src/mlogc-batch-load.pl.in

@@ -0,0 +1,151 @@
+#!@PERL@
+#
+# ModSecurity for Apache 2.x, http://www.modsecurity.org/
+# Copyright (c) 2004-2009 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+#
+# This product is released under the terms of the General Public Licence,
+# version 2 (GPLv2). Please refer to the file LICENSE (included with this
+# distribution) which contains the complete text of the licence.
+#
+# There are special exceptions to the terms and conditions of the GPL
+# as it is applied to this software. View the full text of the exception in
+# file MODSECURITY_LICENSING_EXCEPTION in the directory of this software
+# distribution.
+#
+# If any of the files related to licensing are missing or if you have any
+# other questions related to licensing please contact Trustwave Holdings, Inc.
+# directly using the email address support@trustwave.com.
+#
+
+use strict;
+use File::Find qw(find);
+use File::Spec::Functions qw(catfile);
+use Sys::Hostname qw(hostname);
+use Digest::MD5 qw(md5_hex);
+
+my $ROOTDIR = $ARGV[0] || '';
+my $MLOGC = $ARGV[1] || '';
+my $MLOGCCONF = $ARGV[2] || '';
+my @AUDIT = ();
+
+if ($ROOTDIR eq '' or ! -e $MLOGC or ! -e $MLOGCCONF) {
+	printf STDERR "\nUsage: $0 <rootdir> </path/to/mlogc> <mlogc_config>\n\n";
+	exit 1;
+}
+
+open(MLOGC, "|$MLOGC -f $MLOGCCONF") or die "ERROR: could not open '$MLOGC' - $!\n";
+
+find(
+	{
+		wanted => sub {
+			my($fn,$dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size);
+
+			(($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size) = stat($_)) &&
+			-f _ &&
+			/^\d{8}-\d+-\w{24}$/s
+			&& (($fn = $File::Find::name) =~ s/^\Q$ROOTDIR\E//)
+			&& push(@AUDIT, [$fn, $size]);
+		},
+		follow => 1,
+	},
+	$ROOTDIR
+);
+
+for my $audit (@AUDIT) {
+	my $fn = $audit->[0];
+	my $line = "";
+	my $err = 0;
+	my $ln = 0;
+	my $sln = 0;
+	my $sect = "";
+	my $data = "";
+	my %data = (
+		hostname => hostname(),
+		remote_addr => "-",
+		remote_user => "-",
+		local_user  => "-",
+		logtime => "-",
+		request => "-",
+		response_status => "-",
+		bytes_sent => "-",
+		referer => "-",
+		user_agent => "-",
+		uniqueid => "-",
+		sessionid => "-",
+		audit_file => $fn,
+		extra => "0",
+		audit_size => $audit->[1],
+		md5 => "-",
+	);
+
+	### Parse the audit file in an attempt to recreate the original log line
+	open (AUDIT, "<".catfile($ROOTDIR,$fn)) or $err = 1;
+	if ($err == 1) {
+		print STDERR "ERROR: could not open '$fn' - $!\n";
+		next;
+	}
+
+	while($line = <AUDIT>) {
+		$data .= $line;
+		chop $line;
+		$ln++;
+		$sln++;
+		if ($line =~ m%^--[0-9A-Fa-f]{8}-([A-Z])--$%) {
+			$sect = $1;
+			$sln = 0;
+			next;
+		};
+		if ($sect eq 'A') {
+			if ($line =~ m%^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) { 
+				$data{logtime} = $1;
+				$data{uniqueid} = $2;
+				$data{remote_addr} = $3;
+			}
+			next;
+		}
+		elsif ($sect eq 'B') {
+			if ($sln == 1) {
+				$data{request} = $line;
+			}
+			elsif ($line =~ m%^User=Agent: (.*)%i) {
+				$data{user_agent} = $1;
+			}
+			elsif ($line =~ m%^Referer: (.*)%i) {
+				$data{referer} = $1;
+			}
+			next;
+		}
+		elsif ($sect eq 'F') {
+			if ($sln == 1 and $line =~ m%^\S+ (\d{3})\D?.*%) {
+				$data{response_status} = $1;
+			}
+			elsif ($line =~ m%^Content-Length: (\d+)%i) {
+				$data{bytes_sent} = $1;
+			}
+			next;
+		}
+	}
+	$data{md5} = md5_hex($data);
+
+	printf MLOGC (
+		"%s %s %s %s %s \"%s\" %s %s \"%s\" \"%s\" %s \"%s\" %s %s %s md5:%s\n",
+		$data{hostname},
+		$data{remote_addr},
+		$data{remote_user},
+		$data{local_user},
+		$data{logtime},
+		$data{request},
+		$data{response_status},
+		$data{bytes_sent},
+		$data{referer},
+		$data{user_agent},
+		$data{uniqueid},
+		$data{sessionid},
+		$data{audit_file},
+		$data{extra},
+		$data{audit_size},
+		$data{md5},
+	);
+       
+}
+

2.5.13/2.5.x/apache2/mlogc-src/mlogc-default.conf

@@ -0,0 +1,98 @@
+##########################################################################
+# Required configuration
+#   At a minimum, the items in this section will need to be adjusted to
+#   fit your environment.  The remaining options are optional.
+##########################################################################
+
+# Points to the root of the installation. All relative
+# paths will be resolved with the help of this path.
+CollectorRoot       "/var/log/mlogc"
+
+# ModSecurity Console receiving URI. You can change the host
+# and the port parts but leave everything else as is.
+ConsoleURI          "https://CONSOLE_IP_ADDRESS:8888/rpc/auditLogReceiver"
+
+# Sensor credentials
+SensorUsername      "SENSOR_USERNAME"
+SensorPassword      "SENSOR_PASSWORD"
+
+# Base directory where the audit logs are stored.  This can be specified
+# as a path relative to the CollectorRoot, or a full path.
+LogStorageDir       "data"
+
+# Transaction log will contain the information on all log collector
+# activities that happen between checkpoints. The transaction log
+# is used to recover data in case of a crash (or if Apache kills
+# the process).
+TransactionLog      "mlogc-transaction.log"
+
+# The file where the pending audit log entry data is kept. This file
+# is updated on every checkpoint.
+QueuePath           "mlogc-queue.log"
+
+# The location of the error log.
+ErrorLog            "mlogc-error.log"
+
+# The location of the lock file.
+LockFile            "mlogc.lck"
+
+# Keep audit log entries after sending? (0=false 1=true)
+# NOTE: This is required to be set in SecAuditLog mlogc config if you
+# are going to use a secondary console via SecAuditLog2.
+KeepEntries         0
+
+
+##########################################################################
+# Optional configuration
+##########################################################################
+
+# The error log level controls how much detail there
+# will be in the error log. The levels are as follows:
+#   0 - NONE
+#   1 - ERROR
+#   2 - WARNING
+#   3 - NOTICE
+#   4 - DEBUG
+#   5 - DEBUG2
+#
+ErrorLogLevel       3
+
+# How many concurrent connections to the server
+# are we allowed to open at the same time? Log collector uses
+# multiple connections in order to speed up audit log transfer.
+# This is especially needed when the communication takes place
+# over a slow link (e.g. not over a LAN).
+MaxConnections      10
+
+# How many requests a worker will process before recycling itself.
+# This is to help prevent problems due to any memory leaks that may
+# exists.  If this is set to 0, then no maximum is imposed. The default
+# is 1000 requests per worker (the number of workers is controlled by the
+# MaxConnections limit).
+MaxWorkerRequests   1000
+
+# The time each connection will sit idle before being reused,
+# in milliseconds. Increase if you don't want ModSecurity Console
+# to be hit with too many log collector requests.
+TransactionDelay    50
+
+# The time to wait before initialization on startup in milliseconds.
+# Increase if mlogc is starting faster then termination when the
+# sensor is reloaded.
+StartupDelay        5000
+
+# How often is the pending audit log entry data going to be written
+# to a file. The default is 15 seconds.
+CheckpointInterval  15
+
+# If the server fails all threads will back down until the
+# problem is sorted. The management thread will periodically
+# launch a thread to test the server. The default is to test
+# once in 60 seconds.
+ServerErrorTimeout  60
+
+# The following two parameters are not used yet, but
+# reserved for future expansion.
+# KeepAlive         150
+# KeepAliveTimeout  300
+