Places the classes related to audit log into a separate namespace

src/audit_log/audit_log.cc

@@ -0,0 +1,258 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "audit_log/audit_log.h"
+
+#include <stddef.h>
+#include <stdio.h>
+#include <ctype.h>
+
+#include <fstream>
+
+#include "audit_log/writer/parallel.h"
+#include "audit_log/writer/serial.h"
+#include "utils/regex.h"
+
+#define PARTS_CONSTAINS(a, c) \
+    if (new_parts.find(toupper(a)) != std::string::npos \
+        || new_parts.find(tolower(a)) != std::string::npos) { \
+          parts = parts | c; \
+    }
+
+#define PARTS_CONSTAINS_REM(a, c) \
+    if (new_parts.find(toupper(a)) != std::string::npos \
+        || new_parts.find(tolower(a)) != std::string::npos) { \
+          parts = parts & ~c; \
+    }
+
+namespace modsecurity {
+namespace audit_log {
+
+AuditLog::AuditLog()
+    : m_status(OffAuditLogStatus),
+    m_path1(""),
+    m_path2(""),
+    m_storage_dir(""),
+    m_parts(AAuditLogPart | BAuditLogPart | CAuditLogPart | FAuditLogPart
+            | HAuditLogPart | ZAuditLogPart),
+    m_type(ParallelAuditLogType),
+    m_writer(NULL),
+    m_relevant(""),
+    filePermission(0600),
+    directoryPermission(0766),
+    m_refereceCount(0) { }
+
+AuditLog::~AuditLog() {
+    if (m_writer) {
+        m_writer->refCountDecreaseAndCheck();
+    }
+}
+
+void AuditLog::refCountIncrease() {
+    m_refereceCount++;
+}
+
+
+void AuditLog::refCountDecreaseAndCheck() {
+    m_refereceCount--;
+    if (m_refereceCount == 0) {
+        delete this;
+    }
+}
+
+bool AuditLog::setStorageDirMode(int permission) {
+    this->directoryPermission = permission;
+    return true;
+}
+
+
+bool AuditLog::setFileMode(int permission) {
+    this->filePermission = permission;
+    return true;
+}
+
+
+bool AuditLog::setStatus(AuditLogStatus new_status) {
+    this->m_status = new_status;
+    return true;
+}
+
+
+bool AuditLog::setRelevantStatus(const std::basic_string<char>& status) {
+    this->m_relevant = std::string(status);
+    return true;
+}
+
+
+bool AuditLog::setStorageDir(const std::basic_string<char>& path) {
+    this->m_storage_dir = path;
+    return true;
+}
+
+
+bool AuditLog::setFilePath1(const std::basic_string<char>& path) {
+    this->m_path1 = path;
+    return true;
+}
+
+
+bool AuditLog::setFilePath2(const std::basic_string<char>& path) {
+    this->m_path2 = path;
+    return true;
+}
+
+
+int AuditLog::addParts(int parts, const std::string& new_parts) {
+    PARTS_CONSTAINS('A', AAuditLogPart)
+    PARTS_CONSTAINS('B', BAuditLogPart)
+    PARTS_CONSTAINS('C', CAuditLogPart)
+    PARTS_CONSTAINS('D', DAuditLogPart)
+    PARTS_CONSTAINS('E', EAuditLogPart)
+    PARTS_CONSTAINS('F', FAuditLogPart)
+    PARTS_CONSTAINS('G', GAuditLogPart)
+    PARTS_CONSTAINS('H', HAuditLogPart)
+    PARTS_CONSTAINS('I', IAuditLogPart)
+    PARTS_CONSTAINS('J', JAuditLogPart)
+    PARTS_CONSTAINS('K', KAuditLogPart)
+    PARTS_CONSTAINS('Z', ZAuditLogPart)
+
+    return parts;
+}
+
+
+int AuditLog::removeParts(int parts, const std::string& new_parts) {
+    PARTS_CONSTAINS_REM('A', AAuditLogPart)
+    PARTS_CONSTAINS_REM('B', BAuditLogPart)
+    PARTS_CONSTAINS_REM('C', CAuditLogPart)
+    PARTS_CONSTAINS_REM('D', DAuditLogPart)
+    PARTS_CONSTAINS_REM('E', EAuditLogPart)
+    PARTS_CONSTAINS_REM('F', FAuditLogPart)
+    PARTS_CONSTAINS_REM('G', GAuditLogPart)
+    PARTS_CONSTAINS_REM('H', HAuditLogPart)
+    PARTS_CONSTAINS_REM('I', IAuditLogPart)
+    PARTS_CONSTAINS_REM('J', JAuditLogPart)
+    PARTS_CONSTAINS_REM('K', KAuditLogPart)
+    PARTS_CONSTAINS_REM('Z', ZAuditLogPart)
+
+    return parts;
+}
+
+
+bool AuditLog::setParts(const std::basic_string<char>& new_parts) {
+    int parts = 0;
+
+    PARTS_CONSTAINS('A', AAuditLogPart)
+    PARTS_CONSTAINS('B', BAuditLogPart)
+    PARTS_CONSTAINS('C', CAuditLogPart)
+    PARTS_CONSTAINS('D', DAuditLogPart)
+    PARTS_CONSTAINS('E', EAuditLogPart)
+    PARTS_CONSTAINS('F', FAuditLogPart)
+    PARTS_CONSTAINS('G', GAuditLogPart)
+    PARTS_CONSTAINS('H', HAuditLogPart)
+    PARTS_CONSTAINS('I', IAuditLogPart)
+    PARTS_CONSTAINS('J', JAuditLogPart)
+    PARTS_CONSTAINS('K', KAuditLogPart)
+    PARTS_CONSTAINS('Z', ZAuditLogPart)
+
+    m_parts = parts;
+    return true;
+}
+
+
+bool AuditLog::setType(AuditLogType audit_type) {
+    this->m_type = audit_type;
+    return true;
+}
+
+
+bool AuditLog::init() {
+    if (m_type == ParallelAuditLogType) {
+        m_writer = new audit_log::writer::Parallel(this);
+    }
+    if (m_type == SerialAuditLogType) {
+        m_writer = new audit_log::writer::Serial(this);
+    }
+    m_writer->refCountIncrease();
+
+    if (m_writer == NULL || m_writer->init() == false) {
+        std::cout << "not able to open the log for write." << std::endl;
+        return false;
+    }
+
+    /* Sanity check */
+    if (m_status == RelevantOnlyAuditLogStatus) {
+        if (m_relevant.empty()) {
+            std::cout << "m_relevant cannot be null while status is " << \
+                "RelevantOnly" << std::endl;
+            return false;
+        }
+    }
+
+    return true;
+}
+
+
+bool AuditLog::isRelevant(int status) {
+    std::string sstatus = std::to_string(status);
+
+    if (m_relevant.empty()) {
+        return false;
+    }
+
+    if (sstatus.empty()) {
+        return true;
+    }
+
+    return Utils::regex_search(sstatus,
+        Utils::Regex(m_relevant)) != 0;
+}
+
+
+bool AuditLog::saveIfRelevant(Transaction *transaction) {
+    return saveIfRelevant(transaction, -1);
+}
+
+
+bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
+    if (this->isRelevant(transaction->m_httpCodeReturned) == false &&
+        transaction->m_toBeSavedInAuditlogs == false) {
+        return false;
+    }
+
+    /**
+     * Even if it is relevant, if it is marked not to be save,
+     * we won't save it.
+     *
+     */
+    if (transaction->m_toNotBeSavedInAuditLogs == true) {
+        return false;
+    }
+
+    if (parts == -1) {
+        parts = m_parts;
+    }
+    m_writer->write(transaction, parts);
+
+    return true;
+}
+
+
+bool AuditLog::close() {
+    return true;
+}
+
+
+}  // namespace audit_log
+}  // namespace modsecurity

src/audit_log/audit_log.h

@@ -0,0 +1,188 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#ifdef __cplusplus
+#include <iostream>
+#include <fstream>
+#include <string>
+#endif
+
+#ifndef SRC_AUDIT_LOG_AUDIT_LOG_H_
+#define SRC_AUDIT_LOG_AUDIT_LOG_H_
+
+#include "modsecurity/transaction.h"
+#include "audit_log/writer.h"
+
+#ifdef __cplusplus
+
+namespace modsecurity {
+namespace audit_log {
+
+/** @ingroup ModSecurity_CPP_API */
+class AuditLog {
+ public:
+    AuditLog();
+    ~AuditLog();
+
+    void refCountIncrease();
+    void refCountDecreaseAndCheck();
+
+    enum AuditLogType {
+     SerialAuditLogType,
+     ParallelAuditLogType,
+    };
+
+    enum AuditLogStatus {
+     OnAuditLogStatus,
+     OffAuditLogStatus,
+     RelevantOnlyAuditLogStatus
+    };
+
+    enum AuditLogParts {
+     /**
+      * Audit log header (mandatory).
+      * 
+      */
+     AAuditLogPart = 2,
+
+     /**
+      * Request headers.
+      * 
+      */
+     BAuditLogPart = 4,
+
+     /**
+      * Request body (present only if the request body exists and ModSecurity
+      * is configured to intercept it).
+      * 
+      */     
+     CAuditLogPart = 8,
+
+     /**
+      * Reserved for intermediary response headers; not implemented yet.
+      * 
+      */     
+     DAuditLogPart = 16,
+
+     /**
+      * Intermediary response body (present only if ModSecurity is configured
+      * to intercept response bodies, and if the audit log engine is
+      * configured to record it). Intermediary response body is the same as the
+      * actual response body unless ModSecurity intercepts the intermediary
+      * response body, in which case the actual response body will contain the
+      * error message (either the Apache default error message, or the
+      * ErrorDocument page).
+      *
+      */
+     EAuditLogPart = 32,
+
+     /**
+      * Final response headers (excluding the Date and Server headers, which
+      * are always added by Apache in the late stage of content delivery).
+      * 
+      */
+     FAuditLogPart = 64,
+
+     /**
+      * Reserved for the actual response body; not implemented yet.
+      * 
+      */
+     GAuditLogPart = 128,
+
+     /**
+      * Audit log trailer.
+      * 
+      */
+     HAuditLogPart = 256,
+
+     /**
+      * This part is a replacement for part C. It will log the same data as C
+      * in all cases except when multipart/form-data encoding in used. In this
+      * case, it will log a fake application/x-www-form-urlencoded body that
+      * contains the information about parameters but not about the files. This
+      * is handy if you don’t want to have (often large) files stored in your
+      * audit logs.
+      * 
+      */
+     IAuditLogPart = 512,
+
+     /**
+      * This part contains information about the files uploaded using
+      * multipart/form-data encoding.
+      */
+     JAuditLogPart = 1024,
+
+     /**
+      * This part contains a full list of every rule that matched (one per
+      * line) in the order they were matched. The rules are fully qualified and
+      * will thus show inherited actions and default operators. Supported as of
+      * v2.5.0.
+      * 
+      */
+     KAuditLogPart = 2048,
+
+     /**
+      * Final boundary, signifies the end of the entry (mandatory).
+      * 
+      */
+     ZAuditLogPart = 4096
+    };
+
+    bool setStorageDirMode(int permission);
+    bool setFileMode(int permission);
+    bool setStatus(AuditLogStatus new_status);
+    bool setRelevantStatus(const std::basic_string<char>& new_relevant_status);
+    bool setFilePath1(const std::basic_string<char>& path);
+    bool setFilePath2(const std::basic_string<char>& path);
+    bool setStorageDir(const std::basic_string<char>& path);
+
+    bool setParts(const std::basic_string<char>& new_parts);
+    bool setType(AuditLogType audit_type);
+
+    bool init();
+    bool close();
+
+    bool saveIfRelevant(Transaction *transaction);
+    bool saveIfRelevant(Transaction *transaction, int parts);
+    bool isRelevant(int status);
+
+    int addParts(int parts, const std::string& new_parts);
+    int removeParts(int parts, const std::string& new_parts);
+
+    std::string m_path1;
+    std::string m_path2;
+    std::string m_storage_dir;
+
+    int filePermission;
+    int directoryPermission;
+
+    int m_parts;
+
+ private:
+    AuditLogStatus m_status;
+
+
+    AuditLogType m_type;
+    std::string m_relevant;
+
+    audit_log::Writer *m_writer;
+    int m_refereceCount;
+};
+
+}  // namespace audit_log
+}  // namespace modsecurity
+#endif
+
+#endif  // SRC_AUDIT_LOG_AUDIT_LOG_H_

src/audit_log/writer.cc

@@ -0,0 +1,44 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "audit_log/writer.h"
+
+#include <string>
+
+#include "audit_log/audit_log.h"
+
+namespace modsecurity {
+namespace audit_log {
+
+std::string Writer::file_name(const std::string& unique_id) {
+    time_t timer;
+    time(&timer);
+
+    /** TODO: return file with time stamp and etc.  */
+    return std::string("/tmp/temp_audit_log_file.txt");
+}
+/**
+ *
+ * Temporary print the log into the std::cout to debug purposes.
+ *
+ */
+bool Writer::write(Transaction *transaction, int parts) {
+    std::cout << transaction->toJSON(0) << std::endl;
+    return true;
+}
+
+
+}  // namespace audit_log
+}  // namespace modsecurity

src/audit_log/writer.h

@@ -0,0 +1,59 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#ifndef SRC_AUDIT_LOG_WRITER_H_
+#define SRC_AUDIT_LOG_WRITER_H_
+
+#ifdef __cplusplus
+#include <string>
+#endif
+
+#include "modsecurity/transaction.h"
+
+
+#ifdef __cplusplus
+
+namespace modsecurity {
+namespace audit_log {
+
+class AuditLog;
+
+/** @ingroup ModSecurity_CPP_API */
+class Writer {
+ public:
+    explicit Writer(AuditLog *audit)
+        : m_audit(audit),
+        m_refereceCount(0) { }
+
+    virtual ~Writer() { }
+
+    virtual void refCountIncrease() = 0;
+    virtual void refCountDecreaseAndCheck() = 0;
+
+    virtual bool init() { return true; }
+    virtual bool write(Transaction *transaction, int parts);
+
+    std::string file_name(const std::string& unique_id);
+
+ protected:
+    AuditLog *m_audit;
+    int m_refereceCount;
+};
+
+}  // namespace audit_log
+}  // namespace modsecurity
+#endif
+
+#endif  // SRC_AUDIT_LOG_WRITER_H_

src/audit_log/writer/parallel.cc

@@ -0,0 +1,142 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "audit_log/writer/parallel.h"
+
+#include <time.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include <fstream>
+
+#include "audit_log/audit_log.h"
+#include "modsecurity/transaction.h"
+#include "src/utils.h"
+#include "utils/md5.h"
+
+namespace modsecurity {
+namespace audit_log {
+namespace writer {
+
+Parallel::~Parallel() {
+    if (log1.is_open()) {
+        log1.close();
+    }
+
+    if (log2.is_open()) {
+        log2.close();
+    }
+}
+
+
+inline std::string Parallel::logFilePath(time_t *t,
+    int part) {
+    struct tm timeinfo;
+    char tstr[300];
+    std::string name("");
+
+    localtime_r(t, &timeinfo);
+
+    if (part & YearMonthDayDirectory) {
+        memset(tstr, '\0', 300);
+        strftime(tstr, 299, "/%Y%m%d", &timeinfo);
+        name = tstr;
+    }
+
+    if (part & YearMonthDayAndTimeDirectory) {
+        memset(tstr, '\0', 300);
+        strftime(tstr, 299, "/%Y%m%d-%H%M", &timeinfo);
+        name = name + tstr;
+    }
+
+    if (part & YearMonthDayAndTimeFileName) {
+        memset(tstr, '\0', 300);
+        strftime(tstr, 299, "/%Y%m%d-%H%M%S", &timeinfo);
+        name = name + tstr;
+    }
+
+    return name;
+}
+
+
+bool Parallel::init() {
+    /** TODO:: Check if the directory exists. */
+    /** TODO:: Checking if we have permission to write in the target dir */
+
+    if (!m_audit->m_path1.empty()) {
+        log1.open(m_audit->m_path1, std::fstream::out | std::fstream::app);
+    }
+
+    if (!m_audit->m_path2.empty()) {
+        log2.open(m_audit->m_path2, std::fstream::out | std::fstream::app);
+    }
+
+    return true;
+}
+
+
+bool Parallel::write(Transaction *transaction, int parts) {
+    FILE *fp;
+    int fd;
+    std::string log = transaction->toJSON(parts);
+    std::string fileName = logFilePath(&transaction->m_timeStamp,
+        YearMonthDayDirectory | YearMonthDayAndTimeDirectory
+        | YearMonthDayAndTimeFileName);
+
+    std::string logPath = m_audit->m_storage_dir;
+    fileName = logPath + fileName + "-" + transaction->m_id;
+
+    if (logPath.empty()) {
+      return false;
+    }
+
+    createDir((logPath +
+        logFilePath(&transaction->m_timeStamp, YearMonthDayDirectory)).c_str(),
+        m_audit->directoryPermission);
+    createDir((logPath +
+        logFilePath(&transaction->m_timeStamp, YearMonthDayDirectory
+            | YearMonthDayAndTimeDirectory)).c_str(),
+        m_audit->directoryPermission);
+
+    fd = open(fileName.c_str(), O_CREAT | O_WRONLY, m_audit->filePermission);
+    if (fd < 0) {
+        return false;
+    }
+    fp = fdopen(fd, "w");
+    fwrite(log.c_str(), log.length(), 1, fp);
+    fclose(fp);
+
+    if (log1.is_open() && log2.is_open()) {
+        log2 << transaction->toOldAuditLogFormatIndex(fileName, log.length(),
+            md5(log));
+    }
+    if (log1.is_open() && !log2.is_open()) {
+        log1 << transaction->toOldAuditLogFormatIndex(fileName, log.length(),
+            md5(log));
+    }
+    if (!log1.is_open() && log2.is_open()) {
+        log2 << transaction->toOldAuditLogFormatIndex(fileName, log.length(),
+            md5(log));
+    }
+
+    return true;
+}
+
+}  // namespace writer
+}  // namespace audit_log
+}  // namespace modsecurity

src/audit_log/writer/parallel.h

@@ -0,0 +1,85 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include <string>
+
+#ifndef SRC_AUDIT_LOG_WRITER_PARALLEL_H_
+#define SRC_AUDIT_LOG_WRITER_PARALLEL_H_
+
+#include "audit_log/writer.h"
+#include "modsecurity/transaction.h"
+
+#ifdef __cplusplus
+
+namespace modsecurity {
+namespace audit_log {
+namespace writer {
+
+/** @ingroup ModSecurity_CPP_API */
+class Parallel : public audit_log::Writer {
+ public:
+    explicit Parallel(AuditLog *audit)
+        : audit_log::Writer(audit) { }
+
+    ~Parallel() override;
+    bool init() override;
+    bool write(Transaction *transaction, int parts) override;
+
+    void refCountIncrease() override {
+        m_refereceCount++;
+    }
+
+
+    void refCountDecreaseAndCheck() override {
+        m_refereceCount--;
+        if (m_refereceCount == 0) {
+            delete this;
+        }
+    }
+
+    /**
+     *
+     * Audit log file is saved into a directory structure. This directory
+     * structure is based on the timestamp of the transaction creation, at
+     * the exact moment that ModSecurity be aware of a particular
+     * request/transaction.
+     * The expect fromat is:
+     *
+     * [...]/YearMonthDay/YearMonthDayAndTime/YearMonthDayAndTime-RequestId
+     *
+     * Example:
+     *
+     * /20150710/20150710-1353/20150710-135353-143654723362.584244
+     *
+     * This enumeration describes the subpaths of this structure.
+     *
+     */
+    enum AuditLogFilePath {
+     YearMonthDayDirectory = 2,
+     YearMonthDayAndTimeDirectory = 4,
+     YearMonthDayAndTimeFileName = 8,
+    };
+
+    std::ofstream log1;
+    std::ofstream log2;
+    inline std::string logFilePath(time_t *t, int part);
+};
+
+}  // namespace writer
+}  // namespace audit_log
+}  // namespace modsecurity
+#endif
+
+#endif  // SRC_AUDIT_LOG_WRITER_PARALLEL_H_

src/audit_log/writer/serial.cc

@@ -0,0 +1,68 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "audit_log/writer/serial.h"
+
+// #include <mutex>
+
+#include "audit_log/audit_log.h"
+
+namespace modsecurity {
+namespace audit_log {
+namespace writer {
+// static std::mutex serialLoggingMutex;
+
+
+Serial::~Serial() {
+    m_log.close();
+}
+
+
+void Serial::generateBoundary(std::string *boundary) {
+    static const char alphanum[] =
+        "0123456789"
+        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+        "abcdefghijklmnopqrstuvwxyz";
+
+    for (int i = 0; i < SERIAL_AUDIT_LOG_BOUNDARY_LENGTH; ++i) {
+        boundary->append(1, alphanum[rand() % (sizeof(alphanum) - 1)]);
+    }
+}
+
+
+bool Serial::init() {
+    m_log.open(m_audit->m_path1, std::fstream::out | std::fstream::app);
+    return true;
+}
+
+
+bool Serial::write(Transaction *transaction, int parts) {
+    std::string boundary;
+
+    generateBoundary(&boundary);
+
+    // serialLoggingMutex.lock();
+
+    m_log << transaction->toOldAuditLogFormat(parts, "-" + boundary + "--");
+    m_log.flush();
+
+    // serialLoggingMutex.unlock();
+
+    return true;
+}
+
+}  // namespace writer
+}  // namespace audit_log
+}  // namespace modsecurity

src/audit_log/writer/serial.h

@@ -0,0 +1,75 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#ifdef __cplusplus
+#include <iostream>
+#include <fstream>
+#include <string>
+#endif
+
+#ifndef SRC_AUDIT_LOG_WRITER_SERIAL_H_
+#define SRC_AUDIT_LOG_WRITER_SERIAL_H_
+
+#include "audit_log/writer.h"
+#include "modsecurity/transaction.h"
+
+#ifdef __cplusplus
+
+namespace modsecurity {
+namespace audit_log {
+namespace writer {
+
+#define SERIAL_AUDIT_LOG_BOUNDARY_LENGTH 8
+
+/** @ingroup ModSecurity_CPP_API */
+class Serial : public audit_log::Writer {
+ public:
+    explicit Serial(audit_log::AuditLog *audit)
+        : audit_log::Writer(audit) { }
+
+    ~Serial() override;
+
+    void refCountIncrease() override {
+        m_refereceCount++;
+    }
+
+
+    void refCountDecreaseAndCheck() override {
+        /*
+        m_refereceCount--;
+
+
+        if (m_refereceCount == 0) {
+        */
+        delete this;
+        /*
+        /}
+        */
+    }
+
+    bool init() override;;
+    bool write(Transaction *transaction, int parts) override;
+
+ private:
+    std::ofstream m_log;
+    void generateBoundary(std::string *boundary);
+};
+
+}  // namespace writer
+}  // namespace audit_log
+}  // namespace modsecurity
+#endif
+
+#endif  // SRC_AUDIT_LOG_WRITER_SERIAL_H_