caddy-coraza Log Parser

Parser for parsing coraza logs from Caddy coraza-caddy runtime error logs.

You need to specify caddy config to enable logging in a file and configure the coraza module:

{
	# coraza_waf first must be always included in your Caddyfile for Coraza module to work.
	order coraza_waf first

	# The log global option is for Caddy’s runtime logs, i.e. all the logs, and not only "access.log".
	log {
		level INFO
		output file /var/log/caddy/caddy-runtime.log
	}
}

:80 {
	log

	# Defining the directives for coraza.
	coraza_waf {
		directives `
		Include /ruleset/coraza.conf
		Include /ruleset/theappyouwanttoprotect/crs-setup.conf
		Include /ruleset/coreruleset/rules/*.conf
		`
	}

        # Set this path to your site's directory.
        root * /usr/share/caddy

        # Enable the static file server.
        file_server

        # Another common task is to set up a reverse proxy:
        # reverse_proxy localhost:8080

        # Or serve a PHP site through php-fpm:
        # php_fastcgi localhost:9000
}

be carefull to check the acquisition file of caddy to match with the output file defined in the Caddyfile like :

---
filenames:
 - /var/log/caddy/caddy-runtime.log
labels:
  type: caddy

1filter: "evt.Parsed.program startsWith 'caddy'"

2onsuccess: next_stage

3name: barnoux/caddy-coraza

4description: "Parse coraza, logs from the web server caddy"

5pattern_syntax:

6 MODSECCADDYPREFIX: "\\[client \\\\\"%{IP:client}\\\\\"\\] Coraza: %{GREEDYDATA:modsecmessage}"

7 MODSECCADDYFILE: "\\[file \\\\\"%{DATA:rulefile}\\\\\"\\]"

8 MODSECCADDYLINE: "\\[line \\\\\"%{DATA:ruleline}\\\\\"\\]"

9 MODSECCADDYOFFSET: "\\[offset \\\\\"%{DATA:matchoffset}\\\\\"\\]"

10 MODSECCADDYID: "\\[id \\\\\"%{DATA:ruleid}\\\\\"\\]"

11 MODSECCADDYREV: "\\[rev \\\\\"%{DATA:rulerev}\\\\\"\\]"

12 MODSECCADDYMSG: "\\[msg \\\\\"%{DATA:rulemessage}\\\\\"\\]"

13 MODSECCADDYDATA: "\\[data \\\\\"%{DATA:ruledata}\\\\\"\\]"

14 MODSECCADDYSEVERITY: "\\[severity \\\\\"%{DATA:ruleseverity}\\\\\"\\]"

15 MODSECCADDYMATURITY: "\\[maturity \\\\\"%{DATA:maturity}\\\\\"\\]"

16 MODSECCADDYACCURACY: "\\[accuracy \\\\\"%{DATA:accuracy}\\\\\"\\]"

17 MODSECCADDYVERS: "\\[ver \\\\\"%{DATA:version}\\\\\"\\]"

18 MODSECCADDYTAGS: "(?:\\[tag \\\\\"%{DATA:ruletag0}\\\\\"\\] )?(?:\\[tag \\\\\\\"%{DATA:ruletag1}\\\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag2}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag3}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag4}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag5}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag6}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag7}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag8}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag9}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA}\\\\\"\\] )*"

19 MODSECCADDYHOSTNAME: "\\[hostname \\\\['\\\"]%{DATA:targethost}\\\\[\\\"']\\]"

20 MODSECCADDYURI: "\\[uri \\\\[\\\"']%{DATA:targeturi}\\\\[\\\"']\\]"

21 MODSECCADDYUID: "\\[unique_id \\\\\"%{DATA:uniqueid}\\\\\"\\]"

22 MODSECCADDYREF: "\\[ref \\\\\"%{DATA:ref}\\\\\"\\]"

23 MODSECCADDYERROR: "%{MODSECCADDYPREFIX} %{MODSECCADDYFILE} %{MODSECCADDYLINE} (?:%{MODSECCADDYOFFSET} )?(?:%{MODSECCADDYID} )?(?:%{MODSECCADDYREV} )?(?:%{MODSECCADDYMSG} )?(?:%{MODSECCADDYDATA} )?(?:%{MODSECCADDYSEVERITY} )?(?:%{MODSECCADDYVERS} )?(?:%{MODSECCADDYMATURITY} )?(?:%{MODSECCADDYACCURACY} )?%{MODSECCADDYTAGS}%{MODSECCADDYHOSTNAME} %{MODSECCADDYURI} %{MODSECCADDYUID}"

24nodes:

25 - grok:

26 name: MODSECCADDYERROR

27 apply_on: Line.Raw

28 statics:

29 - meta: log_type

30 value: modsecurity

31 - meta: rule_id

32 expression: evt.Parsed.ruleid

33 - meta: modsec_ruledata

34 expression: evt.Parsed.ruledata

35 - meta: modsec_message

36 expression: evt.Parsed.rulemessage

37 - meta: rule_id

38 expression: evt.Parsed.ruleid

39 - meta: source_ip

40 expression: evt.Parsed.client

41statics:

42 - target: evt.StrTime

43 expression: JsonExtract(evt.Parsed.message, 'ts')

Hub configuration

« caddy-coraza »
v0.1 by barnoux
Log parser

Hub configuration

« caddy-coraza »v0.1 by barnouxLog parser

« caddy-coraza »
v0.1 by barnoux
Log parser