Parser for parsing Coraza logs from the Caddy coraza-caddy runtime error logs.

Install it with:

```
cscli parsers install barnoux/caddy-coraza
```
You need to configure Caddy to write its runtime log to a file and to load the Coraza module:
```
{
    # coraza_waf first must always be included in your Caddyfile for the Coraza module to work.
    order coraza_waf first

    # The log global option is for Caddy's runtime logs, i.e. all the logs, and not only "access.log".
    log {
        level INFO
        output file /var/log/caddy/caddy-runtime.log
    }
}

:80 {
    log

    # Defining the directives for coraza.
    coraza_waf {
        directives `
            Include /ruleset/coraza.conf
            Include /ruleset/theappyouwanttoprotect/crs-setup.conf
            Include /ruleset/coreruleset/rules/*.conf
        `
    }

    # Set this path to your site's directory.
    root * /usr/share/caddy

    # Enable the static file server.
    file_server

    # Another common task is to set up a reverse proxy:
    # reverse_proxy localhost:8080

    # Or serve a PHP site through php-fpm:
    # php_fastcgi localhost:9000
}
```
Be careful to check that the Caddy acquisition file matches the output file defined in the Caddyfile, like:
```yaml
---
filenames:
  - /var/log/caddy/caddy-runtime.log
labels:
  type: caddy
```
```yaml
filter: "evt.Parsed.program startsWith 'caddy'"
onsuccess: next_stage
name: barnoux/caddy-coraza
description: "Parse coraza, logs from the web server caddy"
pattern_syntax:
  MODSECCADDYPREFIX: "\\[client \\\\\"%{IP:client}\\\\\"\\] Coraza: %{GREEDYDATA:modsecmessage}"
  MODSECCADDYFILE: "\\[file \\\\\"%{DATA:rulefile}\\\\\"\\]"
  MODSECCADDYLINE: "\\[line \\\\\"%{DATA:ruleline}\\\\\"\\]"
  MODSECCADDYOFFSET: "\\[offset \\\\\"%{DATA:matchoffset}\\\\\"\\]"
  MODSECCADDYID: "\\[id \\\\\"%{DATA:ruleid}\\\\\"\\]"
  MODSECCADDYREV: "\\[rev \\\\\"%{DATA:rulerev}\\\\\"\\]"
  MODSECCADDYMSG: "\\[msg \\\\\"%{DATA:rulemessage}\\\\\"\\]"
  MODSECCADDYDATA: "\\[data \\\\\"%{DATA:ruledata}\\\\\"\\]"
  MODSECCADDYSEVERITY: "\\[severity \\\\\"%{DATA:ruleseverity}\\\\\"\\]"
  MODSECCADDYMATURITY: "\\[maturity \\\\\"%{DATA:maturity}\\\\\"\\]"
  MODSECCADDYACCURACY: "\\[accuracy \\\\\"%{DATA:accuracy}\\\\\"\\]"
  MODSECCADDYVERS: "\\[ver \\\\\"%{DATA:version}\\\\\"\\]"
  MODSECCADDYTAGS: "(?:\\[tag \\\\\"%{DATA:ruletag0}\\\\\"\\] )?(?:\\[tag \\\\\\\"%{DATA:ruletag1}\\\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag2}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag3}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag4}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag5}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag6}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag7}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag8}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA:ruletag9}\\\\\"\\] )?(?:\\[tag \\\\\"%{DATA}\\\\\"\\] )*"
  MODSECCADDYHOSTNAME: "\\[hostname \\\\['\\\"]%{DATA:targethost}\\\\[\\\"']\\]"
  MODSECCADDYURI: "\\[uri \\\\[\\\"']%{DATA:targeturi}\\\\[\\\"']\\]"
  MODSECCADDYUID: "\\[unique_id \\\\\"%{DATA:uniqueid}\\\\\"\\]"
  MODSECCADDYREF: "\\[ref \\\\\"%{DATA:ref}\\\\\"\\]"
  MODSECCADDYERROR: "%{MODSECCADDYPREFIX} %{MODSECCADDYFILE} %{MODSECCADDYLINE} (?:%{MODSECCADDYOFFSET} )?(?:%{MODSECCADDYID} )?(?:%{MODSECCADDYREV} )?(?:%{MODSECCADDYMSG} )?(?:%{MODSECCADDYDATA} )?(?:%{MODSECCADDYSEVERITY} )?(?:%{MODSECCADDYVERS} )?(?:%{MODSECCADDYMATURITY} )?(?:%{MODSECCADDYACCURACY} )?%{MODSECCADDYTAGS}%{MODSECCADDYHOSTNAME} %{MODSECCADDYURI} %{MODSECCADDYUID}"
nodes:
  - grok:
      name: MODSECCADDYERROR
      apply_on: Line.Raw
    statics:
      - meta: log_type
        value: modsecurity
      - meta: rule_id
        expression: evt.Parsed.ruleid
      - meta: modsec_ruledata
        expression: evt.Parsed.ruledata
      - meta: modsec_message
        expression: evt.Parsed.rulemessage
      - meta: rule_id
        expression: evt.Parsed.ruleid
      - meta: source_ip
        expression: evt.Parsed.client
statics:
  - target: evt.StrTime
    expression: JsonExtract(evt.Parsed.message, 'ts')
```
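To see what the MODSECCADDYERROR grok above actually extracts from a raw Caddy runtime-log line, here is an added stand-alone port of it to a Python regex (example code, not the hub's); the `%{IP}` stand-in, the tag list in place of `ruletag0..ruletag9`, and the sample log line are my constructions.

```python
import json
import re

# Added re-implementation of the hub's MODSECCADDYERROR grok as one plain regex
# (not the hub's own code). Caddy writes runtime logs as JSON, so Coraza's
# [name "value"] pairs reach Line.Raw with the quotes escaped as \", which is
# why every pattern matches a literal backslash before each quote.
IP = r"[0-9a-fA-F.:]+"  # simplified stand-in for grok's %{IP}

def bracketed(name, key, q='"'):
    # [name \"value\"] with the value captured as %{DATA:key}; the hub also
    # tolerates ' around hostname and uri, hence the q override used below.
    return rf'\[{name} \\{q}(?P<{key}>.*?)\\{q}\]'

OPTIONAL = [("offset", "matchoffset"), ("id", "ruleid"), ("rev", "rulerev"),
            ("msg", "rulemessage"), ("data", "ruledata"), ("severity", "ruleseverity"),
            ("ver", "version"), ("maturity", "maturity"), ("accuracy", "accuracy")]

CORAZA_RE = re.compile(
    rf'\[client \\"(?P<client>{IP})\\"\] Coraza: (?P<modsecmessage>.*) '
    + bracketed("file", "rulefile") + " " + bracketed("line", "ruleline") + " "
    + "".join(f"(?:{bracketed(n, k)} )?" for n, k in OPTIONAL)
    + r'(?P<tags>(?:\[tag \\".*?\\"\] )*)'  # the hub names these ruletag0..ruletag9
    + bracketed("hostname", "targethost", q="['\"]") + " "
    + bracketed("uri", "targeturi", q="['\"]") + " "
    + bracketed("unique_id", "uniqueid"))

def parse_caddy_coraza(raw_line):
    """Fields the hub parser would extract from one raw Caddy log line, or None."""
    m = CORAZA_RE.search(raw_line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["ruletags"] = re.findall(r'\[tag \\"(.*?)\\"\]', fields.pop("tags"))
    fields["ts"] = json.loads(raw_line)["ts"]  # the parser's trailing JsonExtract static
    return fields

# Constructed sample: a CRS anomaly-score message as the Caddy runtime log carries it.
SAMPLE_MSG = ('[client "203.0.113.7"] Coraza: Warning. Inbound Anomaly Score Exceeded '
              '[file "/ruleset/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
              '[line "123"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded"] '
              '[data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] '
              '[accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] '
              '[hostname "example.test"] [uri "/login"] [unique_id "constructed-uid-0001"]')
SAMPLE_LINE = json.dumps({"level": "error", "ts": 1700000000.123,
                          "logger": "http.handlers.waf", "msg": SAMPLE_MSG})
```

Running `parse_caddy_coraza(SAMPLE_LINE)` yields the `client`, `ruleid`, `rulemessage` and `ts` values the parser's statics copy into `source_ip`, `rule_id`, `modsec_message` and `evt.StrTime`; a Caddy line without a Coraza message returns `None`, which is the case the hub parser falls through on.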