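#!/usr/bin/perl -w
#
# Written by Todd Giles
# Initial Version - 26 Oct 2006
#
# Script to parse audit_log files output by 'mod_security'
# apache module. To be used with logwatch. Feel free
# to use this script, but please send any improvements
# you might make back to me.
#
# Latest version can always be found here:
#
# http://todd.gileszone.com/2006/10/26/crazy-hackers-mod_security-is-great/
#
# Input:  audit log lines on STDIN (logwatch pipes the log into the script).
# Output: a plain-text summary on STDOUT, which logwatch places in its report.

use strict;
use Logwatch ':dates';

# Report verbosity; above 9 every line of an in-range entry is printed.
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
# Read from the environment but currently unused in this script.
my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;

# Number of in-range audit entries seen.
my $ct = 0;
# TimeFilter is imported from Logwatch; its result is interpolated as a
# regex fragment when matching the bracketed timestamp below.
my $SearchDate = TimeFilter('%d/%b/%Y:%H:%M:%S');
# True while the entry being read falls inside the reporting window.
my $within_range = 0;

# Return $text with control characters (tab excepted) rewritten as \xNN.
# Audit log lines echo request data chosen by the client, and the report is
# read in a terminal or mail client, so raw escape sequences must not pass
# through unchanged.
sub _printable {
    my ($text) = @_;
    $text =~ s/([\x00-\x08\x0B-\x1F\x7F])/sprintf('\\x%02X', ord($1))/ge;
    return $text;
}

# Check each line
while (defined(my $ThisLine = <STDIN>)) {
    chomp($ThisLine);

    # A "Request:" line starts a new audit entry and carries its timestamp,
    # so it decides whether the lines that follow belong in the report.
    if ($ThisLine =~ m/^Request:/) {
        $within_range = ($ThisLine =~ m/\[$SearchDate/o) ? 1 : 0;
        if ($within_range) {
            print _printable($ThisLine), "\n";
            $ct++;
        }
        # The entry header is already printed; skipping the rest of the loop
        # keeps it from appearing a second time at high detail.
        next;
    }

    next unless $within_range;

    if ($Detail > 9) {
        # If high detail --- output everything
        print _printable($ThisLine), "\n";
    }
    elsif ($ThisLine =~ m/^mod_security-message/) {
        # Output the security message, followed by a blank separator line
        print _printable($ThisLine), "\n";
        print "\n";
    }
}

# NOTE(review): $ct counts every in-range "Request:" entry. Whether each one
# was actually blocked depends on the mod_security action recorded in the
# entry, which is not inspected here -- confirm before relying on the wording.
if ($ct > 0) {
    print $ct." attempts blocked...\n";
}

exit(0);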