The LFD log area lists log information from the login failure daemon.
Column | Description |
---|---|
ID | The search result of the entry. |
PID | The process ID of the LFD daemon. |
Created | The date and time that the entry was created. |
Message | The message entry. |
Data source: /var/log/lfd.log
The Messenger log area lists log information from the login failure daemon messenger service.
Column | Description |
---|---|
ID | The search result of the entry. |
PID | The process ID of the LFD daemon. |
Created | The date and time that the entry was created. |
Message | The message entry. |
Data source: /var/log/lfd_messenger.log
The web access log area lists the information from your web server's access log.
Column | Description |
---|---|
Created | The date and time that the entry was created. |
Client IP | The IP address of the client (remote host) which made the request to the server. |
Location | The location of the client IP address. |
Flag | The country flag of the client IP address. |
Method | The request method used by the client. |
Request | The client requested resource. |
Size | The size of the response body, in bytes, that the server sent back to the client. |
Status | The status code that the server sent back to the client. |
Referrer | The "Referer" HTTP request header. This gives the site that the client reports having been referred from. |
User Agent | The User-Agent HTTP request header. This is the identifying information that the client browser reports about itself. |
Data source: /var/log/httpd/access_log
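The columns above are the fields of Apache's "combined" log format. The following parser, added here as an example and not part of the page or the product it describes, maps one access_log line onto those columns and then counts 4xx/5xx responses per client IP, which is the usual first signal of a scanner probing for admin paths. It assumes the combined LogFormat (%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"); the sample lines are constructed, and the IP addresses and paths in them are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<created>[^\]]+)\] '
    r'"(?P<request_line>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)


def parse_access_line(line):
    """Map one combined-format line onto the viewer's columns; None when the line does not match."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    # %r is "METHOD URI PROTOCOL"; a malformed request can log fewer tokens, so do not unpack blindly
    tokens = m.group("request_line").split(" ")
    return {
        "created": datetime.strptime(m.group("created"), "%d/%b/%Y:%H:%M:%S %z"),
        "client_ip": m.group("client_ip"),
        "method": tokens[0] or "-",
        "request": tokens[1] if len(tokens) > 1 else "-",
        "size": 0 if m.group("size") == "-" else int(m.group("size")),  # %b logs "-" for an empty body
        "status": int(m.group("status")),
        "referrer": m.group("referrer"),
        "user_agent": m.group("user_agent"),
    }


def error_hits_per_client(lines, min_status=400):
    """Count 4xx/5xx responses per client IP, skipping lines that do not parse."""
    hits = Counter()
    for line in lines:
        entry = parse_access_line(line)
        if entry and entry["status"] >= min_status:
            hits[entry["client_ip"]] += 1
    return dict(hits)


# Constructed sample lines (not taken from a real server); one deliberately malformed line at the end.
SAMPLE_LINES = [
    '203.0.113.7 - - [06/Jan/2014:05:20:20 -0700] "GET /faq.php?id=1 HTTP/1.1" 200 958 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jan/2014:05:20:21 -0700] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jan/2014:05:20:22 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jan/2014:05:20:23 -0700] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Jan/2014:05:21:00 -0700] "POST /contact.php HTTP/1.1" 302 - "http://example.com/contact.php" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_access_line(line))
    print(error_hits_per_client(SAMPLE_LINES))
```

The status and size columns are read from the numeric fields, not from the request line, so a client that sends quotes or brackets in its URI cannot shift the parse; the regex anchors on the quoted fields Apache itself escapes.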
The web error log area lists the information from your web server's error log.
Column | Description |
---|---|
ID | The search result of the entry. |
Created | The date and time that the entry was created. |
Severity | The module / severity of the log entry. |
Client IP | The IP address of the client (remote host) whose request produced the error. |
Location | The location of the client IP address. |
Flag | The country flag of the client IP address. |
Message | The error message. |
Data source: /var/log/httpd/error_log
The iptables log area lists the information from the iptables log.
Column | Description |
---|---|
ID | The search result of the entry. |
Created | The date and time that the entry was created. |
In | The interface name if the direction was incoming. |
Out | The interface name if the direction was outgoing. |
Source | The source IP address. |
Location | The geo location of the source IP address. |
Flag | The country flag of the source IP address. |
SPort | The source port number. |
Direction | The direction (incoming or outgoing). |
Destination | The destination IP address. |
DPort | The destination port number. |
Protocol | The protocol used. |
Message | The iptables message. |
Data source: /var/log/messages
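The In, Out, Source, SPort, Destination, DPort and Protocol columns are the KEY=value pairs the netfilter LOG target writes to the kernel log, and the Message column is the text of the rule's --log-prefix that precedes them. The parser below is an added example, not code from the page or the product it describes: it splits a /var/log/messages line into those columns, derives the direction from whether IN= or OUT= is populated, and then lists sources that hit several distinct destination ports, a simple port-scan indicator. The "Firewall: *TCP_IN Blocked*" prefix, the hostname web1 and all addresses in the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# "Mon DD HH:MM:SS host kernel: [optional uptime] <log prefix> IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=..."
SYSLOG_RE = re.compile(
    r'^(?P<created>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: '
    r'(?:\[\s*\d+\.\d+\] )?(?P<rest>.*IN=.*)$'
)
KV_RE = re.compile(r'\b([A-Z]+)=(\S*)')   # flag tokens such as DF or SYN carry no '=' and are skipped


def parse_iptables_line(line):
    """Map one netfilter log line from /var/log/messages onto the viewer's columns; None otherwise."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None                      # not a kernel firewall line (sshd, cron, ...)
    rest = m.group("rest")
    first = KV_RE.search(rest)
    if not first:
        return None
    fields = dict(KV_RE.findall(rest))
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    return {
        "created": m.group("created"),
        "message": rest[:first.start()].strip(),   # text before the first KEY=value is the --log-prefix
        "in": in_if,
        "out": out_if,
        "direction": "incoming" if in_if else "outgoing",
        "source": fields.get("SRC"),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,   # ICMP lines carry TYPE/CODE, no ports
        "destination": fields.get("DST"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "protocol": fields.get("PROTO"),
    }


def distinct_ports_by_source(lines, min_ports=3):
    """Sources whose blocked incoming traffic touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for line in lines:
        e = parse_iptables_line(line)
        if e and e["direction"] == "incoming" and e["dport"] is not None:
            ports[e["source"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample lines; the last one is an sshd entry that must be ignored.
SAMPLE_LINES = [
    "Jan  6 05:20:20 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:1c:73:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan  6 05:20:21 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan  6 05:20:22 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan  6 05:20:30 web1 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=4321 PROTO=UDP SPT=1900 DPT=1900 LEN=58",
    "Jan  6 05:20:35 web1 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=115 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Jan  6 05:21:00 web1 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan  6 05:21:05 web1 sshd[1234]: Accepted publickey for root from 203.0.113.7 port 51300 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_iptables_line(line))
    print(distinct_ports_by_source(SAMPLE_LINES))
```

Note that the direction is derived from the interface fields rather than from the prefix text, so the same parser works for rules whose --log-prefix does not name a direction at all.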
The login log area lists your server's SSH and FTP login logs.
Column | Description |
---|---|
User | The system username the user logged in as. |
Terminal | The terminal (virtual) that was assigned to the user. |
Domain | The domain name of the system user. |
Login | The date and time when the user logged in. |
Logout | The date and time when the user logged out. |
Duration | The total time the user was logged in for. |
IP address | The IP address of the user. |
Location | The geo location of the connecting IP address. |
Flag | The flag of the country where the IP address was located. |
Data source: /var/log/wtmp
The POP3/IMAP log area lists your server's POP3/IMAP mail client logs.
Column | Description |
---|---|
Created | The date and time that the entry was created. |
Protocol | The protocol that the user is using (POP3 or IMAP). |
Message | The message returned by Dovecot or Courier IMAP. |
User | The username the user is authenticating with. |
Client IP | The client IP address of the user. |
Location | The geo location of the connecting IP address. |
Flag | The flag of the country where the IP address was located. |
The SMTP auth log area lists your server's authenticated SMTP mail client logs.
Column | Description |
---|---|
Created | The date and time that the entry was created. |
Message | The message returned by Qmail or Postfix. |
User | The username the user is authenticating with. |
Client IP | The client IP address of the user. |
Location | The geo location of the connecting IP address. |
Flag | The flag of the country where the IP address was located. |
Data source: /var/log/wtmp
The Plesk action log area lists the Plesk panel action logs.
Column | Description |
---|---|
Action | The action that was performed by the user or server. |
Login | The login username that was used by the user. |
Company | The company that matched the login name. |
Customer | The customer that matched the login name. |
IP address | The IP address of the user. |
Location | The geo location of the connecting IP address. |
Flag | The flag of the country where the IP address was located. |
Data source: database
The action logs area records all actions that are performed through the web interface.
Column | Description |
---|---|
ID | The database ID of the entry. |
Created | The date and time that the entry was created. |
Action | The action that the user performed through the web interface. |
Login | The username that the user was logged in as. |
Role | The group that the user was a part of. |
IP Address | The IP address of the user. |
Data source: database
The application logs area records all error and debug information of the web interface.
Column | Description |
---|---|
ID | The database ID of the entry. |
Created | The date and time that the entry was created. |
Message | The message (usually an exception). |
Level | The log level of the entry (0-8). |
Data source: database
The ModSecurity log area lists the information from the ModSecurity audit log.
Column | Description |
---|---|
ID | The search result of the entry. |
Created | The date and time that the entry was created. |
Source | The source IP address. |
Location | The geo location of the source IP address. |
Flag | The country flag of the source IP address. |
Hostname | Hostname (or IP address, if the hostname is not known) |
Request | The requested URI if using the OWASP ModSecurity Core Rule Set, or the ModSecurity message if using the Atomic ruleset. |
Status | The response status code. |
Data source: /var/log/modsec_audit.log
For detailed information about the audit log, see the ModSecurity reference manual on GitHub.
ModSecurity writes one transaction per audit log file when SecAuditLogType is set to Concurrent (the files are created under SecAuditLogStorageDir, as in the path below); with SecAuditLogType Serial every transaction is appended to the single file named as the data source above. A concurrent-mode entry looks like this:
/var/log/modsecurity/audit/20140106/20140106-0520/20140106-052016-UsqfgH8AAAEAAApQWnoAAAAF
--53018a53-A--
[06/Jan/2014:05:20:20 --0700] UsqfhH8AAAEAAApSZ2oAAAAH 192.168.1.130 55293 192.168.1.162 80
--53018a53-B--
GET /faq.php?action=&type=view&s=&id=-1%2527%2520union%2520select%25200,concat(char(85),char(115)from%2520phpdesk_admin/* HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
If-Modified-Since: Sat, 03 Aug 2013 12:33:34 GMT
If-None-Match: "a08c6-3be-4e30a48a3cd3f"
--53018a53-F--
HTTP/1.1 403 Forbidden
Last-Modified: Sat, 03 Aug 2013 12:33:34 GMT
ETag: "a08c6-3be-4e30a48a3cd3f"
Accept-Ranges: bytes
Content-Length: 958
X-Powered-By: PleskLin
Connection: close
Content-Type: text/html
--53018a53-H--
Message: [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "464"]
[id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"]
[maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]
Access denied with code 403 (phase 2). Pattern match "\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:id.
Action: Intercepted (phase 2)
Stopwatch: 1389010820667919 1835 (- - -)
Stopwatch2: 1389010820667919 1835; combined=732, p1=191, p2=45, p3=0, p4=0, p5=261, sr=43, sw=1, l=0, gc=234
WAF: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"
--53018a53-Z--
The file consists of multiple parts. Each part begins with a separator on a new line of the form --boundary-letter--, where the boundary is the same for every part of one transaction and the letter identifies the part, for example:
--53018a53-A--
The part letters are:
Part | Description |
---|---|
A | audit log header |
B | request headers |
C | request body |
D | intended response headers (NOT IMPLEMENTED YET) |
E | intended response body |
F | response headers |
G | response body (NOT IMPLEMENTED) |
H | audit log trailer |
I | reduced multipart request body |
J | multipart files information (NOT IMPLEMENTED YET) |
K | matched rules information |
Z | audit log footer |
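The part letters and separators above are all a parser needs to split an audit log into transactions and project each one onto the viewer's columns (Created, Source, Hostname, Request, Status) together with the rule tags from the H part. The following parser is an added example, not code from the page or the product it describes. It handles both a serial log (many transactions in one file) and a single concurrent-mode file, treats an A separator as the start of a transaction and Z as its end, falls back to the destination IP when the request carried no Host header, and finally counts which rule ids fired on transactions the WAF answered with 403. The sample log is constructed: the first transaction mirrors the blocked request shown above with its headers trimmed, the second transaction (boundary 7b2c19e4, its transaction id and client address) is made up.

```python
import re
from collections import Counter

# Separator "--<boundary>-<part letter>--" on its own line; A opens a transaction, Z closes it
SEP_RE = re.compile(r'^--([0-9a-fA-F]+)-([A-Z])--$')
# Part A: "[timestamp] txid source_ip source_port dest_ip dest_port"
A_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<txid>\S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)$')
# Tags on an H-part "Message:" line, e.g. [id "950109"] [msg "..."]; values may contain \" escapes
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def split_transactions(text):
    """Split a serial audit log (or one concurrent-mode file) into transactions keyed by part letter."""
    txs, cur, part = [], None, None
    for line in text.splitlines():
        m = SEP_RE.match(line)
        if m:
            boundary, letter = m.groups()
            if letter == "A":
                cur = {"boundary": boundary, "parts": {}}
                txs.append(cur)
            if cur is None or boundary != cur["boundary"]:
                part = None           # separator that does not belong to the open transaction
                continue
            part = None if letter == "Z" else letter
            if part:
                cur["parts"][part] = []
        elif part:
            cur["parts"][part].append(line)
    return txs


def summarize(tx):
    """Project one transaction onto the viewer's columns plus the matched-rule tags from part H."""
    p = tx["parts"]
    a = A_RE.match((p.get("A") or [""])[0])
    if not a:
        return None
    hdrs = p.get("B") or [""]
    tokens = hdrs[0].split(" ")           # request line: METHOD URI PROTOCOL
    host = next((h.split(":", 1)[1].strip() for h in hdrs[1:] if h.lower().startswith("host:")), None)
    status = None
    resp = p.get("F") or []
    if resp:
        st = resp[0].split(" ")           # status line: HTTP/1.1 403 Forbidden
        if len(st) > 1 and st[1].isdigit():
            status = int(st[1])
    rules = []
    for line in p.get("H") or []:
        if line.startswith("Message:"):
            tags = dict(TAG_RE.findall(line))
            rules.append({"id": tags.get("id"), "msg": tags.get("msg"), "severity": tags.get("severity")})
    return {
        "created": a.group("ts"),
        "txid": a.group("txid"),
        "source": a.group("src"),
        "hostname": host or a.group("dst"),   # IP when the request carried no Host header
        "method": tokens[0] or None,
        "request": tokens[1] if len(tokens) > 1 else None,
        "status": status,
        "rules": rules,
    }


def blocked_rule_ids(text):
    """Count which rule ids fired on transactions the WAF answered with 403."""
    c = Counter()
    for tx in split_transactions(text):
        s = summarize(tx)
        if s and s["status"] == 403:
            c.update(r["id"] for r in s["rules"] if r["id"])
    return dict(c)


# Constructed sample: a serial log holding two transactions (second one entirely made up).
SAMPLE_AUDIT_LOG = r"""--53018a53-A--
[06/Jan/2014:05:20:20 --0700] UsqfhH8AAAEAAApSZ2oAAAAH 192.168.1.130 55293 192.168.1.162 80
--53018a53-B--
GET /faq.php?action=&type=view&s=&id=-1%2527%2520union%2520select%25200 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
--53018a53-F--
HTTP/1.1 403 Forbidden
Content-Length: 958
--53018a53-H--
Message: Access denied with code 403 (phase 2). Pattern match "\%((?!$|\W)|[0-9a-fA-F]{2})" at ARGS:id. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "464"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]
Action: Intercepted (phase 2)
--53018a53-Z--

--7b2c19e4-A--
[06/Jan/2014:05:21:03 --0700] Usqfs38AAAEAAApSaDUAAAAK 198.51.100.9 40112 192.168.1.162 80
--7b2c19e4-B--
GET /index.php HTTP/1.1
--7b2c19e4-F--
HTTP/1.1 200 OK
--7b2c19e4-H--
Stopwatch: 1389010863000000 1200 (- - -)
--7b2c19e4-Z--
"""

if __name__ == "__main__":
    for tx in split_transactions(SAMPLE_AUDIT_LOG):
        print(summarize(tx))
    print(blocked_rule_ids(SAMPLE_AUDIT_LOG))
```

Because the boundary is checked on every separator, a transaction whose Z part is missing (a crashed worker, a truncated file) does not swallow the next transaction: the next A separator always opens a fresh record.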