
I wonder if it's possible to change the time format which ModSecurity 3 uses in its audit log. I noticed that the time format differs depending on the SecAuditLogFormat setting. When it's Native, the timezone is present:

---immbqR4e---A--
[16/Jun/2020:11:24:03 +0300]

But if switched to JSON, there's no timezone (the time is local, not UTC):

"time_stamp":"Tue Jun 16 11:24:03 2020"

This is rather inconvenient for log aggregation and processing, especially when the server running ModSecurity is located in a region with daylight saving time. Unfortunately, I couldn't find any information on this issue. I'd appreciate any advice.

P. D

1 Answer


Did you try to edit SecAuditLogParts?

SecAuditLogParts ABCFHZ

H Audit log trailer

Contains information on whether the request was allowed or denied, and the relevant HTTP status code as well as the ModSecurity message as it appears in the Apache error log. Also contains a timestamp and the server string (as it would appear without any of the modifications that may have been made to it using SecServerSignature).

A Audit log header

Boundary that signifies the start of the audit log entry.

Contains the time and date stamp of the log entry as well as the client and server IP address. Also contains the unique ID for the log entry, which makes it easy to find the request in the Apache log files.

This option is mandatory and will be implicitly included if you don't specify it.

  • Thanks for the reply. The log blocks which I used in the question as examples both represent the very first part of the log entry (A Audit log header). But in the case of Native format, it contains the timezone in the timestamp, and in the case of JSON format it doesn't. – P. D Jun 16 '20 at 08:47
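
An added example, not part of the original thread and not ModSecurity code: one way a log pipeline can normalize the two timestamp formats quoted in the question to UTC, flagging JSON entries that fall in a daylight-saving transition. It assumes the server's time zone is known out of band; `Europe/Helsinki` is a constructed stand-in, and the function names are hypothetical.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

NATIVE_FMT = "[%d/%b/%Y:%H:%M:%S %z]"  # section A header, Native format
JSON_FMT = "%a %b %d %H:%M:%S %Y"      # "time_stamp" value, JSON format


def native_to_utc(stamp: str) -> datetime:
    """Native timestamps carry their own offset, so conversion is exact."""
    return datetime.strptime(stamp, NATIVE_FMT).astimezone(timezone.utc)


def json_to_utc(stamp: str, server_tz: ZoneInfo):
    """Return (candidates, status) for a zone-less JSON time_stamp.

    status is "ok", "ambiguous" (clocks went back: two possible instants)
    or "nonexistent" (clocks went forward: the wall time never occurred).
    """
    naive = datetime.strptime(stamp, JSON_FMT)
    candidates = []
    for fold in (0, 1):  # fold selects which side of a DST transition
        aware = naive.replace(tzinfo=server_tz, fold=fold)
        utc = aware.astimezone(timezone.utc)
        if utc not in candidates:
            candidates.append(utc)
    # A wall time that does not survive a round trip was skipped by DST.
    back = candidates[0].astimezone(server_tz).replace(tzinfo=None)
    if back != naive:
        return candidates, "nonexistent"
    return candidates, "ok" if len(candidates) == 1 else "ambiguous"


if __name__ == "__main__":
    tz = ZoneInfo("Europe/Helsinki")  # assumption: not stated on the page
    print(native_to_utc("[16/Jun/2020:11:24:03 +0300]").isoformat())
    samples = [
        "Tue Jun 16 11:24:03 2020",  # value quoted in the question
        "Sun Oct 25 03:30:00 2020",  # constructed: DST ends, hour repeats
        "Sun Mar 29 03:30:00 2020",  # constructed: DST starts, hour skipped
    ]
    for s in samples:
        cands, status = json_to_utc(s, tz)
        print(s, status, [c.isoformat() for c in cands])
```

Entries reported as `ambiguous` cannot be ordered against other sources from the JSON timestamp alone, which is the aggregation problem the question describes.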