changed modsecurity logs location

2025-02-09 17:05:57 +08:00 · 2025-02-09 17:05:57 +08:00 · 237116f251
parent 398b881178
commit 237116f251
6 changed files with 102 additions and 32 deletions
--- a/.gitignore
+++ b/.gitignore
@ -20,9 +20,7 @@
 # server
 server/server
-# nginx logs
+# logs
-docker/suricata/nginx/logs/access.log
+**/*.log
-docker/suricata/nginx/logs/error.log
+**/*.pcap*
-
+**/eve.json
 # suricata logs
 docker/suricata/suricata/logs/*
--- a/docker/chungus/docker-compose.yml
+++ b/docker/chungus/docker-compose.yml
@ -29,9 +29,9 @@ services:
      PARANOIA: 1
    network_mode: "host"
    volumes:
-      - "/tmp/host-fs-auditlog.log:/var/log/modsec_audit.log"
+      - "./logs/host-fs-auditlog.log:/var/log/modsec_audit.log"
-      - "/tmp/host-fs-errorlog.log:/var/log/modsec_error.log"
+      - "./logs/host-fs-errorlog.log:/var/log/modsec_error.log"
-      - "/tmp/host-fs-accesslog.log:/var/log/apache2/access.log"
+      - "./logs/host-fs-accesslog.log:/var/log/apache2/access.log"
  dvwa:
    image: vulnerables/web-dvwa
--- a/docker/chungus/setup.sh
+++ b/docker/chungus/setup.sh
@ -1,6 +1,7 @@
-touch /tmp/host-fs-auditlog.log
+mkdir logs
-touch /tmp/host-fs-errorlog.log
+touch ./logs/host-fs-auditlog.log
-touch /tmp/host-fs-accesslog.log
+touch ./logs/host-fs-errorlog.log
-chmod 777 /tmp/host-fs-auditlog.log
+touch ./logs/host-fs-accesslog.log
-chmod 777 /tmp/host-fs-errorlog.log
+chmod 777 ./logs/host-fs-auditlog.log
-chmod 777 /tmp/host-fs-accesslog.log
+chmod 777 ./logs/host-fs-errorlog.log
 chmod 777 ./logs/host-fs-accesslog.log
--- a/server/go.mod
+++ b/server/go.mod
@ -5,6 +5,7 @@ go 1.23.2
 require github.com/jackc/pgx/v5 v5.7.1
 require (
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/go-telegram-bot-api/telegram-bot-api/v5 v5.5.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
@ -14,5 +15,6 @@ require (
 	github.com/tidwall/pretty v1.2.0 // indirect
 	golang.org/x/crypto v0.32.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 )
--- a/server/go.sum
+++ b/server/go.sum
@ -1,6 +1,8 @@
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/go-telegram-bot-api/telegram-bot-api/v5 v5.5.1 h1:wG8n/XJQ07TmjbITcGiUaOtXxdrINDz1b0J1w0SzqDc=
 github.com/go-telegram-bot-api/telegram-bot-api/v5 v5.5.1/go.mod h1:A2S0CWkNylc2phvKXWBBdD3K0iGnDBGbzRpISP2zBl8=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@ -28,6 +30,8 @@ golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/server/internal/telegram/telegram.go
+++ b/server/internal/telegram/telegram.go
@ -2,21 +2,29 @@ package telegram
 import (
 	"bufio"
 	"encoding/json"
 	"fmt"
 	"io"
 	"log"
 	"os"
 	"time"
 	"github.com/fsnotify/fsnotify"
 	tg "github.com/go-telegram-bot-api/telegram-bot-api/v5"
 )
 const (
-	modsecLogFile  = "/tmp/host-fs-auditlog.log"
+	modsecLogFile  = "/home/vomitblood/build/cspj-application/docker/chungus/logs/host-fs-auditlog.log"
 	telegramToken  = "7215466800:AAGwjZnXEfbbjQiA0y7qtSzbSZNUWQJnyjo"
 	telegramChatID = 622943829
 )
 var lastReadPosition int64 = 0
 type LogEntry struct {
 	AuditData struct {
 		Messages []string `json:"messages"`
 	} `json:"audit_data"`
 }
 func TelegramBotInit() {
 	bot, err := tg.NewBotAPI(telegramToken)
 	if err != nil {
@ -32,28 +40,85 @@ func TelegramBotInit() {
 		log.Fatal("Failed to send test message:", err)
 	}
-	// open the log file
+	// Start watching the log file for changes
-	logFile, err := os.Open(modsecLogFile)
+	watchLogFile(bot)
 }
 func watchLogFile(bot *tg.BotAPI) {
 	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
-		log.Fatal("Failed to open log file:", err)
+		log.Fatal("Failed to initialize watcher:", err)
 	}
-	defer logFile.Close()
+	defer watcher.Close()
-	// seek to the end of the file to read only new entries
+	// Add log file to watcher
-	logFile.Seek(0, io.SeekEnd)
+	err = watcher.Add(modsecLogFile)
 	if err != nil {
 		log.Fatal("Failed to watch log file:", err)
 	}
 	log.Println("🔍 Monitoring log file for changes...")
 	reader := bufio.NewReader(logFile)
 	for {
-		line, err := reader.ReadString('\n')
+		select {
-		if err == nil {
+		case event, ok := <-watcher.Events:
-			sendTelegramAlert(bot, line)
+			if !ok {
 				return
 			}
 			if event.Op&fsnotify.Write == fsnotify.Write {
 				log.Println("📄 Log file updated, reading new entries...")
 				readNewLines(bot)
 			}
 		case err, ok := <-watcher.Errors:
 			if !ok {
 				return
 			}
 			log.Println("⚠️ Watcher error:", err)
 		}
-		// maybe change this logic? interrupt vs polling??????
+	}
-		time.Sleep(1 * time.Second)
+}
 func readNewLines(bot *tg.BotAPI) {
 	file, err := os.Open(modsecLogFile)
 	if err != nil {
 		log.Println("❌ Failed to reopen log file:", err)
 		return
 	}
 	defer file.Close()
 	// Move to the last read position
 	file.Seek(lastReadPosition, os.SEEK_SET)
 	scanner := bufio.NewScanner(file)
 	for scanner.Scan() {
 		line := scanner.Text()
 		var logEntry LogEntry
 		// Try to parse JSON
 		if err := json.Unmarshal([]byte(line), &logEntry); err != nil {
 			log.Println("⚠️ Failed to parse JSON:", err)
 			continue // Skip invalid JSON lines
 		}
 		// Send only the first message from messages[]
 		if len(logEntry.AuditData.Messages) > 0 {
 			sendTelegramAlert(bot, logEntry.AuditData.Messages[0])
 		}
 	}
 	// Update last read position
 	lastReadPosition, _ = file.Seek(0, os.SEEK_CUR)
 	if err := scanner.Err(); err != nil {
 		log.Println("❌ Error reading log file:", err)
 	}
 }
 func sendTelegramAlert(bot *tg.BotAPI, message string) {
-	msg := tg.NewMessage(telegramChatID, fmt.Sprintf("*WEEWOO ALERT*\n%s", message))
+	msg := tg.NewMessage(telegramChatID, fmt.Sprintf("🚨 *WEEWOO ALERT* 🚨\n%s", message))
-	bot.Send(msg)
+	_, err := bot.Send(msg)
 	if err != nil {
 		log.Println("❌ Failed to send Telegram message:", err)
 	}
 }