Check triggered ModSecurity Rules on Nginx audit logs.

asrar
This post shows how to check which ModSecurity rules were triggered, using the Nginx audit log. It is useful for seeing, for each triggered rule, the rule ID, IP and URL of the related connection.

Here’s the command:

# grep "\[id" /var/log/modsec_audit.log | sed -E -e 's#^.*\[id "([0-9]*).*hostname "([a-zA-Z0-9_.-]*)"].*uri "(.*?)".*"#\1 \2 \3#' | cut -d\" -f1 | sort -n | uniq -c | sort -n
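The same per-rule count as an added example (not part of the original post), written so that it does not depend on the order of the fields and prints "-" for a field that is missing. The function names and the sample log lines are constructed for illustration, and the input is assumed to be message lines carrying [name "value"] fields as in the command above.

```shell
#!/bin/sh
# Added example: count triggered rules per (rule id, hostname, uri).
# Assumes audit-log message lines that carry [name "value"] fields.

modsec_rule_summary() {
    # $1 = audit log path. Output: "<count> <id> <hostname> <uri>", lowest count first.
    awk '
    # Return the value of the first [name "value"] field on the line, or "-".
    function field(name,    start, rest, stop) {
        start = index($0, "[" name " \"")
        if (start == 0) return "-"
        rest = substr($0, start + length(name) + 3)
        stop = index(rest, "\"]")
        return (stop > 0) ? substr(rest, 1, stop - 1) : "-"
    }
    # Only lines that name a rule id are counted.
    /\[id "/ { hits[field("id") " " field("hostname") " " field("uri")]++ }
    END { for (k in hits) print hits[k], k }
    ' "$1" | LC_ALL=C sort -k1,1n -k2
}

# Constructed sample: rule ids, hosts and URIs are made up for the demo.
write_sample_log() {
    cat > "$1" <<'EOF'
---AbCdEf12---H--
ModSecurity: Warning. [file "/etc/nginx/modsec/demo.conf"] [line "10"] [id "100001"] [msg "Demo rule A"] [hostname "shop-1.example.com"] [uri "/login"] [unique_id "1"] [ref ""]
ModSecurity: Warning. [file "/etc/nginx/modsec/demo.conf"] [line "10"] [id "100001"] [msg "Demo rule A"] [hostname "shop-1.example.com"] [uri "/login"] [unique_id "2"] [ref ""]
ModSecurity: Warning. [file "/etc/nginx/modsec/demo.conf"] [line "20"] [id "100002"] [msg "Demo rule B"] [uri "/search"] [hostname "192.0.2.10"] [unique_id "3"] [ref ""]
ModSecurity: Warning. [file "/etc/nginx/modsec/demo.conf"] [line "10"] [id "100001"] [msg "Demo rule A"] [hostname "shop-1.example.com"] [uri "/login"] [unique_id "4"] [ref ""]
ModSecurity: Warning. [file "/etc/nginx/modsec/demo.conf"] [line "30"] [id "100003"] [msg "Demo rule C"] [hostname "192.0.2.10"] [unique_id "5"] [ref ""]
---AbCdEf12---Z--
EOF
}

# Demo run on the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
modsec_rule_summary "$demo_log"
rm -f "$demo_log"
```

To run it against a real log, call modsec_rule_summary /var/log/modsec_audit.log in place of the demo lines at the end.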
