WHM API 1 Functions - modsec_get_log

Description

This function retrieves ModSecurity™ log entries from the modsec MySQL® database.

Important:

In cPanel & WHM version 76 and later, when you disable the WebServer role, the system disables this function. For more information, read our How to Use Server Profiles documentation.

Examples 


 JSON API
https://hostname.example.com:2087/cpsess##########/json-api/modsec_get_log?api.version=1
 XML API
https://hostname.example.com:2087/cpsess##########/xml-api/modsec_get_log?api.version=1
 Command Line
whmapi1 modsec_get_log


Notes:

  • You must URI-encode values.
  • For more information and additional output options, read our Guide to WHM API 1 documentation or run the whmapi1 --help command.
  • If you run CloudLinux™, you must use the full path of the whmapi1 command:

    /usr/local/cpanel/bin/whmapi1

 Output (JSON)
{
    "data": {
        "data": [
            {
                "meta_id": "981054",
                "ip": "10.1.1.100",
                "file_exists": 1,
                "http_version": "HTTP/1.1",
                "reportable": 1,
                "meta_line": "24",
                "timestamp": "2014-11-10 13:33:08",
                "meta_uri": null,
                "id": "28",
                "http_method": "GET",
                "http_status": "403",
                "timezone": "-360",
                "meta_file": "/usr/local/apache/conf/modsec_vendor_configs/OWASP/optional_rules/modsecurity_crs_16_session_hijacking.conf",
                "action_desc": "Access denied with code 403 (phase 1).",
                "meta_logdata": null,
                "path": "/favicon.ico",
                "host": "server.example.com",
                "handler": null,
                "meta_offset": "0",
                "meta_rev": null,
                "justification": "Operator EQ matched 1 at SESSION:IS_NEW.",
                "meta_severity": null,
                "meta_msg": "Invalid SessionID Submitted."
            },
            {
                "meta_id": "981054",
                "ip": "10.1.1.100",
                "file_exists": 1,
                "http_version": "HTTP/1.1",
                "reportable": 1,
                "meta_line": "24",
                "timestamp": "2014-11-10 13:33:08",
                "meta_uri": null,
                "id": "27",
                "http_method": "GET",
                "http_status": "403",
                "timezone": "-360",
                "meta_file": "/usr/local/apache/conf/modsec_vendor_configs/OWASP/optional_rules/modsecurity_crs_16_session_hijacking.conf",
                "action_desc": "Access denied with code 403 (phase 1).",
                "meta_logdata": null,
                "path": "/~example/sys_cpanel/images/bottombody.jpg",
                "host": "server.example.com",
                "handler": null,
                "meta_offset": "0",
                "meta_rev": null,
                "justification": "Operator EQ matched 1 at SESSION:IS_NEW.",
                "meta_severity": null,
                "meta_msg": "Invalid SessionID Submitted."
            }
        ]
    },
    "metadata": {
        "version": 1,
        "reason": "OK",
        "result": 1,
        "command": "modsec_get_log"
    }
}
 Output (XML)
<result>
    <data>
        <data>
            <meta_id>981054</meta_id>
            <ip>10.1.1.100</ip>
            <file_exists>1</file_exists>
            <http_version>HTTP/1.1</http_version>
            <reportable>1</reportable>
            <meta_line>24</meta_line>
            <timestamp>2014-11-10 13:33:08</timestamp>
            <meta_uri/>
            <id>28</id>
            <http_method>GET</http_method>
            <http_status>403</http_status>
            <timezone>-360</timezone>
            <meta_file>/usr/local/apache/conf/modsec_vendor_configs/OWASP/optional_rules/modsecurity_crs_16_session_hijacking.conf</meta_file>
            <action_desc>Access denied with code 403 (phase 1).</action_desc>
            <meta_logdata/>
            <path>/favicon.ico</path>
            <host>server.example.com</host>
            <handler/>
            <meta_offset>0</meta_offset>
            <meta_rev/>
            <justification>Operator EQ matched 1 at SESSION:IS_NEW.</justification>
            <meta_severity/>
            <meta_msg>Invalid SessionID Submitted.</meta_msg>
        </data>
        <data>
            <meta_id>981054</meta_id>
            <ip>10.1.1.100</ip>
            <file_exists>1</file_exists>
            <http_version>HTTP/1.1</http_version>
            <reportable>1</reportable>
            <meta_line>24</meta_line>
            <timestamp>2014-11-10 13:33:08</timestamp>
            <meta_uri/>
            <id>27</id>
            <http_method>GET</http_method>
            <http_status>403</http_status>
            <timezone>-360</timezone>
            <meta_file>/usr/local/apache/conf/modsec_vendor_configs/OWASP/optional_rules/modsecurity_crs_16_session_hijacking.conf</meta_file>
            <action_desc>Access denied with code 403 (phase 1).</action_desc>
            <meta_logdata/>
            <path>/~example/sys_cpanel/images/bottombody.jpg</path>
            <host>server.example.com</host>
            <handler/>
            <meta_offset>0</meta_offset>
            <meta_rev/>
            <justification>Operator EQ matched 1 at SESSION:IS_NEW.</justification>
            <meta_severity/>
            <meta_msg>Invalid SessionID Submitted.</meta_msg>
        </data>
    </data>
    <metadata>
        <version>1</version>
        <reason>OK</reason>
        <result>1</result>
        <command>modsec_get_log</command>
    </metadata>
</result>


Note:

Use WHM's API Shell interface (WHM >> Home >> Development >> API Shell) to directly test WHM API calls.

Parameters

This function does not accept parameters.

Returns

Return

Type

Description

Possible values

Example

data

array of hashes

A hash that contains information about the log entry.

Each hash includes the meta_id, id, ip, http_version, meta_line, timestamp, meta_uri, http_method, http_status, timezone, meta_file, action_desc, meta_logdata, path, host, handler, meta_offset, meta_rev, justification, meta_severity, meta_msg, file_exists, and reportable returns.

meta_id

integer

The ID of the ModSecurity rule that triggered the log entry.

The function returns this value in the data array.

A valid ModSecurity ID.
960032

id

integer

The line number from the modsec database.

The function returns this value in the data array.

A positive integer.
28

ip

integer

The client's IP address.

The function returns this value in the data array.

A valid IP address.
10.1.14.77

http_version

string

The HTTP version number.

The function returns this value in the data array.

A valid string.
HTTP/1.1

meta_line

integer

The ModSecurity rule's line number that triggered the log entry.

The function returns this value in the data array.

A positive integer.
31

timestamp

string

When the system recorded the log entry.

The function returns this value in the data array.

 

A valid date in YYYY-MM-DD HH:mm:SS format:

  • YYYY represents the year
  • MM represents the month
  • DD represents the day
  • HH represents the hour
  • mm represents the minute
  • SS represents the second

Note:

This value uses the server's configured time zone. 

2014-10-13 07:58:04

meta_uri

string

The client-requested URI.

The function returns this value in the data array.

A valid URI.

Note:

This data is not always available.

 

http_method

string

The HTTP method that the client used to generate the hit.

The function returns this value in the data array.

A valid HTTP method.
GET

http_status

integer

The HTTP status code that the web server returned.

The function returns this value in the data array.

A valid HTTP status code.
406

timezone

integer

The server's configured timezone.

The function returns this value in the data array.

A valid timezone bias, measured in minutes difference from UTC/GMT.

 

-300

meta_file

string

The ModSecurity configuration file with the rule that triggered the log entry.

The function returns this value in the data array.

A valid file path and name.
/usr/local/apache/conf/modsec_vendor_configs/OWASP/base_rules/modsecurity_crs_30_http_policy.conf 

action_desc

string

The web server's response to the client.

The function returns this value in the data array.

A valid string.

Access denied with code 406 (phase 1).

meta_logdata

string

The transaction data fragment from the ModSecurity rule's logdata action.

The function returns this value in the data array.

A valid string.
GET

path

string

The accessed file's path.

The function returns this value in the data array.

An absolute path and filename.

/favicon.ico

host

string

The virtual host's domain name.

The function returns this value in the data array.

A valid hostname.
xtest1.tld

handler

string

This parameter only returns null.

The function returns this value in the data array.

null

null

meta_offset

integer

The byte offset at which a match occurred within the target data.

The function returns this value in the data array.

 A valid integer.

Note:

This data is not always available.

 0

meta_rev

integer

The revision number from the ModSecurity rule's rev action.

The function returns this value in the data array.

A positive integer.
2

justification

string

The specific criteria from the ModSecurity rule that generated the hit.

The function returns this value in the data array.

A valid string.
Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required.

meta_severity

string

The hit severity level from the ModSecurity rule's severity action.

The function returns this value in the data array.

A valid string.
CRITICAL

meta_msg

string

The human-readable message from the ModSecurity rule's msg action.

The function returns this value in the data array.

A valid string.

Method is not allowed by policy

file_exists

Boolean

Whether the file in the meta_file return exists.

The function returns this parameter in the data hash.

  • 1 — The file exists.
  • 0 — The file does not exist.
1

reportable

Boolean

Whether the system can report the rule to the vendor.

Note:

The vendor must have configured a report URL in order to report a rule.

The function returns this parameter in the data hash.

  • 1 — Report the rule to the vendor.
  • 0 — Do not report the rule to the vendor.
1
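
Added example (not part of the cPanel documentation): one way to consume the JSON output for triage, checking metadata.result, converting the string-typed fields, tolerating null meta_* values, and normalizing the server-local timestamp to UTC. The function names are hypothetical, the sample is constructed from the output shown above, and the sign convention for timezone (-360 meaning UTC-06:00) is an assumption.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: the two entries from the JSON output above, trimmed to
# the fields used here.
SAMPLE = """
{"data": {"data": [
  {"id": "28", "meta_id": "981054", "ip": "10.1.1.100",
   "timestamp": "2014-11-10 13:33:08", "timezone": "-360",
   "http_status": "403", "host": "server.example.com",
   "path": "/favicon.ico", "meta_severity": null,
   "meta_msg": "Invalid SessionID Submitted."},
  {"id": "27", "meta_id": "981054", "ip": "10.1.1.100",
   "timestamp": "2014-11-10 13:33:08", "timezone": "-360",
   "http_status": "403", "host": "server.example.com",
   "path": "/~example/sys_cpanel/images/bottombody.jpg",
   "meta_severity": null, "meta_msg": "Invalid SessionID Submitted."}]},
 "metadata": {"version": 1, "reason": "OK", "result": 1,
              "command": "modsec_get_log"}}
"""

def to_utc(entry):
    # Assumption: "timezone" is the server's offset from UTC in minutes,
    # so -360 means UTC-06:00 and UTC = local time - offset.
    local = datetime.strptime(entry["timestamp"], "%Y-%m-%d %H:%M:%S")
    shifted = local - timedelta(minutes=int(entry["timezone"]))
    return shifted.replace(tzinfo=timezone.utc)

def parse_log(raw):
    """Return normalized hits, ordered by modsec database id."""
    doc = json.loads(raw)
    meta = doc.get("metadata", {})
    if meta.get("result") != 1:
        raise RuntimeError("modsec_get_log failed: %s" % meta.get("reason"))
    hits = []
    for e in (doc.get("data") or {}).get("data") or []:
        hits.append({
            "id": int(e["id"]), "rule_id": str(e["meta_id"]), "ip": e["ip"],
            "utc": to_utc(e), "status": int(e["http_status"]),
            "host": e["host"], "path": e["path"],
            # meta_* values come from optional rule actions and may be null.
            "severity": e.get("meta_severity") or "UNSET",
            "msg": e.get("meta_msg") or "",
        })
    return sorted(hits, key=lambda h: h["id"])

def hits_per_client_rule(hits):
    """Count hits per (client IP, rule ID) to spot noisy rules or clients."""
    return Counter((h["ip"], h["rule_id"]) for h in hits)
```

Grouping by (ip, meta_id) separates a single client repeatedly tripping one rule, as in the sample, from a rule that fires across many clients and may need tuning.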