
我正在使用 ModSecurity，它的 Audit Log 是一个由 json 对象组成的日志流，如下所示：

{"transaction":{"time":"28/Mar/2017:15:39:04 +0200","transaction_id":"18158513699705323558","remote_address":"","remote_port":80,"local_address":"127.0.0.1","local_port":80},"request":{"request_line":"GET /iisstart.htm HTTP/1.1","headers":{"Connection":"keep-alive","Content-Length":"0","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Accept-Encoding":"gzip, deflate, sdch, br","Accept-Language":"sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4","Cookie":"__RequestVerificationToken_L1RyaWdnZXJmaXNoQ2hlY2tlcg2=5nsH5sCVPvlJkp2YTy6WfYQZaKVxA29eUNBnNIc_c_MvRN2mcbMzidOcQ08ZiVIzUSi66El47gpRMhUGSXQp80iesDfwrQBs9sHLf8fjIA01; .AspNet.ApplicationCookie=rURcshk7kll_zQlPMEBpFjDu3Pah-k__4WpYefzrps_Fe6IDVSzZwp2mRzhlYbSwcGv0f8mITnGmKm6bHcif1G1hHJcOm-SRYIK6_f4jiAFRH4Bw95dcbErunAJsxhI72jLEuGm9cifuIyxRWFjDcDDq5KS6Qvs8I359H_gXYjYUyTFAkTP90mgpNHVV8Z3jrIHCGGIWvB0Un7qC0mXt_09fuX7YA2PZXN5qeVfAhyOhEB1buIIEaRfTlzqIdECW_09bQXoCDO6srg3nzhiQ_UdGUveiBlG06VfVV6RgpMix_T7dBQIUKbD3xRk-hacWrpWfgMkE6hAi1DDA8Y3dFLJof4bX_gfAt4293u7EtEXN1SiiA0Y120IuwuG8Eo3DX0moFM292XtVE_9ZCgdesTvjseuk6yncjrKuvdpfDzh8BnT_oyQWRURv_WMp-KC7ju_4RxnMa3yx1K2pSC5Yn4aSMYCtihrzRRxd50AhVNJezn3YsOzzWJp9HKDYTV4r","Host":"localhost","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","Upgrade-Insecure-Requests":"1"},"body":[]},"response":{"protocol":"HTTP/1.1","status":0,"headers":{}},"audit_data":{"messages":["collections_remove_stale: Failed to access DBM file \"C:/inetpub/temp/global\": Access is denied.  ","collections_remove_stale: Failed to access DBM file \"C:/inetpub/temp/ip\": Access is denied.  "],"handler":"IIS","stopwatch":{"p1":0,"p2":10052,"p3":0,"p4":0,"p5":501,"sr":0,"sw":0,"l":0,"gc":501},"producer":["ModSecurity for IIS (STABLE)/2.9.1 (http://www.modsecurity.org/)","OWASP_CRS/2.2.9","OWASP_CRS/3.0.0"],"server":"ModSecurity Standalone","engine_mode":"DETECTION_ONLY"}}
{"transaction":{"time":"28/Mar/2017:15:39:04 +0200","transaction_id":"18158513699705323558","remote_address":"","remote_port":80,"local_address":"127.0.0.1","local_port":80},"request":{"request_line":"GET / HTTP/1.1","headers":{"Connection":"keep-alive","Content-Length":"0","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Accept-Encoding":"gzip, deflate, sdch, br","Accept-Language":"sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4","Cookie":"__RequestVerificationToken_L1RyaWdnZXJmaXNoQ2hlY2tlcg2=5nsH5sCVPvlJkp2YTy6WfYQZaKVxA29eUNBnNIc_c_MvRN2mcbMzidOcQ08ZiVIzUSi66El47gpRMhUGSXQp80iesDfwrQBs9sHLf8fjIA01; .AspNet.ApplicationCookie=rURcshk7kll_zQlPMEBpFjDu3Pah-k__4WpYefzrps_Fe6IDVSzZwp2mRzhlYbSwcGv0f8mITnGmKm6bHcif1G1hHJcOm-SRYIK6_f4jiAFRH4Bw95dcbErunAJsxhI72jLEuGm9cifuIyxRWFjDcDDq5KS6Qvs8I359H_gXYjYUyTFAkTP90mgpNHVV8Z3jrIHCGGIWvB0Un7qC0mXt_09fuX7YA2PZXN5qeVfAhyOhEB1buIIEaRfTlzqIdECW_09bQXoCDO6srg3nzhiQ_UdGUveiBlG06VfVV6RgpMix_T7dBQIUKbD3xRk-hacWrpWfgMkE6hAi1DDA8Y3dFLJof4bX_gfAt4293u7EtEXN1SiiA0Y120IuwuG8Eo3DX0moFM292XtVE_9ZCgdesTvjseuk6yncjrKuvdpfDzh8BnT_oyQWRURv_WMp-KC7ju_4RxnMa3yx1K2pSC5Yn4aSMYCtihrzRRxd50AhVNJezn3YsOzzWJp9HKDYTV4r","Host":"localhost","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","Upgrade-Insecure-Requests":"1"},"body":[]},"response":{"protocol":"HTTP/1.1","status":0,"headers":{}},"audit_data":{"messages":["IPmatch: bad IPv4 specification \"\".","Rule processing failed."],"handler":"IIS","stopwatch":{"p1":499,"p2":12501,"p3":0,"p4":0,"p5":0,"sr":0,"sw":0,"l":0,"gc":0},"producer":["ModSecurity for IIS (STABLE)/2.9.1 (http://www.modsecurity.org/)","OWASP_CRS/2.2.9","OWASP_CRS/3.0.0"],"server":"ModSecurity Standalone","engine_mode":"DETECTION_ONLY"}}
{"transaction":{"time":"28/Mar/2017:15:39:04 +0200","transaction_id":"18158513699705323558","remote_address":"","remote_port":80,"local_address":"127.0.0.1","local_port":80},"request":{"request_line":"GET / HTTP/1.1","headers":{"Connection":"keep-alive","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Accept-Encoding":"gzip, deflate, sdch, br","Accept-Language":"sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4","Cookie":"__RequestVerificationToken_L1RyaWdnZXJmaXNoQ2hlY2tlcg2=5nsH5sCVPvlJkp2YTy6WfYQZaKVxA29eUNBnNIc_c_MvRN2mcbMzidOcQ08ZiVIzUSi66El47gpRMhUGSXQp80iesDfwrQBs9sHLf8fjIA01; .AspNet.ApplicationCookie=rURcshk7kll_zQlPMEBpFjDu3Pah-k__4WpYefzrps_Fe6IDVSzZwp2mRzhlYbSwcGv0f8mITnGmKm6bHcif1G1hHJcOm-SRYIK6_f4jiAFRH4Bw95dcbErunAJsxhI72jLEuGm9cifuIyxRWFjDcDDq5KS6Qvs8I359H_gXYjYUyTFAkTP90mgpNHVV8Z3jrIHCGGIWvB0Un7qC0mXt_09fuX7YA2PZXN5qeVfAhyOhEB1buIIEaRfTlzqIdECW_09bQXoCDO6srg3nzhiQ_UdGUveiBlG06VfVV6RgpMix_T7dBQIUKbD3xRk-hacWrpWfgMkE6hAi1DDA8Y3dFLJof4bX_gfAt4293u7EtEXN1SiiA0Y120IuwuG8Eo3DX0moFM292XtVE_9ZCgdesTvjseuk6yncjrKuvdpfDzh8BnT_oyQWRURv_WMp-KC7ju_4RxnMa3yx1K2pSC5Yn4aSMYCtihrzRRxd50AhVNJezn3YsOzzWJp9HKDYTV4r","Host":"localhost","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","Upgrade-Insecure-Requests":"1"}},"response":{"protocol":"HTTP/1.1","status":0,"headers":{}},"audit_data":{"messages":["IPmatch: bad IPv4 specification \"\".","Rule processing failed."],"handler":"IIS","stopwatch":{"p1":1003,"p2":20520,"p3":0,"p4":0,"p5":0,"sr":0,"sw":0,"l":0,"gc":0},"producer":["ModSecurity for IIS (STABLE)/2.9.1 (http://www.modsecurity.org/)","OWASP_CRS/2.2.9","OWASP_CRS/3.0.0"],"server":"ModSecurity Standalone","engine_mode":"DETECTION_ONLY"}}

它们不在列表中,也没有逗号分隔。

我现在让它工作的唯一方法是使用下面的方法。但是,当我使用此方法的结果时,此方法要求我的流是打开的,我认为这可能会由于关闭的流而在应用程序中造成一些麻烦。有没有更好的方法从文件中读取 json 对象流?

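/// <summary>
/// Lazily reads a ModSecurity JSON audit log in which each transaction is a
/// standalone JSON object concatenated with the next (no enclosing array, no
/// separators) and yields each object as a <see cref="ModsecurityLogEntry"/>.
/// </summary>
/// <param name="path">
/// Audit log to read. Defaults to the IIS ModSecurity log location this project uses.
/// </param>
/// <returns>
/// A deferred sequence of entries. The file is opened when enumeration starts and
/// closed when the sequence is exhausted or the enumerator is disposed (e.g. when a
/// <c>foreach</c> exits early). Callers that need the entries after enumeration
/// has ended should materialize the sequence (<c>ToList()</c>) rather than hold on
/// to the enumerator.
/// </returns>
/// <remarks>
/// Every entry carries the full request headers of the logged transaction,
/// including <c>Cookie</c>; treat the returned data as sensitive when it is
/// logged, displayed or forwarded.
/// </remarks>
public IEnumerable<ModsecurityLogEntry> ReadAuditLog(string path = "C:\\inetpub\\logs\\modsec_audit.log")
{
    // FileShare.ReadWrite: the log is presumably still held open by the WAF
    // process for writing, so an exclusive open would fail.
    using (var fileStream = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
    using (var streamReader = new StreamReader(fileStream))
    using (var jsonTextReader = new JsonTextReader(streamReader) { SupportMultipleContent = true })
    {
        var serializer = new JsonSerializer();

        // Each Read() moves the reader to the next top-level token (the start of
        // the next object); Deserialize consumes that whole object, so one loop
        // iteration corresponds to exactly one audit entry.
        while (jsonTextReader.Read())
        {
            yield return serializer.Deserialize<ModsecurityLogEntry>(jsonTextReader);
        }
    }
}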



像这样解决它，不是最漂亮的解决方案，但现在我不必担心被关闭的流。如果日志文件变大，可能会出现问题，但会单独处理。

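/// <summary>
/// Eagerly reads a ModSecurity JSON audit log in which each transaction is a
/// standalone JSON object concatenated with the next (no enclosing array, no
/// separators) and returns all entries as a fully materialized list.
/// </summary>
/// <param name="path">
/// Audit log to read. Defaults to the IIS ModSecurity log location this project uses.
/// </param>
/// <returns>
/// All entries in the file. The file is closed before this method returns, so the
/// result can be used freely afterwards; the trade-off is that the whole log is
/// held in memory, which matters once the file grows large.
/// </returns>
/// <remarks>
/// Every entry carries the full request headers of the logged transaction,
/// including <c>Cookie</c>; treat the returned data as sensitive when it is
/// logged, displayed or forwarded.
/// </remarks>
public IEnumerable<ModsecurityLogEntry> ReadAuditLog(string path = "C:\\inetpub\\logs\\modsec_audit.log")
{
    var entries = new List<ModsecurityLogEntry>();

    // FileShare.ReadWrite: the log is presumably still held open by the WAF
    // process for writing, so an exclusive open would fail.
    using (var fileStream = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
    using (var streamReader = new StreamReader(fileStream))
    using (var jsonTextReader = new JsonTextReader(streamReader) { SupportMultipleContent = true })
    {
        var serializer = new JsonSerializer();

        // Each Read() moves the reader to the start of the next object; deserializing
        // straight from the reader replaces the earlier JObject.Load -> ToString ->
        // DeserializeObject round-trip, which parsed every entry twice.
        while (jsonTextReader.Read())
        {
            entries.Add(serializer.Deserialize<ModsecurityLogEntry>(jsonTextReader));
        }
    }

    return entries;
}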
于 2017-03-28T14:24:54.357 回答