Deploying WAF-FLE: A Step‑by‑Step Guide to Managing ModSecurity Logs
This article walks you through installing and configuring the open‑source WAF‑FLE console—written in PHP—to collect, search, and visualize ModSecurity logs on Apache or Nginx, covering environment setup, database creation, sensor configuration, and troubleshooting common integration issues.
ModSecurity is a popular open‑source Web Application Firewall originally built as an Apache module but also usable with Nginx. While powerful, its plain‑text logs are hard to analyze, so the WAF‑FLE project provides a dedicated console for managing ModSecurity logs and events.
WAF‑FLE is a PHP‑based open‑source application that requires an LNMP/LAMP stack. After downloading the source from GitHub, you can use the provided extra directory for SQL scripts and web‑server configuration files.
Apache or Nginx
PHP 5.3+ (with php‑pdo, php‑mysql, php‑apc, php‑geoip)
MySQL 5.1+
Install the GeoIP library by downloading the .dat file from MaxMind and placing it where PHP can access it.
Copy the appropriate web‑server configuration from extra (Apache config for Apache, Nginx config for Nginx) and adjust config.php; for example, set APC_ON=false if the APC extension is unavailable.
Access the installation page via your domain, comment out the Apache‑specific check on line 499 of setup.php when using Nginx, and run the database creation wizard. After creation, the default credentials are admin/admin; set $SETUP=false in config.php and change the password.
In the WAF‑FLE UI, add a new sensor under the Management menu. Configure the event receiver to use mlog2waffle with the service daemon for real‑time queries. The required configuration files and startup scripts are also located in the extra directory.
Start mlog2waffle. Because Nginx blocks PUT requests by default, enable the DAV method in the Nginx configuration. Adjust the $CHECK_CERT and $CHECK_CONNECTIVITY flags as needed (disable SSL checks for HTTP, enable connectivity checks).
If Nginx returns a 409 error for PUT requests without a URI, either disable the check in the script or modify the Perl code to include a dummy URI.
Replace Apache‑specific functions (apache_getenv(), getallheaders(), apache_setenv()) with equivalents using $_SERVER and a custom getallheaders() implementation. Comment out the apache_setenv() call that sets REMOTE_USER.
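One way to write the $_SERVER-based replacements described above. This is an added example, not code from the article or from WAF‑FLE; the helper names headers_from_server() and server_env() and all sample values are assumptions made for illustration.

```php
<?php
// Added example, not WAF-FLE code. Helper names are hypothetical.
// Written for PHP 5.3+: no short array syntax, no return types.

// Rebuild request headers from the CGI-style variables PHP-FPM exposes.
function headers_from_server(array $server)
{
    $headers = array();
    foreach ($server as $key => $value) {
        if (strpos($key, 'HTTP_') === 0) {
            $key = substr($key, 5);   // HTTP_USER_AGENT -> USER_AGENT
        } elseif ($key !== 'CONTENT_TYPE' && $key !== 'CONTENT_LENGTH') {
            continue;                 // not a request header
        }
        $words = ucwords(strtolower(str_replace('_', ' ', $key)));
        $headers[str_replace(' ', '-', $words)] = $value; // User-Agent
    }
    return $headers;
}

// Define getallheaders() only where the SAPI does not already provide it.
if (!function_exists('getallheaders')) {
    function getallheaders()
    {
        return headers_from_server($_SERVER);
    }
}

// Stand-in for apache_getenv(). Assumption: callers only need server-set
// values here; HTTP_* entries are copied from client request headers, so
// they are refused rather than returned as if they were server state.
function server_env($name, array $server)
{
    if (strpos($name, 'HTTP_') === 0 || !isset($server[$name])) {
        return false;
    }
    return $server[$name];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample of $_SERVER under Nginx + PHP-FPM.
    $sample = array(
        'REMOTE_ADDR'          => '192.0.2.10',
        'CONTENT_TYPE'         => 'application/octet-stream',
        'HTTP_USER_AGENT'      => 'example-sensor/1.0',
        'HTTP_X_EXAMPLE_TOKEN' => 'constructed-value',
    );
    print_r(headers_from_server($sample));
    var_dump(server_env('REMOTE_ADDR', $sample), server_env('HTTP_X_EXAMPLE_TOKEN', $sample));
}
```

Header names are rebuilt from upper‑case variables, so the original casing is lost; code that reads them should compare names case‑insensitively.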
After these modifications, restart mlog2waffle. The Nginx access log will show events being sent to WAF‑FLE via PUT. Adjust the regular expression in the readIndex method to match your own ModSecurity log format, then the index.php receiver will parse and display the events.
Despite being an older project, WAF‑FLE provides sufficient functionality for comprehensive ModSecurity log analysis.
