
Step‑by‑Step Guide to Install and Use WAF‑FLE for ModSecurity Log Management

This article walks you through installing the open‑source WAF‑FLE console, configuring its PHP/LNMP environment, setting up ModSecurity log ingestion with mlog2waffle, and troubleshooting common issues so you can efficiently monitor and analyze web‑application firewall events.

Efficient Ops

ModSecurity is a powerful open‑source Web Application Firewall (WAF) originally built as an Apache module but now usable with Nginx. While it provides strong intrusion detection, its plain‑text log format makes analysis cumbersome.

WAF‑FLE is an open‑source PHP console designed to manage ModSecurity logs and events, allowing administrators to view, search, and analyze records through a web interface.

WAF‑FLE requires an LNMP/LAMP stack with the following components:

Apache or Nginx

PHP 5.3+ (including php‑pdo, php‑mysql, php‑apc, php‑geoip)

MySQL 5.1+

Install the MaxMind GeoIP database (download the .dat file from MaxMind) to enable IP location lookup.

Download WAF‑FLE from its GitHub repository, place the provided SQL and Apache configuration files from the extra directory into the appropriate locations, and adjust the Nginx configuration if needed.

During setup, disable the APC cache by setting APC_ON=false in config.php if the APC extension is unavailable.

After completing the web‑based installer, log in with the default credentials (admin/admin), then set a new username and password.

Create a sensor in the Management menu to receive logs, then configure an event receiver using the mlog2waffle method. Set the WAF‑FLE controller URL and enable real‑time queries via the service daemon.

Copy the provided mlog2waffle configuration files and start the daemon. Because Nginx blocks PUT requests by default, enable the DAV method to allow them.

Common issues and fixes:

Set $CHECK_CERT="FALSE" when using HTTP to avoid SSL handshake failures.

Disable the built‑in ModSecurity functions (apache_getenv(), getallheaders(), apache_setenv()) when running under Nginx, replacing them with equivalents that use $_SERVER.

Comment out the Apache‑specific code in setup.php and index.php that relies on apache_setenv().
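
The $_SERVER-based replacements described above could look like the following. This is an added example, not code from WAF‑FLE or from the original article; it assumes PHP-FPM behind Nginx with the standard FastCGI parameters and stays compatible with PHP 5.3.

```php
<?php
// Added example: fallbacks for the Apache-only functions when PHP runs under Nginx.
// Each one is defined only if missing, so the same file still loads under mod_php.

if (!function_exists('getallheaders')) {
    function getallheaders() {
        $headers = array();
        foreach ($_SERVER as $key => $value) {
            if (strpos($key, 'HTTP_') === 0) {
                $name = substr($key, 5);
            } elseif (($key === 'CONTENT_TYPE' || $key === 'CONTENT_LENGTH') && $value !== '') {
                // FastCGI passes these two without the HTTP_ prefix.
                $name = $key;
            } else {
                continue;
            }
            // HTTP_X_FORWARDED_FOR -> X-Forwarded-For. Apache keeps the client's
            // original casing, so callers should compare names case-insensitively.
            $name = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', $name))));
            $headers[$name] = $value;
        }
        return $headers;
    }
}

if (!function_exists('apache_getenv')) {
    function apache_getenv($variable, $walk_to_top = false) {
        // $_SERVER keys starting with HTTP_ come from request headers and are
        // client-controlled; do not base trust decisions on such names.
        return isset($_SERVER[$variable]) ? $_SERVER[$variable] : false;
    }
}

if (!function_exists('apache_setenv')) {
    function apache_setenv($variable, $value, $walk_to_top = false) {
        // There is no Apache environment table under FPM; store the value in
        // $_SERVER so that later apache_getenv() calls in this request see it.
        $_SERVER[$variable] = $value;
        return true;
    }
}
```

Loading a file like this before the application code keeps the rest of the scripts unchanged, and the function_exists() guards avoid redeclaration errors on PHP builds that already provide getallheaders().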

After adjusting these settings, start mlog2waffle. The daemon will send parsed events to WAF‑FLE via PUT requests, which you can verify in the Nginx access log.

Finally, customize the regular expression in readIndex to match your ModSecurity log format, ensuring proper parsing and event transmission.

With WAF‑FLE fully deployed, you have a functional solution for analyzing ModSecurity logs despite the project’s age.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
