
Deploying WAF-FLE: A Step‑by‑Step Guide to Managing ModSecurity Logs

This article walks you through installing and configuring the open‑source WAF‑FLE console—written in PHP—to collect, search, and visualize ModSecurity logs on Apache or Nginx, covering environment setup, database creation, sensor configuration, and troubleshooting common integration issues.

Efficient Ops

ModSecurity is a popular open‑source Web Application Firewall originally built as an Apache module but also usable with Nginx. While powerful, its plain‑text logs are hard to analyze, so the WAF‑FLE project provides a dedicated console for managing ModSecurity logs and events.

WAF‑FLE is a PHP‑based open‑source application that requires an LNMP/LAMP stack. After downloading the source from GitHub, you can use the provided `extra` directory for SQL scripts and web‑server configuration files.

Apache or Nginx

PHP 5.3+ (with php‑pdo, php‑mysql, php‑apc, php‑geoip)

MySQL 5.1+

Install the GeoIP library by downloading the `.dat` file from MaxMind and placing it where PHP can access it.

Copy the appropriate web‑server configuration from `extra` (Apache config for Apache, Nginx config for Nginx) and adjust `config.php`; for example, set `APC_ON=false` if the APC extension is unavailable.

Access the installation page via your domain, comment out the Apache‑specific check on line 499 of `setup.php` when using Nginx, and run the database creation wizard. After creation, the default credentials are `admin/admin`; set `$SETUP=false` in `config.php` and change the password.

In the WAF‑FLE UI, add a new sensor under the Management menu. Configure the event receiver to use `mlog2waffle` with the service daemon for real‑time queries. The required configuration files and startup scripts are also located in the `extra` directory.

Start `mlog2waffle`. Because Nginx blocks PUT requests by default, enable the DAV method in the Nginx configuration. Adjust the `$CHECK_CERT` and `$CHECK_CONNECTIVITY` flags as needed (disable SSL checks for HTTP, enable connectivity checks).

If Nginx returns a 409 error for PUT requests without a URI, either disable the check in the script or modify the Perl code to include a dummy URI.

Replace Apache‑specific functions (`apache_getenv()`, `getallheaders()`, `apache_setenv()`) with equivalents using `$_SERVER` and a custom `getallheaders()` implementation. Comment out the `apache_setenv()` call that sets `REMOTE_USER`.
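One way to write the replacements described above for Nginx with PHP‑FPM, as an added example that is not code from WAF‑FLE or from the original article. The helper names `headers_from_server()` and `env_from_server()` are hypothetical, and the `$sample` array is constructed for illustration.

```php
<?php
// Added example: shims for running an Apache-oriented PHP receiver under Nginx/PHP-FPM.
// headers_from_server() and env_from_server() are hypothetical helper names.

// Rebuild the request headers from a $_SERVER-style array.
function headers_from_server(array $server)
{
    $headers = array();
    foreach ($server as $key => $value) {
        if (strpos($key, 'HTTP_') === 0) {
            $name = substr($key, 5);
        } elseif ($key === 'CONTENT_TYPE' || $key === 'CONTENT_LENGTH') {
            // FastCGI passes these two headers without the HTTP_ prefix.
            $name = $key;
        } else {
            continue; // not a request header (REMOTE_ADDR, SCRIPT_NAME, ...)
        }
        // HTTP_X_FORWARDED_FOR -> X-Forwarded-For
        $name = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', $name))));
        $headers[$name] = $value;
    }
    return $headers;
}

// Define getallheaders() only where the running SAPI does not already provide it.
if (!function_exists('getallheaders')) {
    function getallheaders()
    {
        return headers_from_server($_SERVER);
    }
}

// Stand-in for apache_getenv(): returns the value, or false when the variable is unset.
function env_from_server($name, $server = null)
{
    $server = ($server === null) ? $_SERVER : $server;
    return isset($server[$name]) ? $server[$name] : false;
}

// Constructed sample of what PHP-FPM exposes for a PUT from a log sender.
$sample = array(
    'REQUEST_METHOD'        => 'PUT',
    'REMOTE_ADDR'           => '192.0.2.10',
    'CONTENT_LENGTH'        => '2048',
    'HTTP_HOST'             => 'waffle.example.test',
    'HTTP_X_EXAMPLE_SENSOR' => 'sensor01',
);
print_r(headers_from_server($sample));
var_dump(env_from_server('REMOTE_ADDR', $sample)); // value set by the web server
var_dump(env_from_server('REMOTE_USER', $sample)); // false: not set in this sample
```

Header names come back in canonical `X-Forwarded-For` style rather than the casing the client sent, so any lookup in the receiver should use that form. Everything under `HTTP_*` is supplied by the client, while `REMOTE_ADDR` is set by the web server.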

After these modifications, restart `mlog2waffle`. The Nginx access log will show events being sent to WAF‑FLE via PUT. Adjust the regular expression in the `readIndex` method to match your own ModSecurity log format, then the `index.php` receiver will parse and display the events.

Despite being an older project, WAF‑FLE provides sufficient functionality for comprehensive ModSecurity log analysis.
