WAF ModSecurity Tutorial
This guide explains how to integrate SmartSezam with your Web Application Firewall (WAF) — such as ModSecurity — by parsing its audit logs and sending key events to SmartSezam in real time for risk analysis.
While this guide focuses on ModSecurity with NGINX, the same logic can be adapted to other WAFs or logging pipelines.
If you’re using a different setup, contact us — we’ll be happy to assist.
I - Technical Prerequisites
Before getting started, ensure that:
- Your WAF (e.g. ModSecurity) is correctly installed and active
- You have basic knowledge of NGINX configuration and Linux commands
- Audit logging is enabled and logs are written to a known file, e.g.: /var/log/nginx-modsecurity/modsec_audit.log
- The following variables are prepared beforehand:
  - $instanceDomainName = The full domain of your SmartSezam instance
  - $apiKey = Your SmartSezam API key.
II - Installation and Configuration
1. Installing WAF Log Parsing Agent
The agent is provided by SmartSezam. Follow the installation instructions specific to your environment (Linux system, etc.).
2. Configure the Agent
You will need to specify:
- The full path to your ModSecurity audit logs
- Your SmartSezam instance domain name (i.e. $instanceDomainName)
- Your API key (i.e. $apiKey)
3. Start the Agent
Once started, the agent will continuously monitor the log file, extract relevant security events, and forward them to your SmartSezam instance in real time.
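To make the "extract relevant security events" step concrete, here is an added example (not SmartSezam's agent code) that parses ModSecurity's native serial audit log format into one event per transaction. It assumes the serial format rather than JSON logging; the function names and the sample entries are constructed for illustration.

```python
import re

# Part boundary: "--id-A--" (ModSecurity 2.x) or "---id---A--" (3.x)
BOUNDARY = re.compile(r"^-{2,3}(\w+)-{1,3}([A-Z])--$")
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
PART_A = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)")
RULE_TAG = re.compile(r'\[(id|msg) "([^"]*)"\]')

def build_event(parts):
    a = PART_A.match(parts["A"][0]) if parts["A"] else None
    # Part H carries one line per rule match, tagged [id "..."] [msg "..."]
    tags = [dict(RULE_TAG.findall(l)) for l in parts.get("H", [])]
    rules = [{"id": t["id"], "msg": t.get("msg", "")} for t in tags if "id" in t]
    ts, uid, ip = a.group(1, 2, 3) if a else (None, None, None)
    request = next((l for l in parts.get("B", []) if l), "")
    return {"timestamp": ts, "unique_id": uid, "client_ip": ip,
            "request_line": request, "rules": rules}

def parse_audit_log(text):
    """Yield one event per complete (A ... Z) entry; drop truncated entries."""
    parts, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if not m:
            if current is not None:
                parts[current].append(line)
            continue
        current = m.group(2)
        if current == "A":
            parts = {"A": []}          # new entry; discards any unfinished one
        elif current == "Z":
            if "A" in parts:
                yield build_event(parts)
            parts, current = {}, None
        else:
            parts[current] = []

# Constructed sample: one complete entry, then one the WAF is still writing.
SAMPLE = r'''
---Xy12AbCd---A--
[22/Nov/2023:10:15:32 +0000] 170064813242.518021 203.0.113.7 51234 192.0.2.10 80
---Xy12AbCd---B--
GET /items?id=1%27%20OR%20%271%27=%271 HTTP/1.1
Host: shop.example
---Xy12AbCd---H--
ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"]
---Xy12AbCd---Z--
---Zz98TrUn---A--
[22/Nov/2023:10:15:40 +0000] 170064814011.000001 203.0.113.9 40000 192.0.2.10 80
'''
```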
III – Testing and Validation
Testing depends on the integration scenario:
- In managed setups, SmartSezam will handle validation
- In self-managed setups:
  - Open the real-time activity view in your SmartSezam dashboard.
  - Trigger a request that causes your WAF (e.g., ModSecurity) to log an event — for example, simulate a blocked request or an attack pattern (like an SQL injection or a malicious user-agent).
  - Verify that the event appears in the dashboard with the expected context and risk analysis.
If no event appears:
- Make sure your WAF is logging to the correct file
- Ensure the agent is running and has access to the log
- Confirm your SmartSezam instance ID and domain are correctly configured
Use tools like curl, Burp Suite, or browser dev tools to craft test requests that will trigger WAF rules.