forked from Rev3rseSecurity/wordpress-modsecurity-ruleset
04-EVENTS.conf
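# Log relevant events
#
# Opt-out switch for the authentication logging rules between
# BEGIN_WPRS_LOG_AUTH and END_WPRS_LOG_AUTH: when tx.wprs_log_authentications
# is 0, jump straight to END_WPRS_LOG_AUTH so nothing is logged.
#
# skipAfter only skips rules that belong to the phase the skipping rule runs
# in. Every logging rule between the two markers runs in phase 3, so this rule
# has to run in phase 3 as well. With phase:1 it skipped nothing, and login,
# logout and failed-login events were still logged with the switch set to 0.
# TX variables set in an earlier phase remain readable here.
SecRule tx:wprs_log_authentications "@eq 0" "phase:3,id:22110001,nolog,pass,\
skipAfter:END_WPRS_LOG_AUTH"
SecMarker BEGIN_WPRS_LOG_AUTH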
# Successful login (id 22110011, phase 3, non-blocking: the chain starter uses
# "pass"). One event with severity 6 (INFO) is logged when all of these hold:
#   - the response carries more than one Set-Cookie header
#   - the Location response header contains "admin" (after lowercasing)
#   - the request method is POST
#   - the request path starts with /wp-login.php
# The submitted username (POST field "log") is written to logdata.
#
# NOTE(review): the path pattern is anchored at the web root, so a WordPress
# installed in a subdirectory would presumably not match - confirm against the
# deployment.
# NOTE(review): a successful login whose redirect target does not contain
# "admin" (for example a custom redirect_to) would go unlogged; treat this as
# a possible detection gap and verify.
# NOTE(review): the logged username is client-supplied. Treat logdata as
# untrusted when parsing the audit log or forwarding it to a SIEM.
SecRule &RESPONSE_HEADERS:Set-Cookie "@gt 1" "phase:3,id:22110011,nolog,chain,pass"
SecRule RESPONSE_HEADERS:Location "@rx .*admin.*" "id:22110011,t:lowercase,nolog,chain"
SecRule REQUEST_METHOD "^POST$" "id:22110011,t:uppercase,nolog,chain"
SecRule REQUEST_FILENAME "^/wp\-login\.php" "id:22110011,t:lowercase,\
log,\
rev:'1',\
severity:'6',\
maturity:'9',\
accuracy:'9',\
ver:'%{tx.wprs_version}',\
tag:'wordpress',\
tag:'login',\
logdata:'Username: %{ARGS_POST:log}',\
msg:'WordPress: User logged in'"
# Logout (id 22110013, phase 3, non-blocking: the chain starter uses "pass").
# Traffic pattern this chain is written for:
# - request:  /wp-login.php?action=logout
# - response: 302 Found
# - response header Location: wp-login.php?loggedout=true
#
# One event with severity 6 (INFO) is logged when all of these hold:
#   - the response status is 302
#   - the Location response header contains wp-login.php?loggedout=true
#   - the "action" argument is exactly "logout" (after lowercasing)
#   - the request path starts with /wp-login.php
# No username is recorded for this event; the chain has no logdata action.
#
# NOTE(review): the path pattern is anchored at the web root, so a WordPress
# installed in a subdirectory would presumably not match - confirm against the
# deployment.
SecRule RESPONSE_STATUS "@eq 302" "phase:3,id:22110013,nolog,chain,pass"
SecRule RESPONSE_HEADERS:Location "@rx wp\-login\.php\?loggedout\=true" "id:22110013,t:lowercase,nolog,chain"
SecRule ARGS:action "^logout$" "id:22110013,t:lowercase,nolog,chain"
SecRule REQUEST_FILENAME "^/wp\-login\.php" "id:22110013,t:lowercase,\
log,\
rev:'1',\
severity:'6',\
maturity:'9',\
accuracy:'9',\
ver:'%{tx.wprs_version}',\
tag:'wordpress',\
tag:'logout',\
msg:'WordPress: User logged out'"
# Failed login (id 22110014, phase 3, non-blocking: the chain starter uses
# "pass"). One event with severity 6 (INFO), tagged 'login' and 'failed', is
# logged when all of these hold:
#   - the response carries exactly one Set-Cookie header
#   - the response has no Location header (no redirect)
#   - the request method is POST
#   - the POST body contains both a "log" and a "pwd" parameter
#   - the request path starts with /wp-login.php
# The submitted username (POST field "log") is written to logdata. The "pwd"
# value is only counted and never logged.
#
# NOTE(review): the match depends on the exact number of Set-Cookie headers.
# A plugin or proxy that adds another cookie to the login page would
# presumably make failed logins go unlogged - verify on the target site.
# NOTE(review): users sometimes type a password into the username field, and
# the username is logged as submitted. Restrict access to the audit log
# accordingly and treat logdata as untrusted input downstream.
# NOTE(review): every chain in this file matches only /wp-login.php, so
# authentication attempts through other endpoints (e.g. xmlrpc.php) are not
# recorded here.
SecRule &RESPONSE_HEADERS:Set-Cookie "@eq 1" "phase:3,id:22110014,nolog,chain,pass"
SecRule &RESPONSE_HEADERS:Location "@eq 0" "id:22110014,nolog,chain"
SecRule REQUEST_METHOD "^POST$" "id:22110014,t:uppercase,nolog,chain"
SecRule &ARGS_POST_NAMES:log "@ge 1" "id:22110014,t:lowercase,nolog,chain"
SecRule &ARGS_POST_NAMES:pwd "@ge 1" "id:22110014,t:lowercase,nolog,chain"
SecRule REQUEST_FILENAME "^/wp\-login\.php" "id:22110014,t:lowercase,\
log,\
rev:'1',\
severity:'6',\
maturity:'9',\
accuracy:'9',\
ver:'%{tx.wprs_version}',\
tag:'wordpress',\
tag:'login',\
tag:'failed',\
logdata:'Login failed with username: %{ARGS_POST:log}',\
msg:'WordPress: Login failed'"
# Target of the skipAfter in rule 22110001; closes the authentication logging
# section.
SecMarker END_WPRS_LOG_AUTH