Background
In modern web environments, real-time visibility and automated responses are essential to maintaining secure operations. While many Web Application Firewalls (WAF) provide powerful protection, some advanced features—such as database access or real-time alert integrations—require extra configuration or external tools.
In this case study, we’ll walk through how to automate the operational pipeline for SafeLine WAF, including:
- Mapping PostgreSQL port access to extract real-time attack logs
- Writing a shell script to monitor the database for new events
- Converting WAF logs into syslog format
- Triggering alert notifications via DingTalk or other messengers
- Enabling full automation via systemd service on Linux
This guide is ideal for engineers seeking to enhance their detection and alerting capabilities without relying on paid platforms or third-party logging tools.
Step 1: Map SafeLine's PostgreSQL Port
```bash
#!/bin/bash
# Run the vendor upgrade script (-k skips TLS verification of the download host;
# drop it if this machine trusts the vendor's certificate chain)
bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/upgrade.sh)"
cd /data/safeline || { echo "/data/safeline not found!"; exit 1; }
# Back up compose.yaml
if [ -f compose.yaml ]; then
    echo "Backing up the current compose.yaml"
    cp compose.yaml compose.yaml.bak
else
    echo "compose.yaml not found in /data/safeline!"
    exit 1
fi
# Check and append the port mapping under the safeline-pg service.
# Bind to 127.0.0.1 so the database is reachable only from this host; the
# indentation must match the service block in compose.yaml (4/6 spaces here).
if grep -q "5433:5432" compose.yaml; then
    echo "PostgreSQL port mapping already exists."
else
    sed -i '/container_name: safeline-pg/a\    ports:\n      - 127.0.0.1:5433:5432' compose.yaml
    echo "Port 5433 mapped to 5432."
fi
# Validate the edited file before restarting; restore the backup if it is broken
docker compose config -q || { echo "compose.yaml invalid, restoring backup"; cp compose.yaml.bak compose.yaml; exit 1; }
# Restart containers
docker compose down --remove-orphans && docker compose up -d
echo "Containers restarted with updated port config."
```
This script ensures the PostgreSQL port is exposed every time SafeLine is updated.
Step 2: Extract Alert Logs from the WAF
- Retrieve the DB password from SafeLine's environment file (cut -f 2- keeps the whole value even if it contains "="):

```bash
grep '^POSTGRES_PASSWORD=' /data/safeline/.env | tail -n 1 | cut -d '=' -f 2-
```

- Add the credentials to /var/scripts/.pgpass (format: hostname:port:database:username:password) and restrict its permissions so only the owner can read it:

```
localhost:5433:safeline-ce:safeline-ce:your_db_password_here
```

```bash
chmod 600 /var/scripts/.pgpass
```
- Create a log extraction script (/var/scripts/waf_log.sh):

```bash
#!/bin/bash
# Poll SafeLine's PostgreSQL for new detection events and append them to a
# syslog-style alert log. Credentials are read from the .pgpass file below.
export PGPASSFILE=/var/scripts/.pgpass
PG_HOST="localhost"
PORT="5433"
DATABASE="safeline-ce"
USERNAME="safeline-ce"
HOSTNAME=$(hostname)
PROGRAM_NAME="safeline-ce"
ALERT_LOG="/var/log/waf_alert/waf_alert.log"
mkdir -p "$(dirname "$ALERT_LOG")"

# Tuples only (-t), unaligned output (-A) and '|' as field separator (-F), so
# fields come back without padding and can be split on '|'
run_sql() {
    psql -h "$PG_HOST" -p "$PORT" -U "$USERNAME" -d "$DATABASE" -t -A -F '|' -c "$1"
}

# Start from the newest existing event so old history is not replayed
LAST_ID=$(run_sql "SELECT COALESCE(MAX(id), 0) FROM PUBLIC.MGT_DETECT_LOG_BASIC")
LAST_ID=${LAST_ID:-0}

while true; do
    raw_log=$(run_sql "SELECT TO_CHAR(to_timestamp(timestamp) AT TIME ZONE 'Asia/Shanghai', 'YYYY-MM-DD HH24:MI:SS'), CONCAT(PROVINCE, CITY), SRC_IP, CONCAT(HOST, ':', DST_PORT), url_path, rule_id, id FROM PUBLIC.MGT_DETECT_LOG_BASIC WHERE id > $LAST_ID ORDER BY id ASC LIMIT 1")
    if [ -n "$raw_log" ]; then
        IFS='|' read -r ALERT_TIME SRC_CITY SRC_IP DST_HOST URL RULE_ID EVENT_ID <<< "$raw_log"
        echo "$ALERT_TIME $HOSTNAME $PROGRAM_NAME: src_city:$SRC_CITY, src_ip:$SRC_IP, dst_host:$DST_HOST, url:$URL, rule_id:$RULE_ID, log_id:$EVENT_ID" >> "$ALERT_LOG"
        # Advance to the id just written: ids are not guaranteed to be contiguous,
        # so LAST_ID+1 could re-read the same row
        LAST_ID=$EVENT_ID
    else
        # Nothing new; wait before polling again (a backlog is drained without sleeping)
        sleep 3
    fi
done
```
Install the PostgreSQL client first:

```bash
apt install postgresql-client
```

Run it in the background:

```bash
nohup /var/scripts/waf_log.sh > /dev/null 2>&1 &
```
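The formatting and id-tracking logic of the extraction script, as an added stand-alone example (not code from the original post): it replaces the live psql query with two constructed rows in `psql -A -t -F '|'` layout so it runs offline, builds the same syslog-style line the script writes, and advances the last-seen id to the id actually processed, which stays correct when ids are not contiguous. The host name `waf-host` and every row value are constructed.

```shell
#!/bin/bash
# Added example, not from the original post: format SafeLine detection rows into the
# syslog-style record the pipeline writes, and track the last processed id.

# Constructed sample rows in `psql -A -t -F '|'` layout (no header, no footer, no padding):
# time|src_city|src_ip|dst_host|url|rule_id|id
SAMPLE_ROWS='2024-10-12 10:21:03|ShanghaiShanghai|203.0.113.7|app.example.com:443|/login|10001|4102
2024-10-12 10:21:09|BeijingBeijing|198.51.100.9|app.example.com:443|/admin|10002|4105'

# format_alert HOSTNAME PROGRAM ROW -> prints one syslog-style line
format_alert() {
    host="$1"; prog="$2"; row="$3"
    # Split ROW on '|' only; spaces inside fields (the timestamp) must survive
    old_ifs="$IFS"; IFS='|'
    set -f; set -- $row; set +f
    IFS="$old_ifs"
    printf '%s %s %s: src_city:%s, src_ip:%s, dst_host:%s, url:%s, rule_id:%s, log_id:%s\n' \
        "$1" "$host" "$prog" "$2" "$3" "$4" "$5" "$6" "$7"
}

# process_rows LAST_ID ROWS -> prints the formatted line for every row with id > LAST_ID
# (in order) and then the new last id on the final line. Ids need not be contiguous:
# the cursor jumps to the id actually processed instead of being incremented by one.
process_rows() {
    last_id="$1"; rows="$2"
    while IFS= read -r row; do
        if [ -n "$row" ]; then
            event_id="${row##*|}"          # id is the last field
            if [ "$event_id" -gt "$last_id" ]; then
                format_alert "waf-host" "safeline-ce" "$row"
                last_id="$event_id"
            fi
        fi
    done <<EOF
$rows
EOF
    echo "$last_id"
}

# Stand-alone run: everything newer than id 4100 is emitted, then the new cursor
process_rows 4100 "$SAMPLE_ROWS"
```

Run with `bash`; the last line printed is the cursor value a poller would store and use in its next `WHERE id > ...` query.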
Step 3: Monitor Log Changes in Real-Time
Install inotify-tools:

```bash
apt update
apt install inotify-tools
```

Create a monitor script (/var/scripts/monitor.sh):

```bash
#!/bin/bash
# Watch the alert log and run the push command each time data is written to it
LOG_FILE="/var/log/waf_alert/waf_alert.log"
COMMAND_TO_EXECUTE="/var/scripts/Log_Push_linux_amd64"
# inotifywait exits immediately if the watched file does not exist yet
mkdir -p "$(dirname "$LOG_FILE")"
touch "$LOG_FILE"
# When a single file is watched, inotifywait reports the path in the first field
# and leaves the file field empty
inotifywait -m -e modify "$LOG_FILE" | while read -r path action file; do
    echo "Detected $action on $path$file. Executing command..."
    "$COMMAND_TO_EXECUTE"
done
```
Run this script in the background or set it up to auto-start.
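An incremental reader for the alert log, added here as an example (it is not part of the original post or of the push tool): the monitor above runs the push command on every modify event, but nothing tells that command which lines are new. This version keeps a byte offset in a state file, forwards only the lines appended since the previous call, and restarts from zero when the log has been truncated or rotated. The `push_line` function stands in for the real DingTalk binary, and the file paths are temporary, constructed ones.

```shell
#!/bin/bash
# Added example, not from the original post: forward only newly appended alert-log
# lines to the push step. Paths and the push stand-in are constructed for the demo.

# emit_new_lines LOG STATE
#   Prints the lines appended to LOG since the byte offset saved in STATE, then
#   stores the new offset. If LOG shrank (truncated or rotated), reading restarts at 0.
emit_new_lines() {
    log="$1"; state="$2"
    offset=0
    if [ -f "$state" ]; then
        offset=$(cat "$state")
    fi
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -lt "$offset" ]; then
        offset=0
    fi
    # tail -c +N starts at byte N (1-based), so this skips the first $offset bytes
    tail -c +"$((offset + 1))" "$log"
    printf '%s\n' "$size" > "$state"
}

# push_line LINE: stand-in for the DingTalk push binary. A real deployment would call
# /var/scripts/Log_Push_linux_amd64 (or post to a webhook) here instead of echoing.
push_line() {
    printf 'PUSH: %s\n' "$1"
}

# push_new LOG STATE: run the push step once per new line; prints the number pushed
push_new() {
    n=0
    while IFS= read -r line; do
        if [ -n "$line" ]; then
            push_line "$line" >/dev/null
            n=$((n + 1))
        fi
    done <<EOF
$(emit_new_lines "$1" "$2")
EOF
    echo "$n"
}

# demo: three rounds against a temporary log (constructed lines), printing the
# number of lines pushed in each round: 1 line, then 2 new lines, then 1 line
# after the log has been truncated the way logrotate would.
demo() {
    tmp=$(mktemp -d)
    dlog="$tmp/waf_alert.log"; dstate="$tmp/offset"
    : > "$dlog"
    printf '%s\n' "2024-10-12 10:21:03 waf-host safeline-ce: src_ip:203.0.113.7, log_id:4102" >> "$dlog"
    c1=$(push_new "$dlog" "$dstate")
    printf '%s\n' "2024-10-12 10:21:09 waf-host safeline-ce: src_ip:198.51.100.9, log_id:4105" \
                  "2024-10-12 10:21:11 waf-host safeline-ce: src_ip:198.51.100.9, log_id:4106" >> "$dlog"
    c2=$(push_new "$dlog" "$dstate")
    : > "$dlog"    # simulate truncation by log rotation
    printf '%s\n' "2024-10-12 10:25:00 waf-host safeline-ce: src_ip:203.0.113.7, log_id:4107" >> "$dlog"
    c3=$(push_new "$dlog" "$dstate")
    rm -rf "$tmp"
    echo "$c1 $c2 $c3"
}

demo
```

In the real monitor, `push_new /var/log/waf_alert/waf_alert.log /var/scripts/.waf_alert.offset` would replace the bare `$COMMAND_TO_EXECUTE` call, with `push_line` invoking the push binary; the offset file means a burst of modify events cannot re-send lines that were already delivered.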
Step 4: Push Notifications via DingTalk
Use a custom Go app to send messages to DingTalk. (Source code to be shared in a future update.)
Step 5: Enable Auto Start with systemd
Both scripts run forever, so each needs its own unit. Starting the monitor from ExecStartPost of the extraction unit would not work: systemd waits for ExecStartPost commands to finish before it considers the service started, and a command that never exits makes the start time out.

Create the first service file, /etc/systemd/system/waf_log.service:

```ini
[Unit]
Description=SafeLine WAF alert extraction
After=network.target docker.service

[Service]
Type=simple
ExecStart=/bin/bash /var/scripts/waf_log.sh
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Then the monitor, /etc/systemd/system/waf_monitor.service, which pulls in the extraction unit:

```ini
[Unit]
Description=WAF Log Monitor Service
Requires=waf_log.service
After=waf_log.service

[Service]
Type=simple
ExecStart=/bin/bash /var/scripts/monitor.sh
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Reload and start the services:

```bash
systemctl daemon-reload
systemctl enable waf_log.service waf_monitor.service
systemctl start waf_log.service waf_monitor.service
```
Now, SafeLine WAF is running with automated alert extraction, log monitoring, and real-time alerting.
⚠️ Disclaimer: This tutorial is for educational purposes only. Do not use it for illegal activities. Make sure all actions comply with your local laws. You are solely responsible for any consequences of your operations.
Original Article: https://blog.csdn.net/weixin_61024818/article/details/142852991?sharetype=blogdetail&sharerId=142852991&sharerefer=PC&sharesource=weixin_61024818&spm=1011.2480.3001.8118
Top comments (1)
I used SafeLine WAF to automate web security by setting up real-time threat detection alerts and blocking rules, making protection faster and hands-free.