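#!/usr/bin/perl
# Author: Peter R. Wood, http://prwdot.org/
#
# Summarise a mod_security audit log: count how often each
# "mod_security-message" value occurs and print the counts, most frequent
# first. Everything in the log that originates from the request is
# attacker-influenced, so it is treated as untrusted text throughout.

use strict;
use warnings;

{
    # Set up some configuration variables.
    # The line of "=" characters that delimits records is used as the input
    # record separator, so each read returns one whole record. "local"
    # confines the change to this block.
    local $/ = "========================================\n";

    # Path of the audit log to read; must be filled in before running.
    my $audit_log        = "";
    my %blocking_actions = ();

    die "No audit log configured: set \$audit_log in this script\n"
        if $audit_log eq "";

    # Parse the file.
    # Three-argument open with a lexical handle: the path can never be
    # interpreted as an open mode or a command, whatever it contains.
    open( my $log_fh, '<', $audit_log )
        || die "Couldn't open $audit_log: $!";

    while ( my $record = <$log_fh> ) {

        # Drop the trailing "=" separator so it is not parsed as a header.
        chomp $record;

        # The part before the dashed line is not used by this report; only
        # the part after it is parsed.
        my ( undef, $audit_data ) =
            split( /----------------------------------------\n/, $record );

        # Skip fragments that have no audit section (for example the empty
        # chunk produced when the file begins with a separator line).
        next unless defined $audit_data && length $audit_data;

        my @audit_lines = split( /\n/, $audit_data );

        # First line is the request line ("METHOD URI PROTOCOL"); it is not
        # needed for the report, so it is discarded.
        shift @audit_lines;

        my %this_audit = ();
        foreach my $audit_line (@audit_lines) {

            # Limit of 2 keeps values that themselves contain ": " intact.
            my ( $key, $value ) = split( /:\s/, $audit_line, 2 );

            # Blank lines and lines without a "key: value" shape carry
            # nothing to record.
            next unless defined $value;

            $this_audit{$key} = $value;
        }

        # NOTE(review): the lines parsed above presumably include the
        # client-supplied request headers, and a later line with the same
        # name overwrites an earlier one. Confirm where mod_security writes
        # its own message line relative to those headers before relying on
        # these counts for hostile traffic.
        my $message = $this_audit{'mod_security-message'};
        $message = '(no mod_security-message)' unless defined $message;

        $blocking_actions{$message}++;
    }
    close($log_fh);

    # Report on the data: highest count first, ties broken by message text
    # so that the output order is stable between runs.
    foreach my $action (
        sort {
            $blocking_actions{$b} <=> $blocking_actions{$a}
                || $a cmp $b
        } keys(%blocking_actions)
        )
    {
        # Log content is untrusted: neutralise control characters (ESC, CR,
        # and so on) so a crafted request cannot drive the terminal this
        # report is viewed in.
        ( my $printable = $action ) =~ s/[\x00-\x1f\x7f]/?/g;

        print "$printable: " . $blocking_actions{$action} . "\n";
    }
}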