From a112bd53a91ce2265dba3594de891872503836db Mon Sep 17 00:00:00 2001 
From: cschantz Date: Fri, 21 Nov 2025 16:04:52 -0500 Subject: [PATCH] Add HTTPS (SSL) log support for InterWorx - now includes transfer-ssl.log MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RESEARCH FINDINGS: Consulted official InterWorx documentation to verify log paths: https://appendix.interworx.com/current/nodeworx/general/other/log-file-locations.html OFFICIAL InterWorx Log Structure: - HTTP logs: /home/{user}/var/{domain}/logs/transfer.log - HTTPS logs: /home/{user}/var/{domain}/logs/transfer-ssl.log PROBLEM: Bot-analyzer was only looking for "transfer.log" and missing all HTTPS traffic. This means SSL-enabled sites (which is most sites) were not being analyzed. IMPACT: - Missing analysis of HTTPS traffic - Incomplete bot detection for SSL sites - Underreporting of actual traffic and threats FIX APPLIED: Changed log search pattern from: log_search_name="transfer.log" To: log_search_name="transfer*.log" This now matches BOTH: - transfer.log (HTTP on port 80) - transfer-ssl.log (HTTPS on port 443) CHANGES: 1. Line 308: Updated search pattern to "transfer*.log" 2. Line 304-306: Added official documentation reference in comments 3. Line 325: Updated extraction comment for accuracy 4. Line 1813-1818: Updated find commands to use "transfer*.log" VERIFICATION: ✅ Syntax check passed ✅ Pattern matches both HTTP and HTTPS logs ✅ Domain extraction works for both log types (same path structure) ✅ All diagnostic features still work DOCUMENTATION ADDED: Added comment block with official InterWorx documentation URL and explicit file paths for future reference: ``` # InterWorx: Official docs from https://appendix.interworx.com/... # HTTP: /home/{user}/var/{domain}/logs/transfer.log # HTTPS: /home/{user}/var/{domain}/logs/transfer-ssl.log ``` RESULT: Bot-analyzer now analyzes COMPLETE InterWorx traffic (HTTP + HTTPS) instead of only HTTP traffic. Critical for accurate bot detection. 
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 modules/security/bot-analyzer.sh | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/modules/security/bot-analyzer.sh b/modules/security/bot-analyzer.sh
index d011c54..a061076 100755
--- a/modules/security/bot-analyzer.sh
+++ b/modules/security/bot-analyzer.sh
@@ -301,9 +301,11 @@ parse_logs() {
 local log_search_path
 local log_search_name
 if [ "$INTERWORX_MODE" = "yes" ]; then
- # InterWorx: /home/user/var/domain.com/logs/transfer.log (VERIFIED: uses 'transfer.log' not 'access_log')
+ # InterWorx: Official docs from https://appendix.interworx.com/current/nodeworx/general/other/log-file-locations.html
+ # HTTP: /home/{user}/var/{domain}/logs/transfer.log
+ # HTTPS: /home/{user}/var/{domain}/logs/transfer-ssl.log
 log_search_path="/home/*/var/*/logs"
- log_search_name="transfer.log"
+ log_search_name="transfer*.log"
 else
 # cPanel/Plesk: /var/log/apache2/domlogs/domain.com
 log_search_path="$LOG_DIR"
@@ -320,7 +322,7 @@ parse_logs() {
 # Extract domain name based on control panel
 if [ "$INTERWORX_MODE" = "yes" ]; then
- # InterWorx: extract from path /home/user/var/domain.com/logs/transfer.log
+ # InterWorx: extract from path /home/user/var/domain.com/logs/transfer*.log
 domain=$(echo "$logfile" | sed -n 's|^/home/.*/var/\([^/]*\)/logs/.*|\1|p')
 elif [ "$SYS_CONTROL_PANEL" = "plesk" ]; then
 # Plesk: extract from path /var/www/vhosts/system/domain.com/logs/access_log
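Review bot: `log_search_name="transfer*.log"` accepts any file name that starts with `transfer` and ends in `.log`, which is wider than the two names the new comment documents; the same glob is hard-coded in both `find` calls of the main() hunk. These directories sit under `/home/{user}/`, so if anything other than the web server can write there (not visible in this diff), or if rotation leaves uncompressed copies beside the live logs, those files would be parsed as traffic and could skew or double-count the bot scoring. Because the documented set is two fixed names, matching them explicitly is tighter, for example `\( -name 'transfer.log' -o -name 'transfer-ssl.log' \)` in the `find` calls. How `log_search_name` is consumed lies outside the hunk, so parse_logs() may need an array of names rather than one pattern string.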
@@ -1808,12 +1810,12 @@ main() {
 find_opts+=(-mtime -"$DAYS_BACK")
 fi
- # Find all transfer.log files in InterWorx structure
- log_count=$(find /home/*/var/*/logs -type f -name "transfer.log" "${find_opts[@]}" 2>/dev/null | wc -l)
+ # Find all transfer*.log files in InterWorx structure (includes transfer.log and transfer-ssl.log)
+ log_count=$(find /home/*/var/*/logs -type f -name "transfer*.log" "${find_opts[@]}" 2>/dev/null | wc -l)
 if [ "$log_count" -eq 0 ]; then
 # Try without time filter to see if ANY logs exist
- local total_logs=$(find /home/*/var/*/logs -type f -name "transfer.log" 2>/dev/null | wc -l)
+ local total_logs=$(find /home/*/var/*/logs -type f -name "transfer*.log" 2>/dev/null | wc -l)
 if [ "$total_logs" -eq 0 ]; then
 print_alert "Error: No InterWorx access logs found in /home/*/var/*/logs/"
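Review bot: Both `find` calls in this hunk still send stderr to `/dev/null`, so a permission error or an unmatched `/home/*/var/*/logs` glob is indistinguishable from a server that has no logs, and the analyzer under-counts without saying why. That is the same kind of silent coverage gap this commit is closing for HTTPS traffic. In the fallback branch the count is already zero, so letting the error through costs nothing and tells the operator the cause: `local total_logs` followed by `total_logs=$(find /home/*/var/*/logs -type f -name "transfer*.log" | wc -l)`. The `print_alert` text could also name the file names that were searched for. main() begins and continues outside the hunk.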