From 91a53379e8c9cf789cf6d532378ca2113dc46e7c Mon Sep 17 00:00:00 2001 From: bitsofinfo Date: Wed, 6 Nov 2013 16:20:25 -0700 Subject: [PATCH] modsecurity recipe --- index.md | 6 +++- recipes/modsecurity-audit-logs/index.md | 37 +++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 recipes/modsecurity-audit-logs/index.md diff --git a/index.md b/index.md index c9cde9b..01216f0 100644 --- a/index.md +++ b/index.md @@ -62,7 +62,7 @@ Remove the color codes from Linux logs Config snippets collected and provided by users ## [Puppet modules](recipes/puppet-modules/) - + Different puppet modules for Logstash and other software ## [Chef cookbooks](recipes/chef-cookbook/) @@ -90,6 +90,10 @@ Sample configuration for parsing syslog messages from a Cisco ASA firewall An introductory LogStash book. +## [ModSecurity audit logs](recipes/modsecurity-audit-logs/) + +Need to ingest ModSecurity audit logs? Logstash can do that. + ### Contribute! This cookbook is for and by the logstash community. You can help! Click the diff --git a/recipes/modsecurity-audit-logs/index.md b/recipes/modsecurity-audit-logs/index.md new file mode 100644 index 0000000..bfa88dc --- /dev/null +++ b/recipes/modsecurity-audit-logs/index.md 
@@ -0,0 +1,37 @@ +--- +layout: article +title: Ingesting ModSecurity audit logs +tags: modsecurity security apache +--- + +* Goal: Create an event for each entry in a ModSecurity audit log +* Audience: Anyone who needs to make sense of ModSecurity audit logs + +# Overview + +ModSecurity is a great tool that many folks use to secure applications and it can +log quite a bit of information that is can useful for forensic analysis of an attack or +other security related investigation. The unique thing about [ModSecurity's audit log file format](https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats) +is that it can be quite complex. If you are reading this then you likely are already familiar +with this format, but just in case, [here is an example of an audit log](http://www.atomicorp.com/wiki/index.php/Modsecurity_audit_log). + +The biggest challenge with ingesting "entries" from a ModSecurity audit log file is first off +it spans multiple lines, secondly each entry can have a varying number of "parts" and third that +each "part" itself can have a varying number of sub-parts. To parse this file format this please refer +to the links below which provides a working Logstash configuration file that takes advantage +of various logstash filters such as multiline, custom ruby code blocks, geoip and grok etc. to take a raw audit log entry +and convert it into a first class Logstash "event" with all the important stuff promoted to first class +fields with typing when appropriate. [This configuration file](https://github.com/bitsofinfo/logstash-modsecurity) has been used +to import tens of thousands of audit log entries daily and hopefully will serve as a good starting +point for anyone who has to deal with this complex log format. 
+ +This has been tested on Logstash v1.2.1 and v1.2.2 + +# Config file + +* [Logstash ModSecurity audit log format sample config file](https://github.com/bitsofinfo/logstash-modsecurity) + +# Related information + +* [Sample Logstash event as JSON, after running through this configuration](http://bitsofinfo.wordpress.com/2013/09/19/logstash-for-modsecurity-audit-logs/) +* [ModSecurity audit log file format info](https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats) \ No newline at end of file
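Review bot: The first index.md hunk (`@@ -62,7 +62,7 @@`, the `-`/`+` pair on the blank line under `## [Puppet modules](recipes/puppet-modules/)`) is a whitespace-only change unrelated to the ModSecurity recipe; drop it from this patch or commit it separately so the diff reviews cleanly and `git blame` on index.md stays meaningful.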
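Review bot: The new `## [ModSecurity audit logs](recipes/modsecurity-audit-logs/)` entry in the second index.md hunk (`@@ -90,6 +90,10 @@`) is inserted after `An introductory LogStash book.` rather than next to the other parsing recipes, such as the Cisco ASA syslog configuration listed just above it in the same file; move it up beside the related config recipes so the index stays grouped by kind, and consider a description in the style of its neighbours (`Sample configuration for parsing ...`) instead of the question-and-answer line `Need to ingest ModSecurity audit logs? Logstash can do that.`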
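Review bot: The new recipes/modsecurity-audit-logs/index.md carries no configuration of its own: the `# Config file` section is a single link to https://github.com/bitsofinfo/logstash-modsecurity, so the recipe stops working the moment that repository moves or changes, and the statement `This has been tested on Logstash v1.2.1 and v1.2.2` is unverifiable against an unpinned default branch. Either inline the filter pipeline the text describes (multiline, ruby, grok, geoip) in the page, as the other cookbook recipes do, or link to a tagged commit that matches the tested versions. The page should also say what the configuration does with an entry whose parts or sub-parts do not match the expected layout (tag the event and keep the raw message rather than lose it), since audit log entries record attacker-controlled requests and the malformed ones are exactly the ones worth keeping for the forensic analysis the Overview mentions. Smaller points in the `+` lines: `is can useful` should read `can be useful`, `To parse this file format this please refer` has a stray `this`, `the links below which provides` should be `provide`, and the file needs a trailing newline (`\ No newline at end of file`).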