
ModSecurity not reading forwarded events?

ilasa01
Explorer

Hello,
My Splunk deployment includes a Linux server where ModSecurity 2.7.2 logs events in /opt/modsecurity/var/log/audit.log. This server sends data to another Splunk server via syslog and forwarding. This works for standard Linux events but seems not to work for ModSecurity.

The way I configured the ModSecurity Splunk Server application is:

Data Input: /opt/modsecurity/var/log/audit.log
Set host: constant value
Host field value: modsecurity_server.domain.com
Set source type: manual
Source Type: Linux_Mod_Security
Set the destination index: mod_security (this index was created in the modsecurity server)

Search Macros

modsec_index index="mod_security" (please note that a _ is missing from the original text)
modsec_src sourcetype="modsec_audit"

The Main Splunk server, which receives events from the remote forwarding shows the following Deployment Monitor error:

Sourcetype            Status    MB received   MB received today
Linux_Maillog         active    1.2           0.72
linux_audit           active    2.4           1.7
Linux_Mod_Security    missing   0.01

What is wrong? Is the mod_security source type missing on the server where the logs are forwarded to?

I would appreciate any help.

Thanks.

Regards

Salvo


martin_splunk
New Member

Hi Salvo

It's correct, Splunk for ModSecurity has only been tested with flat files. I use this in a large enterprise environment and it works great.

I will check if it is possible to index events from ModSec mlogc in a future version of Splunk for ModSecurity.


ilasa01
Explorer

Thanks Martin. I switched to the ModSecurity flat file and I now see the events collected.

Salvo


ilasa01
Explorer

It has apparently no effect.
I have performed different troubleshooting on Splunk 6 but it still doesn't show any ModSecurity events.

Details of how it's configured:

1) ModSecurity
It uses the collector "mlogc" configured with the following tokens:
LogStorageDir "/var/modsecurity/var/audit"
The collector works and it created events in directory chunks as expected. Each directory has a ModSecurity raw file.

2) Access Rights
Access rights to /var/modsecurity/var/audit are apache.apache. Apache is the web server process owner. The splunk user owns the Splunk daemon and is part of the apache group. Only /opt/modsecurity/var/audit is owned by the apache group; /opt/modsecurity/var is owned by the root group. So, if splunk needs access to traverse the entire path, then this might be a problem.

3) Splunk ModSecurity

The /usr/local/splunk/etc/apps/modsecurity/local/macros.conf includes:

[modsec_src]
disabled = 0
definition = sourcetype="Linux_Mod_Security"

The /usr/local/splunk/etc/apps/modsecurity/default/macros.conf includes:

[modsec_index]
definition = index="modsecurity"
iseval = 0

[modsec_src]
;definition = sourcetype="modsec_audit"
definition = sourcetype="Linux_Mod_Security"
iseval = 0

The Splunk index directory /usr/local/splunk/var/lib/splunk/modsecurity shows the correct structure, but I see no index data and it's empty.

Splunk ModSecurity was installed via the Splunk applications installer, together with "aamap", "MAXMIND", "sideviewutils", "GoogleMaps".

4) Splunk server

The indexes list confirms the "modsecurity" index is empty, with "0" events collected:

Data Input /var/modsecurity/var/audit shows:

Set Host -----> Constant Value
Host Field Value -----> The Splunk server server.domain.com
Set the source type -----> Manual
Source Type -----> Linux_Mod_Security
index -----> modsecurity

Deployment Monitor

It doesn't show any errors in the SourceType warnings.

Am I missing something? Is it possible that either Splunk or Splunk ModSecurity is not able to index events created by the ModSecurity mlogc collector and expects a single flat file instead (not recommended in a production environment)?

Thanks. Any assistance will be appreciated.
Salvo


martin_splunk
New Member

Hi

You need to update macros.conf so it's consistent with the name of your sourcetype.

modsec_src sourcetype="Linux_Mod_Security"

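An added example, not part of this thread or of the Splunk for ModSecurity app: a small Python checker that layers default/local macros.conf the way Splunk does (local overrides default), pulls the sourcetype and index literals out of the `modsec_src` and `modsec_index` definitions, and compares them with the monitor stanza in inputs.conf. The config text is constructed from the values posted above; treating `;` lines as comments is the checker's assumption, not a statement about Splunk's parser.

```python
import configparser
import re
# Constructed from this thread: the app's default macros.conf searches sourcetype
# "modsec_audit", but the input was created as "Linux_Mod_Security", so nothing matches.
DEFAULT_MACROS = """[modsec_index]
definition = index="modsecurity"
iseval = 0
[modsec_src]
definition = sourcetype="modsec_audit"
iseval = 0
"""
# The local layer that fixes it; in Splunk, local/ overrides default/.
LOCAL_MACROS = """[modsec_src]
disabled = 0
definition = sourcetype="Linux_Mod_Security"
"""
# Constructed monitor stanza equivalent to the data input described above.
INPUTS_CONF = """[monitor:///var/modsecurity/var/audit]
host = server.domain.com
sourcetype = Linux_Mod_Security
index = modsecurity
"""

def load_conf(text):
    # Splunk-style stanzas; `;`/`#` lines are treated as comments (assumption).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def merge_layers(default, local):
    # Apply local/ over default/ the way Splunk layers app configuration.
    merged = {s: dict(kv) for s, kv in default.items()}
    for s, kv in local.items():
        merged.setdefault(s, {}).update(kv)
    return merged

FIELD_RE = re.compile(r'(?P<key>sourcetype|index)\s*=\s*"?(?P<val>[^"\s]+)"?')
def macro_value(macros, name, key):
    # The sourcetype/index literal that a search macro's definition filters on.
    m = FIELD_RE.search(macros.get(name, {}).get("definition", ""))
    return m.group("val") if m and m.group("key") == key else None

def check_consistency(inputs, macros):
    # Report every input stanza whose sourcetype/index the app's macros would not find.
    problems = []
    for stanza, kv in inputs.items():
        for key, macro in (("sourcetype", "modsec_src"), ("index", "modsec_index")):
            want, have = macro_value(macros, macro, key), kv.get(key)
            if want != have:
                problems.append(f"{stanza}: {key}={have!r} but `{macro}` searches {want!r}")
    return problems
```

With only the default layer the checker reports the sourcetype mismatch; once the local override is merged in, it reports nothing.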

juniorbsd
Engager

Hi,
I'm also facing the same issue: the "modsec_audit" sourcetype does not appear to be selectable while setting up a "new data input", nor in the "configure receiving" option on the target forward server; when I set this source type manually it accepts the configuration.
But I keep receiving garbage like: "\x00\x13__s2s_capabilities\x00\x00\x00\x00\x14ack=0;compression=0\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00"
I also changed the tcp:12345 to splunktcp:12345 but no success till now.

Any help would be much appreciated.

Thanks

J.
