Hi,
I've made a new installation of Splunk with the modsecurity app. The "modsec_audit" sourcetype does not appear to be selected while setting up a "new data input", nor in the "configure receiving" option on the target forward-server; when I set this source type manually, it accepts the configuration.
But I keep receiving garbage like: "--splunk-cooked-mode-v3--__s2s_capabilitiesx00x00x00x00x14ack=0;compression=0x00x00x00x00x00x00x00x00x5_rawx00"
I also changed the tcp:12345 to splunktcp:12345, but no success until now.
Any help would be appreciated.
Thanks
J.
Hi
You need to update the macros conf so it's consistent with the name of your sourcetype.