
ModSecurity not reading logs correctly - question + answer

steve
Path Finder

I did not see an existing answer to the problem of the ModSecurity app not reading logs correctly. If ModSecurity (the Apache module) is configured to log concurrently instead of serially, the app will see the log file as a single line.

ModSecurity reference for the SecAuditLogType directive


steve
Path Finder

I was able to get concurrent mode working as well, although I managed to do it without the Audit Console. I am using a universal forwarder on each ModSecurity server and Splunk's batch input method to continually read out of the top level log directory. This is nice as there are fewer moving parts and I no longer have to keep up with Audit Console releases or configurations.

I also have the issue of an exploding source list. If there is a way to clean those up or force the same source on all of them, please reply! 😉


macdock
New Member

You need to go into the inputs and change the source type to manual and type in modsec_audit. That stopped all the thousands of source types for me.


steve
Path Finder

Looks like the source setting may be able to do this in inputs.conf, though it is recommended not to change it in the documentation.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf

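An added example, not posted by anyone in this thread, of what the setup steve and macdock describe looks like in configuration: ModSecurity in concurrent mode writing one file per transaction, and a universal forwarder batch input that pins a single sourcetype and source on every file so the Sources list stops exploding. The storage directory, app name and index name are assumptions.

```ini
# --- ModSecurity side (e.g. modsecurity.conf), shown here as comments ---
# SecAuditLogType Concurrent
# SecAuditLogStorageDir /var/log/modsec_audit
# In concurrent mode every transaction lands in its own file under
# /var/log/modsec_audit/<date>/<date-time>/, so without an override each
# file is indexed as a separate source.

# --- Universal forwarder side: $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf ---
# (paths, app name and index are assumed; adjust to your deployment)
[batch:///var/log/modsec_audit]
# batch inputs require sinkhole: each file is deleted once it has been indexed
move_policy = sinkhole
recursive = true
# one sourcetype for all per-transaction files
sourcetype = modsec_audit
# one fixed source value instead of thousands of per-transaction file paths
source = modsec_audit
index = modsec
```

Because sinkhole removes files after indexing, keep a separate copy (for example via mlogc, as amschroeder does) if the raw audit files must be retained; a monitor stanza with the same sourcetype and source settings is the alternative if deletion is not acceptable.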

amschroeder
Engager

Concurrent mode works just fine for me; however, my list of 'source' files is exploding. Under Search Summary -> Sources, each file (e.g. each alert) shows up as a different source.

Beyond that, it's not too bad. I actually have mlogc sending logs to an Audit Console server AND splunk indexing the data directory (where the concurrent logs are stored).

Just for reference, I'm using Splunk 4.3.3 and ModSecurity-App 1.3. No special configuration settings, beyond the changes to the field aliases 'modsec_audt : FIELDALIAS-realip' (mentioned in the documentation to support non-load-balanced servers).


jrn77074
Engager

I have my modsec installations using serial mode, and am using the universal forwarder to feed the audit.log to Splunk. The source appears in the Splunk search but the ModSecurity app sees nothing. Yes, I have updated the source_type. What now?

martin_splunk
New Member

True, you need to use "Serial" mode in ModSecurity for now.
