Modsecurity

asmar
New Member

I've added modsec_audit into my rsyslog server but splunk doesn't parse the file at all.
All other log files are parsing fine.

What is the procedure to load the content of that file properly into splunk?

I've installed & configured modsecurity, created its log file (modsec_audit) and double checked that it is working fine (it writes ok into the log). Then I've added the file to my rsyslog.conf like:

    *.* -/var/log/modsec_audit

and also got:

    *.* @my-splunk-server-ip

but the modsec_audit log is not coming into the splunk server.

Any help is much appreciated.

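An added example, not from this thread or from ModSecurity/Splunk: ModSecurity's serial audit log writes one multi-line record per transaction, delimited by "--<id>-A--" through "--<id>-Z--" markers, so a line-at-a-time transport such as syslog leaves Splunk with fragments rather than events. The script below assumes that format (SecAuditLogType Serial) and a constructed two-transaction sample; it regroups the lines into one flat event per transaction, which is the unit you would want indexed and searchable.

```python
import re

# Assumed format: ModSecurity 2.x serial audit log, one transaction per "--<id>-A--" ... "--<id>-Z--" run.
SECTION_RE = re.compile(r"^--([0-9A-Za-z@-]+)-([A-Z])--$")
A_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<txid>\S+) (?P<src>\S+) \d+ (?P<dst>\S+) \d+")
H_ID_RE = re.compile(r'\[id "(\d+)"\]')
H_MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
# Constructed sample of two transactions; only the first has a rule hit in section H.
SAMPLE = """--8a4f0c2b-A--
[10/Mar/2011:12:00:01 +0000] TXID1 192.0.2.10 54321 198.51.100.5 80
--8a4f0c2b-B--
GET /index.php?id=1 HTTP/1.1
--8a4f0c2b-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"]
--8a4f0c2b-Z--

--8a4f0c2c-A--
[10/Mar/2011:12:00:05 +0000] TXID2 192.0.2.11 54322 198.51.100.5 80
--8a4f0c2c-B--
GET /about.html HTTP/1.1
--8a4f0c2c-Z--
"""

def split_transactions(text):
    """Group raw lines into one {section_letter: text} dict per transaction."""
    txs, tx, cur = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            boundary, cur = m.groups()
            if cur == "A":
                tx = {"_boundary": boundary}
            elif cur == "Z" and tx is not None:
                txs.append(tx)
                tx = None
        elif tx is not None and cur is not None:
            tx[cur] = tx.get(cur, "") + line + "\n"
    return txs

def to_events(text):
    """Flatten each transaction to one flat event: the unit Splunk should index."""
    events = []
    for tx in split_transactions(text):
        a = A_RE.match(tx.get("A", ""))
        h = tx.get("H", "")
        events.append({
            "txid": a.group("txid") if a else None,
            "timestamp": a.group("ts") if a else None,
            "src_ip": a.group("src") if a else None,
            "request": tx.get("B", "").split("\n", 1)[0],
            "rule_ids": H_ID_RE.findall(h),
            "messages": H_MSG_RE.findall(h),
        })
    return events
```

The same boundary logic is what a Splunk props.conf LINE_BREAKER on the "--<id>-A--" marker has to express if the file is read directly instead of relayed over syslog.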

asmar
New Member

I can't understand why things need to be so complicated. All I need is to parse one more single file. I've searched many times, but there aren't any modsecurity-related logs in Splunk.
I've even modified modsecurity to write its logs into the messages file, which is parsed fine by Splunk, and it still shows everything apart from the modsecurity logs.
Something needs to be done in Splunk, but I have no clue what.
I've also installed the modsecurity app but can't find/parse anything.

Is there a howto on how to parse an extra file into Splunk?

Thanks


asmar
New Member

Hi Kristian,

Thanks for your reply. Regarding your questions:

a) I'm syslogging straight into a remote Splunk server
b) Yes
c) Yes, all common files like messages,mail.warn etc
d) Yes
e) Which inputs.conf do you want?

/home/splunk/etc/apps/sample_app/default/inputs.conf
/home/splunk/etc/apps/SplunkDeploymentMonitor/local/inputs.conf
/home/splunk/etc/apps/SplunkLightForwarder/default/inputs.conf
/home/splunk/etc/apps/SplunkUniversalForwarder/default/inputs.conf
/home/splunk/etc/apps/unix/default.old.20101206-173730/inputs.conf
/home/splunk/etc/apps/unix/default.old.20110318-103823/inputs.conf
/home/splunk/etc/apps/unix/default.old.20110318-103823/inputs.conf.in
/home/splunk/etc/modules/distributedDeployment/classes/deployable/inputs.conf
/home/splunk/etc/system/default/inputs.conf
/home/splunk/etc/system/local/inputs.conf
/home/splunk/etc/system/README/inputs.conf.example
/home/splunk/etc/system/README/inputs.conf.spec

In case you need the /home/splunk/etc/system/default/inputs.conf, its content is:


kristian_kolb
Ultra Champion

Updated questions above. /k


kristian_kolb
Ultra Champion

Sorry, I had to remove a little bit of text that did not format all that well. Also, it was a default file, which should not be altered by you anyway.

I was mainly thinking about the inputs.conf which shows which port you are listening to. But since you have successfully transferred files in this manner, the problem is less likely to be found there.

Have to think a little bit about this. Also, here it's Sunday evening. /k


kristian_kolb
Ultra Champion

Didn't fully understand your rsyslog discussion (I'm not an rsyslog expert) - are you creating a log file (modsec_audit) in /var/log/ that you wish to send to the splunk server over syslog?

A few basic questions first:
a) Are you syslogging straight into the remote Splunk server (which I presume) or are you using a forwarder?
b) Have you configured the splunk server to listen on the correct port?
c) Have you (successfully) sent other files from this host to the splunk server in the same way?
d) Do you have permissions to read the file?
e) Could you please provide the inputs.conf from the splunk server?


UPDATE:

How do you know that the bluecoat is not sending logs?

f) Have you tried to do a search over all time to find out if timestamps get parsed correctly, i.e. ending up somewhere else in time than you'd expect?
g) Have you tried to sniff the network traffic (with tools like Wireshark or tcpdump) on the indexer (or source host) to see that the traffic is flowing?
h) Have you looked in the internal logs (splunkd, metrics) to see if there are any errors or warnings reported?


UPDATE2:
Well, I believe that the modsec app is for presenting data once it's already indexed by Splunk.
You didn't really give any answers to questions f), g) and h), but here are a few more anyway.

i) Have you searched all indexes, i.e. index=_* OR index=*?
j) Do you have the rights within Splunk to search all indexes?

If all else fails, you should file a support case with a diag file.

/Kristian
