I have splunk using the local mod sec audit folder ( containing concurrent logs ) and I am able to search through the entries alright, but I am not seeing results or charts for any of the predefined stuff. I am using ModSec 2.7
Also there are literally thousands of sources ( and growing ) is this a bad thing?
Did you look to see what that 500 internal server was in your httpd error_log ?
splunk will only let me choose a file, not a directory for the data source.
I've tried waf-fle but I get a 500 error when trying to send the log messages with mlogc
i figured out the issue and was able to use waf-fle. Why do you think it's better? I can't drill down the reports to find all the paths requested. It would seem splunk has more sophisticated filters
there's no error being logged.
Did you look to see what that 500 internal server was in your httpd error_log ?
I just specified the data folder as the data source, the ms app did the rest. I am using waf-fle now though, works much better. http://www.waf-fle.org
how were you able to get splunk to use the concurrent logs?