Hello,
My Splunk deployment includes a Linux server where ModSecurity 2.7.2 logs events in /opt/modsecurity/var/log/audit.log. This server sends data to another Splunk server via a syslog and forward. This works for standard Linux events but seems not to be working for ModSecurity.
The way I configured the ModSecurity Splunk Server application is:
Data Input: /opt/modsecurity/var/log/audit.log
Set host: constant value
Host field value: modsecurity_server.domain.com
set source type: manual
Source Type: Linux_Mod_Security
Set the destination index: mod_security (this index was created in the modsecurity server)
Search Macros
modsec_index index="mod_security" (please note that a _ is missing from the original text)
modsec_src sourcetype="modsec_audit"
The main Splunk server, which receives events from the remote forwarding, shows the following Deployment Monitor error:
Sourcetype Status MB received MB received today
Linux_Maillog active 1.2 0.72
linux_audit active 2.4 1.7
Linux_Mod_Security missing 0.01
What is wrong? Is there a missing mod_security source type on the server where logs are forwarded?
I would appreciate any help.
Thanks.
Regards
Salvo
Hi Salvo
It's correct, Splunk for ModSecurity has only been tested with flat files. I use this in a large enterprise environment and it works great.
I will check if it is possible to index events from ModSec mlogc in a future version of Splunk for ModSecurity.
Thanks Martin. I switched to the ModSecurity flat file and I now see the events collected.
Salvo
It has apparently no effect.
I have performed different troubleshooting on Splunk 6 but it still doesn't show any ModSecurity events.
Details of how it's configured:
1) ModSecurity
It uses the collector "mlogc" configured with the following tokens:
LogStorageDir "/var/modsecurity/var/audit"
The collector works and it created events in directory chunks as expected. Each directory has a modsecurity raw file.
2) Access Rights
Access rights to /var/modsecurity/var/audit are apache.apache. Apache is the Web server user process owner. The splunk user owns the Splunk daemon and is part of the apache group. Only the /opt/modsecurity/var/audit directory is owned by the apache group. The /opt/modsecurity/var directory is owned by the root group. So, if splunk needs access to traverse the entire path, then this might be a problem.
3) Splunk ModSecurity
The /usr/local/splunk/etc/apps/modsecurity/local/macros.conf includes:
[modsec_src]
disabled = 0
definition = sourcetype="Linux_Mod_Security"
The /usr/local/splunk/etc/apps/modsecurity/default/macros.conf includes:
[modsec_index]
definition = index="modsecurity"
iseval = 0
[modsec_src]
;definition = sourcetype="modsec_audit"
definition = sourcetype="Linux_Mod_Security"
iseval = 0
The Splunk index directory /usr/local/splunk/var/lib/splunk/modsecurity shows the correct structure, but I see no indexes and it's empty.
Splunk ModSecurity was installed via the Splunk applications installer, together with "aamap", "MAXMIND", "sideviewutils", "GoogleMaps".
4) Splunk server
The indexes list confirms the "modsecurity" index is empty, with events collected "0":
Data Input /var/modsecurity/var/audit shows:
Set Host -----> Constant Value
Host Field Value -------> The Splunk server server.domain.com
Set the source type ----> Manual
Source Type -------> Linux_Mod_Security
index --------> modsecurity
Deployment Monitor
It doesn't show any errors in SourceType warnings.
Am I missing something? Is it possible that either Splunk or Splunk ModSecurity is not able to index events created by the ModSecurity mlogc collector and expects a single flat file instead (not recommended in a production environment)?
Thanks. Any assistance will be appreciated.
Salvo
Hi
You need to update the macros.conf so it's consistent with the name of your sourcetype:
modsec_src sourcetype="Linux_Mod_Security"
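A quick way to catch the mismatch Martin describes, checking that the sourcetype (and index) named in the app's search macros agree with what the monitor stanza actually assigns. This is an added example, not code from the thread or from the Splunk for ModSecurity app; the two .conf texts and the minimal parser are constructed here, not Splunk's own parser.

```python
"""Consistency check for the Splunk for ModSecurity search macros. Added example,
not code from the thread or the app; the .conf texts are constructed."""
import re

# Constructed inputs.conf: the monitor stanza for the ModSecurity audit log.
INPUTS_CONF = """
[monitor:///opt/modsecurity/var/log/audit.log]
host = modsecurity_server.domain.com
sourcetype = Linux_Mod_Security
index = mod_security
"""
# Constructed macros.conf as shipped: modsec_src still names the app default.
MACROS_CONF = """
[modsec_index]
definition = index="mod_security"
[modsec_src]
definition = sourcetype="modsec_audit"
iseval = 0
"""

def parse_conf(text):
    """Minimal parser for Splunk [stanza] / key = value .conf text ('#' comments)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def macro_value(definition, field):
    """Return the quoted value of field="..." in a macro definition, or ''."""
    match = re.search(r'%s="([^"]*)"' % re.escape(field), definition)
    return match.group(1) if match else ""

def check_macros(inputs_conf, macros_conf):
    """Per macro, True when it names the same value the monitor stanza assigns."""
    inputs, macros = parse_conf(inputs_conf), parse_conf(macros_conf)
    monitor = next(v for k, v in inputs.items() if k.startswith("monitor:"))
    src_ok = macro_value(macros["modsec_src"]["definition"], "sourcetype") == monitor.get("sourcetype")
    idx_ok = macro_value(macros["modsec_index"]["definition"], "index") == monitor.get("index")
    return {"modsec_src": src_ok, "modsec_index": idx_ok}
```

With the shipped macros.conf the check flags modsec_src as inconsistent; once the definition is changed to sourcetype="Linux_Mod_Security" both macros pass.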
Hi,
I'm also facing the same issue: the "modsec_audit" sourcetype does not appear to be selectable while setting up a "new data input", nor in the "configure receiving" option on the target forward server; when I set this source type manually it accepts the configuration.
But I keep receiving garbage like: "\x00\x13__s2s_capabilities\x00\x00\x00\x00\x14ack=0;compression=0\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00"
I also changed the tcp:12345 to splunktcp:12345 but no success so far.
Any help would be so much appreciated.
Thanks
J.