Collecting ModSecurity logs with Elasticsearch

ModSecurity is an open-source web application firewall (WAF) engine. It started life as a module for the Apache web server; the libmodsecurity rewrite (version 3) also runs under nginx and IIS. In addition to logging, ModSecurity inspects HTTP traffic in real time to detect, and when configured to block, stop attacks. That also makes it an intrusion detection tool: every matched rule is written to the audit log, so you can react to suspicious events on your web systems.

This tutorial does not cover the ModSecurity installation itself. Make sure the OWASP ModSecurity Core Rule Set (CRS) is loaded, and send the audit log to its own file with the SecAuditLog directive (for example /var/log/httpd/modsec_audit.log). Keep SecAuditLogType Serial: the Filebeat input below tails a single file, whereas Concurrent mode writes one file per transaction under SecAuditLogStorageDir. SecAuditLogParts decides which sections are written; the value ABIJDEFHZ from the recommended modsecurity.conf keeps the audit header (A), the request (B), the response headers (F) and the rule matches (H) that the Logstash filter extracts. With SecAuditEngine RelevantOnly only transactions that matched a rule or returned an error status are logged, which keeps the volume manageable.

Start on the web server by configuring Filebeat. The input below reads only the ModSecurity audit log, joins the lines of one transaction into a single event, and tags each event modsecurity so the Logstash filter can restrict itself to these events.

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/httpd/modsec_audit.log   # the SecAuditLog file (SecAuditLogType Serial)
  fields:
    log_name: filebeat_modsec
  # One Filebeat event per transaction: every line that is not a Z boundary is
  # prepended to the next Z boundary line, which closes the audit entry.
  # ModSecurity v2 (Apache) writes "--<8 hex chars>-Z--", libmodsecurity v3 (nginx)
  # writes "---<8 alphanumerics>---Z--"; the pattern below accepts both layouts.
  multiline.pattern: "^-{2,3}[A-Za-z0-9]{8}-{1,3}Z--$"
  multiline.negate: true
  multiline.match: before
  multiline.max_lines: 2000   # default is 500; entries with large request bodies would be cut
  tags: ["modsecurity"]
```

In Logstash, add a filter file to the pipeline directory (/etc/logstash/conf.d on a package install) and wrap it in `if "modsecurity" in [tags] { ... }` so it touches only the tagged events. I use a modified version of the filter from bitsofinfo/logstash-modsecurity (https://github.com/bitsofinfo/logstash-modsecurity), which splits the audit entry into its sections and pulls the rule id, message and severity out of section H.

Restart Logstash after adding the filter and check in Kibana that events tagged modsecurity arrive with the parsed fields rather than as one raw multiline message.
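To show what the Logstash filter has to do with each multiline event, here is a reference parser for the serial audit log, added to this page as an illustration; it is neither the page's own configuration nor the bitsofinfo filter. It performs the same grouping as the Filebeat multiline settings above, then flattens one transaction into the fields a dashboard keys on (client address, request line, status, matched rule ids, blocked or not). The two audit entries embedded in it are constructed samples: one in the ModSecurity v2/Apache layout and one in the libmodsecurity v3/nginx layout, whose boundary lines differ, so the parser accepts both; the rule file paths and line numbers are illustrative.

```python
import re
from datetime import datetime

# Section boundary: ModSecurity v2 (Apache) writes "--<8 hex>-<letter>--",
# libmodsecurity v3 (nginx) writes "---<8 alnum>---<letter>--"; one regex covers both.
BOUNDARY_RE = re.compile(r"^-{2,3}([A-Za-z0-9]{8})-{1,3}([A-Z])--$")
# Part A: "[timestamp] unique_id client_ip client_port server_ip server_port"
A_LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<uid>\S+)\s+(?P<cip>\S+)\s+"
                       r"(?P<cport>\d+)\s+(?P<sip>\S+)\s+(?P<sport>\d+)")
# Bracketed tags shared by v2 ("Message: ...") and v3 ("ModSecurity: ...") rule hits.
TAG_RE = re.compile(r'\[(?P<key>id|msg|severity|file|line|data) "(?P<val>[^"]*)"\]')

# Constructed sample, not a real capture: a v2/Apache transaction blocked by CRS and a
# v3/nginx transaction that only raised a warning. Paths and line numbers are illustrative.
SAMPLE_AUDIT_LOG = """\
--a3f5c21e-A--
[21/Feb/2020:11:02:12 +0000] XlBv@H8AAAEAAC6Vm7MAAAAA 203.0.113.10 45786 198.51.100.5 443
--a3f5c21e-B--
GET /?file=../../etc/passwd HTTP/1.1
Host: www.example.com
--a3f5c21e-F--
HTTP/1.1 403 Forbidden
--a3f5c21e-H--
Message: Warning. Matched phrase "etc/passwd" at ARGS:file. [file "/etc/httpd/modsecurity.d/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "82"] [id "930120"] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:file: ../../etc/passwd"] [severity "CRITICAL"] [tag "attack-lfi"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--a3f5c21e-Z--
---MeA3MRRM---A--
[21/Feb/2020:11:05:40 +0000] 158228314012.417733 203.0.113.44 51002 198.51.100.5 443
---MeA3MRRM---B--
GET /?testparam=test HTTP/1.1
Host: www.example.com
---MeA3MRRM---F--
HTTP/1.1 200
---MeA3MRRM---H--
ModSecurity: Warning. Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/etc/nginx/modsec/main.conf"] [line "8"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [hostname "198.51.100.5"] [uri "/"] [unique_id "158228314012.417733"]
---MeA3MRRM---Z--
"""


def split_transactions(text):
    """Group audit-log lines into one dict of sections per transaction.

    Same grouping as the Filebeat multiline settings: every line belongs to the
    transaction that the next Z boundary closes; an entry without Z is dropped.
    """
    transactions, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if not m:
            if current is not None and section is not None:
                current[section].append(line)
            continue
        boundary, letter = m.groups()
        if letter == "A":                       # a new transaction starts
            current = {"_boundary": boundary}
        if current is None:                     # stray lines before any A boundary
            continue
        if letter == "Z":                       # transaction complete
            transactions.append({k: v if k == "_boundary" else "\n".join(v)
                                 for k, v in current.items()})
            current, section = None, None
        else:
            section = letter
            current.setdefault(section, [])
    return transactions


def parse_transaction(sections):
    """Flatten one transaction into the fields a SIEM dashboard keys on."""
    event = {"boundary": sections.get("_boundary")}
    a = A_LINE_RE.match(sections.get("A", "").strip())
    if a:
        event.update(timestamp=datetime.strptime(a["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                     unique_id=a["uid"], client_ip=a["cip"], client_port=int(a["cport"]),
                     server_ip=a["sip"], server_port=int(a["sport"]))
    b_lines = sections.get("B", "").strip().splitlines()
    if b_lines:
        parts = b_lines[0].split(" ", 2)        # "METHOD URI PROTOCOL"
        if len(parts) == 3:
            event["method"], event["request_uri"], event["protocol"] = parts
        hdrs = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in b_lines[1:])}
        event["host"] = hdrs.get("host")
    f_lines = sections.get("F", "").strip().splitlines()
    status = f_lines[0].split() if f_lines else []   # "HTTP/1.1 403 Forbidden"
    if len(status) > 1 and status[1].isdigit():
        event["status"] = int(status[1])
    h_text = sections.get("H", "")
    # v2 rule hits start with "Message:", v3 with "ModSecurity:"; both carry [id "..."].
    rules = [{m["key"]: m["val"] for m in TAG_RE.finditer(line)}
             for line in h_text.splitlines() if '[id "' in line]
    event["rules"], event["rule_ids"] = rules, [r.get("id") for r in rules]
    # v2 marks a block with "Action: Intercepted"; both versions log "Access denied".
    event["blocked"] = "Action: Intercepted" in h_text or "Access denied" in h_text
    return event


def parse_audit_log(text):
    """Parse a whole serial audit log (v2 or v3 layout) into flat events."""
    return [parse_transaction(t) for t in split_transactions(text)]
```

Call parse_audit_log(SAMPLE_AUDIT_LOG) and inspect the list: the first event carries status 403, rule ids 930120 and 949110 and blocked=True, the second carries status 200, rule id 1234 and blocked=False. The practical point for the Logstash filter is the same one this parser handles explicitly: if the multiline pattern does not match the boundary layout your ModSecurity version writes, sections A, B or H are simply absent, and a filter that reaches for them without checking fails on a nil value.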

  1. Awesome post! Keep up the great work! 🙂

  2. Great content! Super high-quality! Keep it up! 🙂

  3. I configured my logstash exactly the same and it returns this exception
    ```
    [2020-02-21T11:02:21,031][ERROR][logstash.filters.ruby ][main] Ruby exception occurred: undefined method `/' for nil:NilClass
    [2020-02-21T11:02:21,045][ERROR][logstash.filters.ruby ][main] Ruby exception occurred: undefined method `/' for nil:NilClass
    [2020-02-21T11:02:21,049][ERROR][logstash.filters.ruby ][main] Ruby exception occurred: can't convert nil into an exact number
    ```
    log form
    ```
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: ---MeA3MRRM---A--
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: [21/Feb/2020:11:02:12 +0000] 158228293285.260841 183.91.2.200 45786 172.31.20.22 443
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: ---MeA3MRRM---B--
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: GET /?testparam=test HTTP/1.1
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: Host: lengochuy.cf
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: Cookie: _ga=GA1.2.327771797.1561704022
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: Accept-Language: en-US,en;q=0.5
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: Accept-Encoding: gzip, deflate, br
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: Connection: keep-alive
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: Upgrade-Insecure-Requests: 1
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: ---MeA3MRRM---D--
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: ---MeA3MRRM---F--
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: HTTP/1.1 302
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: Server: nginx/1.14.0
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: Date: Fri, 21 Feb 2020 11:02:12 GMT
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: kbn-name: ip-172-31-20-22
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: Connection: keep-alive
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: cache-control: no-cache
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: location: /spaces/enter
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: kbn-license-sig: 3f20f60de0f02a250c8ef123f1977373b7998340d29862c8f96e15e378afa199
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: kbn-xpack-sig: aa55f2f6b5a89989c155328e4a2ba4a3
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: ---MeA3MRRM---H--
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: ModSecurity: Warning. Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/etc/nginx/modsec/main.conf"] [line "8"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "172.31.20.22"] [uri "/"] [unique_id "158228293285.260841"] [ref "o0,4v16,4"]
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: ---MeA3MRRM---I--
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: ---MeA3MRRM---J--
    Feb 21 11:02:20 ip-172-31-20-22 logstash[3889]: ---MeA3MRRM---Z--
    ```
