Collecting ModSecurity logs with Elasticsearch

ModSecurity is an open-source web application firewall engine, originally written for the Apache HTTP Server and later ported to Nginx and IIS. Besides writing a detailed audit log of each HTTP transaction, it inspects requests and responses in real time against a rule set to detect attacks. When its rules are set to block it acts as an intrusion prevention layer; in DetectionOnly mode it works as an intrusion detection tool that only flags suspicious events, so you can review them and react before turning blocking on.

This tutorial does not cover the ModSecurity installation itself. Make sure the OWASP ModSecurity Core Rule Set (CRS) is loaded, and send the audit log to a dedicated file with the SecAuditLog directive. The Filebeat configuration below expects the native multi-line format written with SecAuditLogType Serial (all entries in one file, each one framed by --<8 hex digits>-<section letter>-- boundary lines), not Concurrent, which writes one file per transaction. SecAuditLogParts should include at least A, B, F, H and Z so that the transaction line, the request, the response headers, the rule messages and the Z trailer that ends every entry are all present. If you have switched to SecAuditLogFormat JSON (ModSecurity 2.9.1 and later), the multi-line pattern below does not apply and the events should be handled with Logstash's json filter instead.

Start by configuring Filebeat on the web server. The input below is dedicated to the ModSecurity audit log and adds the tag modsecurity, so that the Logstash pipeline can match on that tag and run the ModSecurity filter only on these events, leaving any other Filebeat inputs untouched.

# Filebeat 7.x "log" input (on newer Filebeat use type: filestream, where the
# multiline settings live under parsers)
- type: log
  enabled: true
  paths:
    - /var/log/httpd/modsec_audit.log   # the file named in SecAuditLog
  fields:
    log_name: filebeat_modsec
  # One audit-log entry spans many lines and always ends with its "--<8 hex>-Z--"
  # trailer. negate: true + match: before buffers every line that does NOT match
  # the pattern and attaches it before the next Z line, so each entry reaches
  # Logstash as a single event instead of one event per line.
  multiline.pattern: "^--[a-fA-F0-9]{8}-Z--$"
  multiline.negate: true
  multiline.match: before
  tags: ["modsecurity"]

In Logstash, create a filter in the pipeline configuration directory that applies only to events carrying the modsecurity tag (a conditional on the tags field wrapped around the whole filter). I used and adapted the filter from bitsofinfo/logstash-modsecurity, which splits each audit-log entry into its sections and extracts the transaction details and the rule messages into separate fields.

Restart Logstash (and Filebeat, if you changed its input) after the configuration change, then check in Kibana that ModSecurity events arrive with the new fields. If each audit-log entry shows up as many single-line documents rather than one document with the rule IDs and client address filled in, the multiline settings are not taking effect and should be checked first.
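What the Logstash filter has to do with the event Filebeat delivers is easier to see in a small parser. The Python below is an added example, written for this page; it is neither the page's configuration nor the bitsofinfo/logstash-modsecurity filter. It regroups raw lines with the same Z-trailer rule as the Filebeat multiline settings above, splits each entry into its A/B/F/H sections, and flattens the transaction line, request line, response status and every [id "..."], [msg "..."] and [severity "..."] pair from the Message: lines in section H into the kind of document you would expect to see in Kibana. The sample log at the top is constructed for the example (IPs, transaction IDs and timestamps are invented), and the output field names such as client_ip, rule_ids and blocked are my choice, not ModSecurity's or Logstash's. In the real pipeline the equivalent logic sits inside a Logstash conditional on the tag, if "modsecurity" in [tags] { ... }, so that other inputs are left alone.

```python
import re

# Constructed sample (not real traffic): two entries in the ModSecurity v2 serial
# audit-log format (SecAuditLogType Serial, SecAuditLogParts ABFHZ). IPs, IDs and
# timestamps are invented; 942100 and 949110 are real CRS 3.x rule IDs.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[12/Mar/2021:10:15:32.123456 +0000] YEsbqH8AAQEAAA1KkZ0AAAAA 203.0.113.10 51234 198.51.100.5 80
--1a2b3c4d-B--
GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1
Host: www.example.com

--1a2b3c4d-F--
HTTP/1.1 403 Forbidden

--1a2b3c4d-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-sqli"]
Message: Access denied with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "anomaly-evaluation"]
Action: Intercepted (phase 2)

--1a2b3c4d-Z--

--5e6f7a8b-A--
[12/Mar/2021:10:15:40.000111 +0000] YEsbsH8AAQEAAA1KkZ4AAAAB 192.0.2.7 40022 198.51.100.5 80
--5e6f7a8b-B--
GET /healthz HTTP/1.1
Host: www.example.com

--5e6f7a8b-F--
HTTP/1.1 200 OK

--5e6f7a8b-H--
Engine-Mode: "ENABLED"

--5e6f7a8b-Z--
"""

# Same pattern as the Filebeat multiline setting: a Z trailer closes an entry.
ENTRY_END = re.compile(r"^--[a-fA-F0-9]{8}-Z--$")
SECTION_HDR = re.compile(r"^--([a-fA-F0-9]{8})-([A-Z])--$")
SECTION_A = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs on Message: lines


def split_entries(text):
    """Group lines into entries the way Filebeat's multiline config does: every line
    that is not a Z trailer is buffered and attached before the next Z line."""
    entries, buf = [], []
    for line in text.splitlines():
        buf.append(line)
        if ENTRY_END.match(line):
            entries.append("\n".join(buf))
            buf = []
    return entries


def split_sections(entry):
    """Return (boundary id, {section letter: body}) for one entry."""
    boundary, current, sections = None, None, {}
    for line in entry.splitlines():
        m = SECTION_HDR.match(line)
        if m:
            boundary, current = m.group(1), m.group(2)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return boundary, {k: "\n".join(v).strip("\n") for k, v in sections.items()}


def parse_entry(entry):
    """Flatten one entry into the document a Logstash filter would send to Elasticsearch."""
    boundary, sec = split_sections(entry)
    doc = {"boundary": boundary, "rules": []}
    a = SECTION_A.match(sec.get("A", ""))
    if a:  # A: [timestamp] transaction-id client-ip client-port server-ip server-port
        ts, txid, cip, cport, sip, sport = a.groups()
        doc.update(timestamp=ts, transaction_id=txid, client_ip=cip,
                   client_port=int(cport), server_ip=sip, server_port=int(sport))
    req = sec.get("B", "").splitlines()
    if req:  # B: three-token HTTP/1.x request line, then request headers
        doc["method"], doc["uri"], doc["http_version"] = req[0].split(" ", 2)
        doc["request_headers"] = {k.strip().lower(): v.strip() for k, v in
                                  (h.split(":", 1) for h in req[1:] if ":" in h)}
    resp = sec.get("F", "").splitlines()
    if resp:  # F: response status line, then response headers
        doc["status"] = int(resp[0].split(" ", 2)[1])
    for line in sec.get("H", "").splitlines():  # H: one "Message:" line per rule that fired
        if line.startswith("Message: "):
            kv = KV.findall(line)
            rule = {k: v for k, v in kv if k != "tag"}
            rule["tags"] = [v for k, v in kv if k == "tag"]
            doc["rules"].append(rule)
        elif line.startswith("Action: "):
            doc["action"] = line[len("Action: "):]
    doc["rule_ids"] = [r.get("id") for r in doc["rules"]]
    doc["blocked"] = doc.get("action", "").startswith("Intercepted")
    return doc


def parse_audit_log(text):
    return [parse_entry(e) for e in split_entries(text)]


if __name__ == "__main__":
    for d in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(d["client_ip"], d["method"], d["uri"], d["status"], d["rule_ids"], d["blocked"])
```

Run stand-alone it prints one line per entry: the SQL injection attempt from 203.0.113.10 with status 403, rule IDs 942100 and 949110 and blocked True, and the health check with no rules. The split into two entries only works because the Z trailer is the event boundary; if the Filebeat pattern is wrong, each Message: line would arrive as its own event with no section A to take the client address from, which is exactly the symptom to look for in Kibana after the restart.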
