ModSecurity Add-on for Splunk: is only "SecAuditLogType Serial" supported?

Hello!

We have been using Mod_Sec for a while in a large Apache reverse proxy
environment with:

SecAuditLogType Concurrent

We have now deployed the ModSecurity Add-on for Splunk in our test
environment to ingest these logs (https://splunkbase.splunk.com/app/3391/).
However, it is unclear if we are expected to convert to:

SecAuditLogType Serial

The docs for the TA seem to only imply Serial mode, but neither mode is
ever referenced specifically. Only a link to:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secauditengine

is provided as a Mod_Sec config reference. As this reference states, and as
we have experienced:

    Concurrent : One file per transaction is used for audit logging.
    This approach is more scalable when heavy logging is required
    (multiple transactions can be recorded in parallel). It is also
    the only choice if you need to use remote logging.

We currently have our monitor stanza configured to just ingest the per
transaction audit files in the audit_log directory. This seems to be working,
but we are not clear if this is a supported or recommended approach. Are we
required to convert to Serial mode, or perhaps use ModSecurity Log Collector
(mlogc) or similar to send audit logs to a central repository? What is the
recommended approach to work with this TA in a large Mod_Sec deployment?
Btw, we also have the ModSecurity App for Splunk deployed on our search heads
to visualize the data.

Thanks for your time!
-pat.


Hello nethead,

Thanks for using the Add-on & the App.

Serial logging mode is implied indeed.

The Add-on is not yet compatible with concurrent mode as it uses another format.

Pros & cons of both modes are detailed here in the "Concurrent Audit Log" section.

I had tested concurrent logging 2-3 years back but I did not stick with it as the format was different - unfortunately I cannot retrieve a sample for it - and the whole "multiple files and directories" made it look more complex at the time.

I have seen environments running OK with several ModSecurity servers.

But I am afraid I cannot be of greater help regarding scaling.

I would suggest to:

  • try to stick with serial as the Add-on is only compatible with that mode for now;

  • monitor your ModSec logging. This article seems to mention message events that can indicate a logging latency;

  • if needed, try concurrent mode and send a sample to our email in the readme, I will check if I can adapt the Add-on.

Best regards,
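As an added illustration of the serial audit log format the Add-on expects (and of the "monitor your ModSec logging" suggestion above), here is a small parser that splits a serial-mode audit log into transactions and flags entries that never reached their closing Z section. This is example code written for this thread, not part of the Add-on or of ModSecurity; it assumes the mod_security2 audit format (sections delimited by `--<boundary>-A--` through `--<boundary>-Z--`, with section A opening on a `[timestamp] unique_id client_ip client_port server_ip server_port` line) and uses a constructed sample log.

```python
"""Split a ModSecurity serial audit log into transactions and flag
incomplete entries. Example code for this thread, not Add-on code."""
import re
from dataclasses import dataclass, field

# Section delimiter: --<hex boundary>-<section letter>--
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# First line of section A (assumed mod_security2 layout).
HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<cip>\S+) "
                    r"(?P<cport>\d+) (?P<sip>\S+) (?P<sport>\d+)$")

@dataclass
class Transaction:
    boundary: str
    sections: dict = field(default_factory=dict)  # letter -> body text

    def is_complete(self):
        # A serial entry that was cut off mid-write (or is still being
        # written) has no Z section; the TA would see a partial event.
        return "A" in self.sections and "Z" in self.sections

    def header(self):
        first = self.sections.get("A", "").splitlines()[:1]
        m = HEADER.match(first[0]) if first else None
        return m.groupdict() if m else None

def parse_serial_log(text):
    """Group lines by boundary id; a new id starts a new transaction."""
    txns, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            bid, part = m.groups()
            if current is None or current.boundary != bid:
                current = Transaction(bid)
                txns.append(current)
            current.sections[part] = ""
            continue
        if current is not None and part is not None:
            current.sections[part] += line + "\n"
    return txns

# Constructed sample: one complete entry, one truncated after section B.
SAMPLE_LOG = """--5c1a9b2e-A--
[12/Mar/2018:10:15:30 +0000] WqYqRn8AAQEAAGlrmQ8AAAAA 203.0.113.5 51234 10.0.0.1 443
--5c1a9b2e-B--
GET /index.html HTTP/1.1
Host: www.example.com

--5c1a9b2e-H--
Message: Warning. Pattern match (constructed sample)
--5c1a9b2e-Z--

--7d0f3e41-A--
[12/Mar/2018:10:15:31 +0000] WqYqR38AAQEAAGlrmRAAAAAB 198.51.100.9 40022 10.0.0.1 443
--7d0f3e41-B--
POST /login HTTP/1.1
Host: www.example.com
"""

if __name__ == "__main__":
    for t in parse_serial_log(SAMPLE_LOG):
        h = t.header() or {}
        print(t.boundary, h.get("uid"), h.get("cip"),
              "complete" if t.is_complete() else "INCOMPLETE")
```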
