is provided as a Mod_Sec config reference. As this reference states, and as
we have experienced:
Concurrent: One file per transaction is used for audit logging.
This approach is more scalable when heavy logging is required
(multiple transactions can be recorded in parallel). It is also
the only choice if you need to use remote logging.
We currently have our monitor stanza configured to just ingest the per
transaction audit files in the audit_log directory. This seems to be working,
but we are not clear if this is a supported or recommended approach. Are we
required to convert to Serial mode, or perhaps use ModSecurity Log Collector
(mlogc) or similar to send audit logs to a central repository? What is the
recommended approach to work with this TA in a large Mod_Sec deployment?
Btw, we also have the ModSecurity App for Splunk deployed on our search heads
to visualize the data.
I had tested concurrent logging 2-3 years back but I did not stick with it as the format was different - unfortunately I cannot retrieve a sample for it - and the whole "multiple files and directories" made it look more complex at the time.
I have seen environments running OK with several ModSecurity servers.
But I am afraid I cannot be of a greater help regarding scaling.
I would suggest to:
try to stick with serial as the Add-on is only compatible with that mode for now;
monitor your ModSec logging
This article seems to mention message events that can indicate a logging latency.
if needed, try concurrent mode and send a sample to our email in the readme; I will check if I can adapt the Add-on.
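As an added example (this is not code from the thread, from the ModSecurity project or from the Splunk Add-on), the script below reassembles ModSecurity concurrent-mode per-transaction files into one serial-style audit log, which is the mode the reply above says the Add-on supports. It relies on the native audit-log entry format (sections delimited by `--<boundary>-<LETTER>--` lines, opened by part A and closed by part Z), which is the same in both modes, and assumes the concurrent storage layout `<SecAuditLogStorageDir>/YYYYMMDD/YYYYMMDD-HHMM/YYYYMMDD-HHMMSS-<unique_id>` described in the reference manual. The sample entries, unique IDs, addresses and rule IDs are constructed for the demo; the merge skips files that do not yet contain a complete A..Z entry, which is what an in-progress transaction looks like on disk.

```python
"""Reassemble ModSecurity concurrent-mode audit files into a serial-style log.

Added example, not part of the original thread or of the Splunk Add-on.
Assumption: entries use the native format (--<boundary>-<PART>-- lines, A..Z)
in both serial and concurrent mode, so concatenating complete per-transaction
files in timestamp order yields a serial-style log. Sample data is constructed.
"""
import os
import re
import tempfile
from datetime import datetime

BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
# First line of part A: "[dd/Mon/yyyy:HH:MM:SS +zzzz] unique_id src_ip src_port dst_ip dst_port"
PART_A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<txid>\S+) (?P<src_ip>\S+) (?P<src_port>\d+) "
    r"(?P<dst_ip>\S+) (?P<dst_port>\d+)$"
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample entries: hypothetical unique IDs, RFC 5737 addresses, made-up rule IDs.
SAMPLE_ENTRIES = [
    "--5a1b2c3d-A--\n"
    "[10/Jan/2024:12:00:05 +0000] Zab1234Xaaaa 203.0.113.7 51234 198.51.100.10 443\n"
    "--5a1b2c3d-B--\n"
    "GET /index.html?id=1%27%20OR%201%3D1 HTTP/1.1\n"
    "Host: www.example.com\n\n"
    "--5a1b2c3d-F--\n"
    "HTTP/1.1 403 Forbidden\n\n"
    "--5a1b2c3d-H--\n"
    'Message: Warning. Pattern match "(?i)or 1=1" at ARGS:id. [id "100001"] [msg "Sample SQLi rule"]\n'
    'Message: Access denied with code 403 (phase 2). [id "100002"]\n'
    "Action: Intercepted (phase 2)\n"
    'Engine-Mode: "ENABLED"\n\n'
    "--5a1b2c3d-Z--\n",
    "--9e8f7a6b-A--\n"
    "[10/Jan/2024:12:00:01 +0000] Zab1234Xbbbb 203.0.113.9 40000 198.51.100.10 443\n"
    "--9e8f7a6b-B--\n"
    "GET /healthz HTTP/1.1\n"
    "Host: www.example.com\n\n"
    "--9e8f7a6b-F--\n"
    "HTTP/1.1 200 OK\n\n"
    "--9e8f7a6b-H--\n"
    'Engine-Mode: "ENABLED"\n\n'
    "--9e8f7a6b-Z--\n",
]


def split_entries(text):
    """Split native-format audit text into entries: [{"boundary": id, "parts": {letter: [lines]}}].
    Works for a serial file (many entries) and for a per-transaction file (one entry)."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if not m:
            if section is not None:          # lines between A and Z belong to the open section
                current["parts"][section].append(line)
            continue
        bid, part = m.groups()
        if part == "A":                      # part A opens a new entry
            current = {"boundary": bid, "parts": {}}
            entries.append(current)
        elif current is None or bid != current["boundary"]:
            raise ValueError("boundary %s-%s outside of its entry" % (bid, part))
        current["parts"][part] = []
        section = None if part == "Z" else part   # part Z closes the entry
    return entries


def is_complete(entry):
    """An entry is usable only once both its opening (A) and closing (Z) parts exist."""
    return "A" in entry["parts"] and "Z" in entry["parts"]


def summarize(entry):
    """Extract the part A header fields, the request line and the part H rule messages."""
    m = PART_A_RE.match(entry["parts"]["A"][0])
    if not m:
        raise ValueError("unparseable part A for boundary " + entry["boundary"])
    info = m.groupdict()
    info["time"] = datetime.strptime(info["ts"], TS_FORMAT)
    info["request_line"] = (entry["parts"].get("B") or [""])[0]
    info["messages"] = [ln[len("Message: "):]
                        for ln in entry["parts"].get("H", []) if ln.startswith("Message: ")]
    return info


def merge_concurrent(storage_dir, out_path):
    """Walk the concurrent storage directory and write every complete single-entry
    file to out_path in timestamp order. Incomplete or malformed files (a transaction
    still being written, or a truncated one) are skipped. Returns the count written."""
    collected = []
    for dirpath, _, filenames in os.walk(storage_dir):
        for name in filenames:
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            try:
                entries = split_entries(text)
            except ValueError:
                continue
            if len(entries) != 1 or not is_complete(entries[0]):
                continue
            collected.append((summarize(entries[0])["time"], text))
    collected.sort(key=lambda item: item[0])
    with open(out_path, "w", encoding="utf-8") as out:
        for _, text in collected:
            out.write(text.rstrip("\n") + "\n\n")   # serial entries are separated by a blank line
    return len(collected)


def build_sample_tree(root):
    """Write the constructed entries in the assumed concurrent layout, plus one
    in-progress file (part A only, no part Z) that the merge must skip."""
    for text in SAMPLE_ENTRIES:
        info = summarize(split_entries(text)[0])
        t = info["time"]
        d = os.path.join(root, t.strftime("%Y%m%d"), t.strftime("%Y%m%d-%H%M"))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, t.strftime("%Y%m%d-%H%M%S") + "-" + info["txid"]), "w") as fh:
            fh.write(text)
    with open(os.path.join(root, "partial"), "w") as fh:
        fh.write("--0000aaaa-A--\n[10/Jan/2024:12:00:09 +0000] Zab1234Xcccc 203.0.113.1 1 198.51.100.10 443\n")
    return root


def demo():
    """Merge the constructed tree and return (count, summaries of the serial log in order)."""
    root = tempfile.mkdtemp(prefix="modsec-audit-")
    storage = build_sample_tree(os.path.join(root, "storage"))
    out = os.path.join(root, "modsec_audit_serial.log")
    count = merge_concurrent(storage, out)
    with open(out, encoding="utf-8") as fh:
        summaries = [summarize(e) for e in split_entries(fh.read())]
    return count, summaries


if __name__ == "__main__":
    n, rows = demo()
    print("merged %d entries" % n)
    for r in rows:
        print(r["time"].isoformat(), r["txid"], r["src_ip"], r["request_line"], len(r["messages"]), "message(s)")
```

Pointing the monitor stanza at the merged file instead of the per-transaction tree gives the Add-on the serial input it expects; the merge deliberately does not touch the concurrent-mode index file (the one named by SecAuditLog), since that file has its own line-per-transaction format and is not part of the serial log.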