All Apps and Add-ons

ModSecurity not reading forwarded events?

ilasa01
Explorer

Hello,
My Splunk deployment includes a Linux server where ModSecurity 2.7.2 logs events in /opt/modsecurity/var/log/audit.log. This server sends data to another Splunk server via a syslog and forward. This works for standard Linux events but seems not working for ModSecurity.

The way how I configured the ModSecurity Splunk Server application is:

Data Input: /opt/modsecurity/var/log/audit.log

Set host: constant value

Host field value: modsecurity_server.domain.com

set source type: manual

Source Type: Linux_Mod_Security

Set the destination index: mod_security (this index was created in the modsecurity server)

Search Macros

modsec_index index="mod_security" (please note that a _ is missing from the original text)

modsec_src sourcetype="modsec_audit"

The Main Splunk server, which receives events from the remote forwarding shows the following Deployment Monitor error:

Sourcetype Status MB received MB received today

Linux_Maillog active 1.2 0.72

linux_audit active 2.4 1.7

Linux_Mod_Security missing 0.01

What it's wrong? Is there a mod_security missing source type in the server where logs are forwarded?

I would appreciate any help.

Thanks.

Regards

Salvo

Tags (2)

martin_splunk
New Member

Hi Salvo

It´s correct the Splunk for ModSecurity has only been tested with flat files, I uses this on a large enterprise environment and it works great.

I will check if there is possible to index events from ModSec mlogc in a future version of Splunk for ModSecurity.

0 Karma

ilasa01
Explorer

Thanks Martin. I switched to the ModSecurity flat file and I now see the events collected.

Salvo

0 Karma

ilasa01
Explorer

It has apparently no effect.
I have performed a different troubleshooting on Splunk 6 but still doesn't show any modsecurity events.

Details of how it's configured:

1) ModSecurity
It uses the collector "mlogc" configured with the following tokens
LogStorageDir "/var/modsecurity/var/audit"
The collector works and it created events in directory chunks as expected. Each directory has a modsecurity raw file.

2) Access Rights
access rights to /var/modsecurity/var/audit is apache.apache. Apache is the Web server user process owner. The splunk user owns the Splunk daemon and it's part of the apache group. Only the /opt/modsecurity/var/audit is owned by the apache group. The /opt/modsecurity/var access right is owned by the root group. So, if splunk needs access to traverse the entire path, then this might be a problem.

3) Splunk ModSecurity

the /usr/local/splunk/etc/apps/modsecurity/local/macros.conf includes

[modsec_src]

disabled = 0

definition = sourcetype="Linux_Mod_Security"

the /usr/local/splunk/etc/apps/modsecurity/default/macros.conf includes

[modsec_index]

definition = index="modsecurity"

iseval = 0

[modsec_src]

;definition = sourcetype="modsec_audit"

definition = sourcetype="Linux_Mod_Security"

iseval = 0

The Splunk index /usr/local/splunk/var/lib/splunk/modsecurity shows its correct structure but I see no indexes and it's empty.

Splunk ModSecurity was installed via Splunk applications installer, together with "aamap", "MAXMIND", "sideviewutils" , "GoogleMaps".

4) Splunk server

Indexes list confirms "modsecurity" index is empty or events collected "0":

Data Input /var/modsecurity/var/audit shows:

Set Host -----> Constant Value

Host Field Value -------> The Splunk server server.domain.com

Set the source type ----> Manual

Source Type -------> Linux_Mod_Security

index --------> modsecurity

Deployment Monitor

It doesn't show any errors in SourceType warnings.

Am I missing something? Is it possible that either Splunk or Splunk Modsecurity are not able to index events created by the ModSecurity mlogc collector and expect a single flat file instead (not recommended in a production environment)?

Thanks. Any assistance will be appreciated.
Salvo

0 Karma

martin_splunk
New Member

Hi

You need to update the macros conf so it´s consistent with the name of your sourcetype.

modsec_src sourcetype="Linux_Mod_Security"

0 Karma

juniorbsd
Engager

Hi,
I'm also facing the same issue, the "modsec_audit" sourcetype does not appear to be selected while setting up a "new data input" neither in the "configure receiving" option in the target forward-server, when i set this source type manually it accepts the configuration.
But i keep receiving garbage like: "\x00\x13__s2s_capabilities\x00\x00\x00\x00\x14ack=0;compression=0\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00"
i also changed the tcp:12345 to splunktcp:12345 but no sucess til now.

Any help would be so much apreciated.

Thanks

J.

0 Karma
Get Updates on the Splunk Community!

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...