
ModSecurity not reading forwarded events?


My Splunk deployment includes a Linux server where ModSecurity 2.7.2 logs events in /opt/modsecurity/var/log/audit.log. This server sends data to another Splunk server via syslog and forwarding. This works for standard Linux events but does not seem to work for ModSecurity.

The way I configured the ModSecurity Splunk application is:

Data Input: /opt/modsecurity/var/log/audit.log

Set host: constant value

Host field value:

set source type: manual

Source Type: Linux_Mod_Security

Set the destination index: mod_security (this index was created in the modsecurity server)

Search Macros

modsec_index index="mod_security" (please note that a _ is missing from the original text)

modsec_src sourcetype="modsec_audit"

The main Splunk server, which receives the events from the remote forwarder, shows the following Deployment Monitor error:

Sourcetype           Status    MB received   MB received today
Linux_Maillog        active    1.2           0.72
linux_audit          active    2.4           1.7
Linux_Mod_Security   missing   0.01

What is wrong? Is the mod_security source type missing on the server the logs are forwarded to?

I would appreciate any help.





Hi Salvo

It's correct that Splunk for ModSecurity has only been tested with flat files; I use it in a large enterprise environment and it works great.

I will check whether it is possible to index events from ModSec mlogc in a future version of Splunk for ModSecurity.



Thanks Martin. I switched to the ModSecurity flat file and I now see the events collected.




It apparently has no effect.
I have performed different troubleshooting on Splunk 6, but it still doesn't show any ModSecurity events.

Details of how it's configured:

1) ModSecurity
It uses the collector "mlogc" configured with the following tokens
LogStorageDir "/var/modsecurity/var/audit"
The collector works and it created events in directory chunks as expected. Each directory has a modsecurity raw file.

2) Access Rights
Access rights on /var/modsecurity/var/audit are apache:apache. Apache is the web server process owner. The splunk user owns the Splunk daemon and is part of the apache group. Only /opt/modsecurity/var/audit is owned by the apache group; /opt/modsecurity/var is owned by the root group. So, if splunk needs access to traverse the entire path, this might be a problem.

3) Splunk ModSecurity

the /usr/local/splunk/etc/apps/modsecurity/local/macros.conf includes

    disabled = 0
    definition = sourcetype="Linux_Mod_Security"

the /usr/local/splunk/etc/apps/modsecurity/default/macros.conf includes

    definition = index="modsecurity"
    iseval = 0

    ;definition = sourcetype="modsec_audit"
    definition = sourcetype="Linux_Mod_Security"
    iseval = 0

The Splunk index directory /usr/local/splunk/var/lib/splunk/modsecurity shows the correct structure, but I see no indexes and it's empty.

Splunk ModSecurity was installed via Splunk applications installer, together with "aamap", "MAXMIND", "sideviewutils" , "GoogleMaps".

4) Splunk server

The indexes list confirms the "modsecurity" index is empty (events collected: 0).

Data Input /var/modsecurity/var/audit shows:

    Set Host            -> Constant Value
    Host Field Value    -> The Splunk server
    Set the source type -> Manual
    Source Type         -> Linux_Mod_Security
    Index               -> modsecurity

Deployment Monitor

It doesn't show any errors under sourcetype warnings.

Am I missing something? Is it possible that either Splunk or Splunk ModSecurity is not able to index events created by the ModSecurity mlogc collector and expects a single flat file instead (not recommended in a production environment)?

Thanks. Any assistance will be appreciated.

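The traversal question raised under point 2 above (a parent directory owned by the root group without the execute bit for others would stop the splunk user before it ever reaches the audit files) can be checked mechanically instead of by inspection. The script below is an added example, not part of this thread or of the Splunk for ModSecurity app. It derives permissions from `stat -c` output (GNU or busybox stat) so it can be run as any user, and it assumes absolute paths without whitespace; the user and group names you pass (`splunk`, `apache`) are whatever you want to test, not values read from the system.

```sh
#!/bin/sh
# Added example: can USER (member of GROUPS) reach a log file through every
# directory on its path? Each parent directory needs the execute (search) bit
# for that user and the file itself needs the read bit. Modes, owners and
# groups are taken from stat(1), so the check does not depend on who runs it.

# Print the effective permission digit (0-7) that USER, member of the
# space-separated GROUPS, gets on FILE from its mode, owner and group.
perm_for() {  # file user "group1 group2 ..."
  out=$(stat -c '%a %U %G' "$1" 2>/dev/null) || return 1
  user=$2; groups=$3
  set -- $out
  mode=$1; owner=$2; group=$3
  case $mode in ?) mode=00$mode ;; ??) mode=0$mode ;; esac
  pre=${mode%???}; mode=${mode#$pre}     # keep the last three octal digits
  if [ "$owner" = "$user" ]; then
    printf '%s\n' "${mode%??}"; return 0  # owner digit
  fi
  for g in $groups; do
    if [ "$g" = "$group" ]; then
      rest=${mode#?}; printf '%s\n' "${rest%?}"; return 0   # group digit
    fi
  done
  printf '%s\n' "${mode#??}"              # other digit
}

# Walk from / down to TARGET. Prints the first component USER cannot traverse,
# "no read" if the file itself is unreadable, or "ok". Returns 0 only on "ok".
check_path_access() {  # target user "group1 group2 ..."
  target=$1; user=$2; groups=$3
  case $target in /*) ;; *) echo "need an absolute path: $target"; return 2 ;; esac
  parents=""
  dir=$target
  while [ "$dir" != "/" ]; do
    dir=$(dirname "$dir")
    parents="$dir $parents"
  done
  for p in $parents; do
    d=$(perm_for "$p" "$user" "$groups") || { echo "missing: $p"; return 1; }
    if [ $((d & 1)) -eq 0 ]; then echo "no traverse: $p"; return 1; fi
  done
  d=$(perm_for "$target" "$user" "$groups") || { echo "missing: $target"; return 1; }
  if [ $((d & 4)) -eq 0 ]; then echo "no read: $target"; return 1; fi
  echo "ok: $target"
}
```

Usage against the layout described in the post would be `check_path_access /opt/modsecurity/var/audit/<chunk>/<file> splunk "splunk apache"`; a result of `no traverse: /opt/modsecurity/var` is the symptom of the root-group directory lacking the execute bit for others, and the fix is `chmod o+x` on that directory (or adding splunk to the group that owns it), not loosening the audit files themselves.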


You need to update macros.conf so it's consistent with the name of your sourcetype.

modsec_src sourcetype="Linux_Mod_Security"

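Martin's point is also the symptom in the opening post: the input tagged events `Linux_Mod_Security` while the app's `modsec_src` macro searched `sourcetype="modsec_audit"`, so the data was indexed but every dashboard search came back empty. The following script makes that comparison from the shell. It is an added example, not code from this thread or from the Splunk for ModSecurity app; it assumes the app directory has `default/` and `local/` subdirectories (Splunk applies `local/macros.conf` over `default/macros.conf`), that the file input is a `[monitor:///path]` stanza in an `inputs.conf`, and POSIX sh with awk and sed.

```sh
#!/bin/sh
# Added example: verify that the modsec_src search macro names the same
# sourcetype that the monitor input assigns to the ModSecurity audit log.

# Print the value of KEY inside [STANZA] of a Splunk .conf file (empty if absent).
conf_get() {  # file stanza key
  awk -v want="$2" -v key="$3" '
    /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); cur = s; next }
    cur == want && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit
    }
  ' "$1"
}

# Resolve the sourcetype used by the modsec_src macro, honouring Splunk's
# precedence: local/macros.conf overrides default/macros.conf.
macro_sourcetype() {  # appdir
  for f in "$1/local/macros.conf" "$1/default/macros.conf"; do
    [ -f "$f" ] || continue
    v=$(conf_get "$f" modsec_src definition)
    if [ -n "$v" ]; then
      printf '%s\n' "$v" | sed -n 's/.*sourcetype="\([^"]*\)".*/\1/p'
      return 0
    fi
  done
  return 1
}

# Print the sourcetype assigned to the monitor stanza for PATH in an inputs.conf.
input_sourcetype() {  # inputsconf path
  conf_get "$1" "monitor://$2" sourcetype
}

# Compare the two: returns 0 on match, 1 on mismatch, 2 if either side is missing.
check_sourcetype_match() {  # appdir inputsconf path
  m=$(macro_sourcetype "$1") || { echo "modsec_src macro not found under $1"; return 2; }
  i=$(input_sourcetype "$2" "$3")
  [ -n "$i" ] || { echo "no sourcetype set for monitor://$3 in $2"; return 2; }
  if [ "$m" = "$i" ]; then
    echo "match: $m"
    return 0
  fi
  echo "mismatch: modsec_src searches sourcetype=\"$m\" but the input tags events sourcetype=\"$i\""
  return 1
}
```

Run it as `check_sourcetype_match /usr/local/splunk/etc/apps/modsecurity /usr/local/splunk/etc/system/local/inputs.conf /opt/modsecurity/var/log/audit.log` (paths as in the posts above; adjust to where your input stanza actually lives). A mismatch is fixed by adding a `[modsec_src]` stanza to `local/macros.conf` whose definition names the input's sourcetype, which is exactly the change Martin describes.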


I'm also facing the same issue: the "modsec_audit" sourcetype does not appear as a selectable option when setting up a new data input, nor in the "configure receiving" option on the target forward-server; when I set this source type manually it accepts the configuration.
But I keep receiving garbage like: "\x00\x13__s2s_capabilities\x00\x00\x00\x00\x14ack=0;compression=0\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00"
I also changed tcp:12345 to splunktcp:12345 but no success till now.

Any help would be much appreciated.


