All Apps and Add-ons

ModSecurity not reading forwarded events?


My Splunk deployment includes a Linux server where ModSecurity 2.7.2 logs events in /opt/modsecurity/var/log/audit.log. This server sends data to another Splunk server via a syslog and forward. This works for standard Linux events but seems not working for ModSecurity.

The way how I configured the ModSecurity Splunk Server application is:

Data Input: /opt/modsecurity/var/log/audit.log

Set host: constant value

Host field value:

set source type: manual

Source Type: Linux_Mod_Security

Set the destination index: mod_security (this index was created in the modsecurity server)

Search Macros

modsec_index index="mod_security" (please note that a _ is missing from the original text)

modsec_src sourcetype="modsec_audit"

The Main Splunk server, which receives events from the remote forwarding shows the following Deployment Monitor error:

Sourcetype Status MB received MB received today

Linux_Maillog active 1.2 0.72

linux_audit active 2.4 1.7

Linux_Mod_Security missing 0.01

What it's wrong? Is there a mod_security missing source type in the server where logs are forwarded?

I would appreciate any help.




Tags (2)

New Member

Hi Salvo

It´s correct the Splunk for ModSecurity has only been tested with flat files, I uses this on a large enterprise environment and it works great.

I will check if there is possible to index events from ModSec mlogc in a future version of Splunk for ModSecurity.

0 Karma


Thanks Martin. I switched to the ModSecurity flat file and I now see the events collected.


0 Karma


It has apparently no effect.
I have performed a different troubleshooting on Splunk 6 but still doesn't show any modsecurity events.

Details of how it's configured:

1) ModSecurity
It uses the collector "mlogc" configured with the following tokens
LogStorageDir "/var/modsecurity/var/audit"
The collector works and it created events in directory chunks as expected. Each directory has a modsecurity raw file.

2) Access Rights
access rights to /var/modsecurity/var/audit is apache.apache. Apache is the Web server user process owner. The splunk user owns the Splunk daemon and it's part of the apache group. Only the /opt/modsecurity/var/audit is owned by the apache group. The /opt/modsecurity/var access right is owned by the root group. So, if splunk needs access to traverse the entire path, then this might be a problem.

3) Splunk ModSecurity

the /usr/local/splunk/etc/apps/modsecurity/local/macros.conf includes


disabled = 0

definition = sourcetype="Linux_Mod_Security"

the /usr/local/splunk/etc/apps/modsecurity/default/macros.conf includes


definition = index="modsecurity"

iseval = 0


;definition = sourcetype="modsec_audit"

definition = sourcetype="Linux_Mod_Security"

iseval = 0

The Splunk index /usr/local/splunk/var/lib/splunk/modsecurity shows its correct structure but I see no indexes and it's empty.

Splunk ModSecurity was installed via Splunk applications installer, together with "aamap", "MAXMIND", "sideviewutils" , "GoogleMaps".

4) Splunk server

Indexes list confirms "modsecurity" index is empty or events collected "0":

Data Input /var/modsecurity/var/audit shows:

Set Host -----> Constant Value

Host Field Value -------> The Splunk server

Set the source type ----> Manual

Source Type -------> Linux_Mod_Security

index --------> modsecurity

Deployment Monitor

It doesn't show any errors in SourceType warnings.

Am I missing something? Is it possible that either Splunk or Splunk Modsecurity are not able to index events created by the ModSecurity mlogc collector and expect a single flat file instead (not recommended in a production environment)?

Thanks. Any assistance will be appreciated.

0 Karma

New Member


You need to update the macros conf so it´s consistent with the name of your sourcetype.

modsec_src sourcetype="Linux_Mod_Security"

0 Karma


I'm also facing the same issue, the "modsec_audit" sourcetype does not appear to be selected while setting up a "new data input" neither in the "configure receiving" option in the target forward-server, when i set this source type manually it accepts the configuration.
But i keep receiving garbage like: "\x00\x13__s2s_capabilities\x00\x00\x00\x00\x14ack=0;compression=0\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00"
i also changed the tcp:12345 to splunktcp:12345 but no sucess til now.

Any help would be so much apreciated.



0 Karma
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...