All Apps and Add-ons

ModSecurity not reading forwarded events?

ilasa01
Explorer

Hello,
My Splunk deployment includes a Linux server where ModSecurity 2.7.2 logs events in /opt/modsecurity/var/log/audit.log. This server sends data to another Splunk server via a syslog and forward. This works for standard Linux events but seems not working for ModSecurity.

The way how I configured the ModSecurity Splunk Server application is:

Data Input: /opt/modsecurity/var/log/audit.log

Set host: constant value

Host field value: modsecurity_server.domain.com

set source type: manual

Source Type: Linux_Mod_Security

Set the destination index: mod_security (this index was created in the modsecurity server)

Search Macros

modsec_index index="mod_security" (please note that a _ is missing from the original text)

modsec_src sourcetype="modsec_audit"

The Main Splunk server, which receives events from the remote forwarding shows the following Deployment Monitor error:

Sourcetype Status MB received MB received today

Linux_Maillog active 1.2 0.72

linux_audit active 2.4 1.7

Linux_Mod_Security missing 0.01

What it's wrong? Is there a mod_security missing source type in the server where logs are forwarded?

I would appreciate any help.

Thanks.

Regards

Salvo

Tags (2)

martin_splunk
New Member

Hi Salvo

It´s correct the Splunk for ModSecurity has only been tested with flat files, I uses this on a large enterprise environment and it works great.

I will check if there is possible to index events from ModSec mlogc in a future version of Splunk for ModSecurity.

0 Karma

ilasa01
Explorer

Thanks Martin. I switched to the ModSecurity flat file and I now see the events collected.

Salvo

0 Karma

ilasa01
Explorer

It has apparently no effect.
I have performed a different troubleshooting on Splunk 6 but still doesn't show any modsecurity events.

Details of how it's configured:

1) ModSecurity
It uses the collector "mlogc" configured with the following tokens
LogStorageDir "/var/modsecurity/var/audit"
The collector works and it created events in directory chunks as expected. Each directory has a modsecurity raw file.

2) Access Rights
access rights to /var/modsecurity/var/audit is apache.apache. Apache is the Web server user process owner. The splunk user owns the Splunk daemon and it's part of the apache group. Only the /opt/modsecurity/var/audit is owned by the apache group. The /opt/modsecurity/var access right is owned by the root group. So, if splunk needs access to traverse the entire path, then this might be a problem.

3) Splunk ModSecurity

the /usr/local/splunk/etc/apps/modsecurity/local/macros.conf includes

[modsec_src]

disabled = 0

definition = sourcetype="Linux_Mod_Security"

the /usr/local/splunk/etc/apps/modsecurity/default/macros.conf includes

[modsec_index]

definition = index="modsecurity"

iseval = 0

[modsec_src]

;definition = sourcetype="modsec_audit"

definition = sourcetype="Linux_Mod_Security"

iseval = 0

The Splunk index /usr/local/splunk/var/lib/splunk/modsecurity shows its correct structure but I see no indexes and it's empty.

Splunk ModSecurity was installed via Splunk applications installer, together with "aamap", "MAXMIND", "sideviewutils" , "GoogleMaps".

4) Splunk server

Indexes list confirms "modsecurity" index is empty or events collected "0":

Data Input /var/modsecurity/var/audit shows:

Set Host -----> Constant Value

Host Field Value -------> The Splunk server server.domain.com

Set the source type ----> Manual

Source Type -------> Linux_Mod_Security

index --------> modsecurity

Deployment Monitor

It doesn't show any errors in SourceType warnings.

Am I missing something? Is it possible that either Splunk or Splunk Modsecurity are not able to index events created by the ModSecurity mlogc collector and expect a single flat file instead (not recommended in a production environment)?

Thanks. Any assistance will be appreciated.
Salvo

0 Karma

martin_splunk
New Member

Hi

You need to update the macros conf so it´s consistent with the name of your sourcetype.

modsec_src sourcetype="Linux_Mod_Security"

0 Karma

juniorbsd
Engager

Hi,
I'm also facing the same issue, the "modsec_audit" sourcetype does not appear to be selected while setting up a "new data input" neither in the "configure receiving" option in the target forward-server, when i set this source type manually it accepts the configuration.
But i keep receiving garbage like: "\x00\x13__s2s_capabilities\x00\x00\x00\x00\x14ack=0;compression=0\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00"
i also changed the tcp:12345 to splunktcp:12345 but no sucess til now.

Any help would be so much apreciated.

Thanks

J.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...