All Apps and Add-ons

Why is this event splitting into three single events

kochera
Communicator

Hi,

Our raw events from mod_security logfile are split into three different events.
I've tried multiple settings in props.conf without success.
Current config is:

[modsec:audit]
SHOULD_LINEMERGE = false
TRUNCATE = 0
NO_BINARY_CHECK = true
#LINE_BREAKER = (\-{2,3}[a-zA-Z0-9]{8}\-{1,3}Z\-{2}([\r\n]+)\-{2,3}[a-zA-Z0-9]{8}\-{1,3}A\-{2})
LINE_BREAKER = ([\r\n]+)(\-{2,3}[a-zA-Z0-9]{8}\-{1,3}A\-{2})
MAX_TIMESTAMP_LOOKAHEAD = 32
MAX_EVENTS = 1024
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
KV_MODE = none

Cheers,
Andy

0 Karma
1 Solution

kochera
Communicator

problem solved. I put part of the the props.conf

[modsec:audit]
SHOULD_LINEMERGE = false
TRUNCATE = 99999
LINE_BREAKER = -{2,3}[a-zA-Z0-9]{8}-{1,3}Z-{2}([\r\n]+)-{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}
TIME_PREFIX = -{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}\n[
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
KV_MODE = none

directly on the heavyforwarders and keep the other part of the configuration in the TA on the indexers.

View solution in original post

0 Karma

kochera
Communicator

problem solved. I put part of the the props.conf

[modsec:audit]
SHOULD_LINEMERGE = false
TRUNCATE = 99999
LINE_BREAKER = -{2,3}[a-zA-Z0-9]{8}-{1,3}Z-{2}([\r\n]+)-{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}
TIME_PREFIX = -{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}\n[
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
KV_MODE = none

directly on the heavyforwarders and keep the other part of the configuration in the TA on the indexers.

0 Karma

D2SI
Communicator

Alright, great!

0 Karma

kochera
Communicator

Hi,

find below the sample.

cheers,
Andy

---6uIk3EEg---A--
[27/Aug/2019:15:35:57 +0200] 7fc42219c6c4d351842309e9d537dc9c 13.93.46.20 34698 13.93.46.20 443
---6uIk3EEg---B--
POST /services/collector/event HTTP/1.1
Host:
Authorization: Splunk 75B1123F-D42B-47A8-8146-F24704BE9C70
Accept-Encoding: gzip, deflate
Connection: keep-alive
Accept: /
Content-Length: 382
User-Agent: python-requests/2.9.1
---6uIk3EEg---F--
HTTP/1.1 200
Server: nginx
Date: Tue, 27 Aug 2019 13:35:57 GMT
Content-Length: 27
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Connection: keep-alive
Vary: Authorization
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000
---6uIk3EEg---H--
ModSecurity: Warning. Matched "Operator Eq' with parameter0' against variable REQUEST_HEADERS:Content-Type' (Value:0' ) [file "/etc/modsecurity/owasp-modsecurity-crs/v3.1.1/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "732"] [id "920340"] [rev ""] [msg "Request Containing Content, but Missing Content-Type header"] [data ""] [severity "5"] [ver "OWASP_CRS/3.1.1"] [maturity "0"] [accuracy "0"] [hostname "13.93.46.20"] [uri "/services/collector/event"] [unique_id "7fc42219c6c4d351842309e9d537dc9c"] [ref "v217,3"]
ModSecurity: Warning. Matched "Operator Eq' with parameter0' against variable REQUEST_HEADERS:Content-Type' (Value:0' ) [file "/etc/modsecurity/owasp-modsecurity-crs/v3.1.1/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "732"] [id "920340"] [rev ""] [msg "Request Containing Content, but Missing Content-Type header"] [data ""] [severity "5"] [ver "OWASP_CRS/3.1.1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [hostname "13.93.46.20"] [uri "/services/collector/event"] [unique_id "7fc42219c6c4d351842309e9d537dc9c"] [ref "v217,3"]
---6uIk3EEg---J--
---6uIk3EEg---K--
---6uIk3EEg---Z--

0 Karma

D2SI
Communicator

Could you post a sample of your modsec logs?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...