Why is this event splitting into three single events

kochera
Communicator

Hi,

Our raw events from mod_security logfile are split into three different events.
I've tried multiple settings in props.conf without success.
Current config is:

[modsec:audit]
SHOULD_LINEMERGE = false
TRUNCATE = 0
NO_BINARY_CHECK = true
#LINE_BREAKER = (\-{2,3}[a-zA-Z0-9]{8}\-{1,3}Z\-{2}([\r\n]+)\-{2,3}[a-zA-Z0-9]{8}\-{1,3}A\-{2})
LINE_BREAKER = ([\r\n]+)(\-{2,3}[a-zA-Z0-9]{8}\-{1,3}A\-{2})
MAX_TIMESTAMP_LOOKAHEAD = 32
MAX_EVENTS = 1024
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
KV_MODE = none

Cheers,
Andy


kochera
Communicator

Problem solved. I put part of the props.conf

[modsec:audit]
SHOULD_LINEMERGE = false
TRUNCATE = 99999
LINE_BREAKER = -{2,3}[a-zA-Z0-9]{8}-{1,3}Z-{2}([\r\n]+)-{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}
TIME_PREFIX = -{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}\n[
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
KV_MODE = none

directly on the heavy forwarders and keep the other part of the configuration in the TA on the indexers.


D2SI
Communicator

Alright, great!


kochera
Communicator

Hi,

find below the sample.

cheers,
Andy

---6uIk3EEg---A--
[27/Aug/2019:15:35:57 +0200] 7fc42219c6c4d351842309e9d537dc9c 13.93.46.20 34698 13.93.46.20 443
---6uIk3EEg---B--
POST /services/collector/event HTTP/1.1
Host:
Authorization: Splunk 75B1123F-D42B-47A8-8146-F24704BE9C70
Accept-Encoding: gzip, deflate
Connection: keep-alive
Accept: /
Content-Length: 382
User-Agent: python-requests/2.9.1
---6uIk3EEg---F--
HTTP/1.1 200
Server: nginx
Date: Tue, 27 Aug 2019 13:35:57 GMT
Content-Length: 27
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Connection: keep-alive
Vary: Authorization
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000
---6uIk3EEg---H--
ModSecurity: Warning. Matched "Operator Eq' with parameter0' against variable REQUEST_HEADERS:Content-Type' (Value:0' ) [file "/etc/modsecurity/owasp-modsecurity-crs/v3.1.1/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "732"] [id "920340"] [rev ""] [msg "Request Containing Content, but Missing Content-Type header"] [data ""] [severity "5"] [ver "OWASP_CRS/3.1.1"] [maturity "0"] [accuracy "0"] [hostname "13.93.46.20"] [uri "/services/collector/event"] [unique_id "7fc42219c6c4d351842309e9d537dc9c"] [ref "v217,3"]
ModSecurity: Warning. Matched "Operator Eq' with parameter0' against variable REQUEST_HEADERS:Content-Type' (Value:0' ) [file "/etc/modsecurity/owasp-modsecurity-crs/v3.1.1/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "732"] [id "920340"] [rev ""] [msg "Request Containing Content, but Missing Content-Type header"] [data ""] [severity "5"] [ver "OWASP_CRS/3.1.1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [hostname "13.93.46.20"] [uri "/services/collector/event"] [unique_id "7fc42219c6c4d351842309e9d537dc9c"] [ref "v217,3"]
---6uIk3EEg---J--
---6uIk3EEg---K--
---6uIk3EEg---Z--

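To make the accepted answer's settings concrete, here is an added Python example (not code from the thread or from Splunk) that emulates what the indexer does with that props.conf stanza: it splits a serial ModSecurity audit log on the LINE_BREAKER regex from the solution (the first capturing group is discarded and marks the boundary between events), locates the timestamp with the TIME_PREFIX regex, reads exactly MAX_TIMESTAMP_LOOKAHEAD characters after it, and parses them with TIME_FORMAT. The 26-character lookahead is not arbitrary: `27/Aug/2019:15:35:57 +0200` is exactly 26 characters, so a longer value would pull the closing `]` into the timestamp text. The sample log is constructed from the entry posted above with a second, invented entry appended (boundary `Ab12Cd34`, documentation-range IPs, a redacted token), the `[` in TIME_PREFIX is escaped as a regex literal, and the section and rule-id parsers are my own additions, not part of the configuration. Because the B section records request headers verbatim, including `Authorization`, the audit log itself holds credentials and should be stored and forwarded with that in mind.

```python
import re
from datetime import datetime

# props.conf values from the accepted answer, as Python regexes.
# Assumption: the bare "[" at the end of TIME_PREFIX is a regex literal ("\[").
LINE_BREAKER = r"-{2,3}[a-zA-Z0-9]{8}-{1,3}Z-{2}([\r\n]+)-{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}"
TIME_PREFIX = r"-{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}\n\["   # assumes LF line endings, as on the page
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Section marker of the serial audit format: --<boundary>--<letter>--  (my own addition)
SECTION_MARKER = re.compile(r"^-{2,3}([a-zA-Z0-9]{8})-{1,3}([A-Z])-{2}\r?$", re.M)
# Rule id and message inside an H-section "ModSecurity: ..." line (my own addition)
RULE_HIT = re.compile(r'\[id "(\d+)"\].*?\[msg "([^"]*)"\]')

# Constructed sample: the posted entry (token redacted, IPs changed) plus an invented second entry.
SAMPLE = (
    "---6uIk3EEg---A--\n"
    "[27/Aug/2019:15:35:57 +0200] 7fc42219c6c4d351842309e9d537dc9c 192.0.2.10 34698 192.0.2.20 443\n"
    "---6uIk3EEg---B--\n"
    "POST /services/collector/event HTTP/1.1\n"
    "Host:\n"
    "Authorization: Splunk REDACTED-HEC-TOKEN\n"
    "Content-Length: 382\n"
    "---6uIk3EEg---F--\n"
    "HTTP/1.1 200\n"
    "Server: nginx\n"
    "---6uIk3EEg---H--\n"
    'ModSecurity: Warning. Matched rule [id "920340"] [rev ""] '
    '[msg "Request Containing Content, but Missing Content-Type header"] [severity "5"]\n'
    "---6uIk3EEg---Z--\n"
    "---Ab12Cd34---A--\n"
    "[27/Aug/2019:15:36:02 +0200] 0123456789abcdef0123456789abcdef 192.0.2.11 40110 192.0.2.20 443\n"
    "---Ab12Cd34---B--\n"
    "GET /healthz HTTP/1.1\n"
    "Host: example.internal\n"
    "---Ab12Cd34---F--\n"
    "HTTP/1.1 200\n"
    "---Ab12Cd34---H--\n"
    "---Ab12Cd34---Z--\n"
)


def split_events(raw, breaker=LINE_BREAKER):
    """Emulate Splunk LINE_BREAKER: text before capture group 1 ends one event,
    text after it starts the next; the group's own characters are dropped."""
    events, start = [], 0
    for m in re.finditer(breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def extract_timestamp(event):
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT for one event."""
    m = re.search(TIME_PREFIX, event)
    if not m:
        return None
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    return datetime.strptime(window, TIME_FORMAT)


def parse_sections(event):
    """Map each section letter (A, B, F, H, Z, ...) to its body text."""
    markers = list(SECTION_MARKER.finditer(event))
    sections = {}
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(event)
        sections[m.group(2)] = event[m.end():end].strip("\r\n")
    return sections


def summarize(raw):
    """One record per audit entry: unique id, parsed time, and CRS rules that fired."""
    records = []
    for event in split_events(raw):
        sections = parse_sections(event)
        unique_id = sections["A"].split("] ", 1)[1].split()[0]
        records.append({
            "unique_id": unique_id,
            "timestamp": extract_timestamp(event),
            "rules": RULE_HIT.findall(sections.get("H", "")),
        })
    return records


if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec["timestamp"].isoformat(), rec["unique_id"], rec["rules"])
```

Run it as a script to see one summary line per audit entry; the point to verify is that `split_events` yields exactly one event per `A`..`Z` block and that each event's timestamp parses, which is the behaviour the solution's props.conf produces on the heavy forwarder.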

D2SI
Communicator

Could you post a sample of your modsec logs?
