All Apps and Add-ons
Highlighted

Why is this event splitting into three single events

Communicator

Hi,

Our raw events from mod_security logfile are split into three different events.
I've tried multiple settings in props.conf without success.
Current config is:

[modsec:audit]
SHOULD_LINEMERGE = false
TRUNCATE = 0
NO_BINARY_CHECK = true
#LINE_BREAKER = (\-{2,3}[a-zA-Z0-9]{8}\-{1,3}Z\-{2}([\r\n]+)\-{2,3}[a-zA-Z0-9]{8}\-{1,3}A\-{2})
LINE_BREAKER = ([\r\n]+)(\-{2,3}[a-zA-Z0-9]{8}\-{1,3}A\-{2})
MAX_TIMESTAMP_LOOKAHEAD = 32
MAX_EVENTS = 1024
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
KV_MODE = none

Cheers,
Andy

0 Karma
Highlighted

Re: Why is this event splitting into three single events

Communicator

Could you post a sample of your modsec logs?

0 Karma
Highlighted

Re: Why is this event splitting into three single events

Communicator

Hi,

find below the sample.

cheers,
Andy

---6uIk3EEg---A--
[27/Aug/2019:15:35:57 +0200] 7fc42219c6c4d351842309e9d537dc9c 13.93.46.20 34698 13.93.46.20 443
---6uIk3EEg---B--
POST /services/collector/event HTTP/1.1
Host:
Authorization: Splunk 75B1123F-D42B-47A8-8146-F24704BE9C70
Accept-Encoding: gzip, deflate
Connection: keep-alive
Accept: /
Content-Length: 382
User-Agent: python-requests/2.9.1
---6uIk3EEg---F--
HTTP/1.1 200
Server: nginx
Date: Tue, 27 Aug 2019 13:35:57 GMT
Content-Length: 27
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Connection: keep-alive
Vary: Authorization
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000
---6uIk3EEg---H--
ModSecurity: Warning. Matched "Operator Eq' with parameter0' against variable REQUEST_HEADERS:Content-Type' (Value:0' ) [file "/etc/modsecurity/owasp-modsecurity-crs/v3.1.1/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "732"] [id "920340"] [rev ""] [msg "Request Containing Content, but Missing Content-Type header"] [data ""] [severity "5"] [ver "OWASPCRS/3.1.1"] [maturity "0"] [accuracy "0"] [hostname "13.93.46.20"] [uri "/services/collector/event"] [unique_id "7fc42219c6c4d351842309e9d537dc9c"] [ref "v217,3"]
ModSecurity: Warning. Matched "Operator Eq' with parameter0' against variable `REQUEST
HEADERS:Content-Type' (Value: `0' ) [file "/etc/modsecurity/owasp-modsecurity-crs/v3.1.1/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "732"] [id "920340"] [rev ""] [msg "Request Containing Content, but Missing Content-Type header"] [data ""] [severity "5"] [ver "OWASP_CRS/3.1.1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [hostname "13.93.46.20"] [uri "/services/collector/event"] [unique_id "7fc42219c6c4d351842309e9d537dc9c"] [ref "v217,3"]
---6uIk3EEg---J--
---6uIk3EEg---K--
---6uIk3EEg---Z--

0 Karma
Highlighted

Re: Why is this event splitting into three single events

Communicator

problem solved. I put part of the the props.conf

[modsec:audit]
SHOULDLINEMERGE = false
TRUNCATE = 99999
LINE
BREAKER = -{2,3}[a-zA-Z0-9]{8}-{1,3}Z-{2}([\r\n]+)-{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}
TIMEPREFIX = -{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}\n[
MAX
TIMESTAMPLOOKAHEAD = 26
TIME
FORMAT = %d/%b/%Y:%H:%M:%S %z
KV_MODE = none

directly on the heavyforwarders and keep the other part of the configuration in the TA on the indexers.

View solution in original post

0 Karma
Highlighted

Re: Why is this event splitting into three single events

Communicator

Alright, great!

0 Karma