How to integrate ModSecurity events to Splunk Ente...

noybin · ‎04-11-2016

Hi,

I need to make events I am receiving from a Modsecurity available and formatted for Splunk Enterprise Security. I have a distributed environment.

I know that I have to turn them into CIM, add tags, eventtype, extract fields, and create aliases.

Is it mandatory to create a custom add-on for achieving the goal? If not, which files.conf do I have o change (inside which path)?
Is there any tutorial/example on how to integrate a non natively supported device into Enterprise Security?
The changes (tags, eventtype, extract fields and create aliases) have to be done on the Indexer, Search Head, or both?
Am I missing something else?

Thank you very much.
Regrads.

martin_mueller · ‎04-11-2016

It's customary to create a TA for your case. Not technically mandatory, but really - do create a TA. Files to create include props.conf, transforms.conf, eventtypes.conf, tags.conf, possibly lookups, maybe more.
There are some examples in the CIM docs at http://docs.splunk.com/Documentation/CIM/4.4.0/User/UsetheCIMtonormalizeOSSECdata and I believe there have been .conf talks as well, here's one: http://conf.splunk.com/session/2015/recordings/2015-splunk-186.mp4
CIM configurations typically are search-time, those need to be on the search head. Nothing terrible happens if you have them on the indexer as well though.
There is an older app for ModSecurity on splunkbase, but it might not be CIM-compatible: https://splunkbase.splunk.com/app/880/

martin_mueller · ‎04-11-2016

If you follow the naming convention TA-foo, ES will automatically load your TA.

Differently named TAs can be imported too, but there really is no need to deviate from the convention. http://docs.splunk.com/Documentation/ES/4.1.0/Install/InstallTechnologyAdd-ons#The_Update_ES_modular...

noybin · ‎04-12-2016

Thanks Martin,

I've created a new directory in $SPLUNK_HOME/etc/apps/TA-ltmodsec
I've created a directory $SPLUNK_HOME/etc/apps/TA-ltmodsec/default
and I created a trasforms.conf and a props.conf inside the default folder.

props.conf

[source::udp:10514]
TRANSFORMS-001_rewrite_modsecurity_sourcetype = set_sourcetype_modsecurity
[modsecurity]
EXTRACT-modsec-client = \[client\s(?P[^\]]+)\]
EXTRACT-accion = ^(?:[^\.\n]*\.){6}\d+\] ModSecurity:\s+(?P[^\[]+)\s+\[
EXTRACT-modsec_id = \[id \"(?P[^\"]+)"\]

transforms.conf

[set_sourcetype_modsecurity]
SOURCE_KEY = MetaData:Host
REGEX = (52\.86\.132\.70)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::modsecurity

That didn't work.
When I move those files to $SPLUNK_HOME/etc/apps/search/local/ it works correctly.
Am I missing something in the addon I've created.

Thank you very much.
Regards.

martin_mueller · ‎04-12-2016

There isn't much to miss. Create directory, create .conf file, restart Splunk, done.

noybin · ‎04-11-2016

Hi, Thanks for your reply.

So, after creating a custom TA, does Enterprise Security load it automatically, or I should do something for ES to load the TA?

Are there specifiations when creating the TA such as TA's name and configuration?

Thanks again.

niemesrw · ‎04-11-2016

Hi noybin - this might help:

http://docs.splunk.com/Documentation/ES/3.3.3/CreateTA/GenericExample

You don't need to create a TA specifically, you can modify the local props & transforms if you want. And you only need to make changes on the search head.

I usually just put any modifications into the local search app or local ES app. The full path would be something like:

/opt/splunk/etc/apps/search/local
props.conf/tags.conf/transforms.conf /etc.

How to integrate ModSecurity events to Splunk Enterprise Security?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases