Re: Modsecurity charts not working?

macdock · ‎05-15-2013

I have splunk using the local mod sec audit folder ( containing concurrent logs ) and I am able to search through the entries alright, but I am not seeing results or charts for any of the predefined stuff. I am using ModSec 2.7

Also there are literally thousands of sources ( and growing ) is this a bad thing?

macdock · ‎05-22-2013

Did you look to see what that 500 internal server was in your httpd error_log ?

avigs · ‎05-22-2013

splunk will only let me choose a file, not a directory for the data source.
I've tried waf-fle but I get a 500 error when trying to send the log messages with mlogc

avigs · ‎05-23-2013

i figured out the issue and was able to use waf-fle. Why do you think it's better? I can't drill down the reports to find all the paths requested. It would seem splunk has more sophisticated filters

avigs · ‎05-22-2013

there's no error being logged.

macdock · ‎05-22-2013

Did you look to see what that 500 internal server was in your httpd error_log ?

macdock · ‎05-21-2013

I just specified the data folder as the data source, the ms app did the rest. I am using waf-fle now though, works much better. http://www.waf-fle.org

avigs · ‎05-21-2013

how were you able to get splunk to use the concurrent logs?

Modsecurity charts not working?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation