Modsecurity charts not working?

macdock · ‎05-15-2013

I have splunk using the local mod sec audit folder ( containing concurrent logs ) and I am able to search through the entries alright, but I am not seeing results or charts for any of the predefined stuff. I am using ModSec 2.7

Also there are literally thousands of sources ( and growing ) is this a bad thing?

macdock · ‎05-22-2013

Did you look to see what that 500 internal server was in your httpd error_log ?

avigs · ‎05-22-2013

splunk will only let me choose a file, not a directory for the data source.
I've tried waf-fle but I get a 500 error when trying to send the log messages with mlogc

avigs · ‎05-23-2013

i figured out the issue and was able to use waf-fle. Why do you think it's better? I can't drill down the reports to find all the paths requested. It would seem splunk has more sophisticated filters

avigs · ‎05-22-2013

there's no error being logged.

macdock · ‎05-22-2013

Did you look to see what that 500 internal server was in your httpd error_log ?

macdock · ‎05-21-2013

I just specified the data folder as the data source, the ms app did the rest. I am using waf-fle now though, works much better. http://www.waf-fle.org

avigs · ‎05-21-2013

how were you able to get splunk to use the concurrent logs?

Modsecurity charts not working?

Introduction to Splunk AI

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Maximizing the Value of Splunk ES 8.x

Are you a member of the Splunk Community?

Modsecurity charts not working?

Introduction to Splunk AI

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Maximizing the Value of Splunk ES 8.x