Splunk Search

Modsecurity charts not working?

New Member

I have splunk using the local mod sec audit folder ( containing concurrent logs ) and I am able to search through the entries alright, but I am not seeing results or charts for any of the predefined stuff. I am using ModSec 2.7

Also there are literally thousands of sources ( and growing ) is this a bad thing?

Tags (2)
0 Karma

New Member

Did you look to see what that 500 internal server was in your httpd error_log ?

0 Karma

New Member

splunk will only let me choose a file, not a directory for the data source.
I've tried waf-fle but I get a 500 error when trying to send the log messages with mlogc

0 Karma

New Member

i figured out the issue and was able to use waf-fle. Why do you think it's better? I can't drill down the reports to find all the paths requested. It would seem splunk has more sophisticated filters

0 Karma

New Member

there's no error being logged.

0 Karma

New Member

Did you look to see what that 500 internal server was in your httpd error_log ?

0 Karma

New Member

I just specified the data folder as the data source, the ms app did the rest. I am using waf-fle now though, works much better. http://www.waf-fle.org

0 Karma

New Member

how were you able to get splunk to use the concurrent logs?

0 Karma