It apparently has no effect.
I have performed different troubleshooting on Splunk 6, but it still doesn't show any ModSecurity events.
Details of how it's configured:
1) ModSecurity
It uses the collector "mlogc" configured with the following tokens
LogStorageDir "/var/modsecurity/var/audit"
The collector works and it created events in directory chunks as expected. Each directory has a modsecurity raw file.
2) Access Rights
The access rights to /var/modsecurity/var/audit are apache.apache. Apache is the Web server user process owner. The splunk user owns the Splunk daemon and is part of the apache group. Only /opt/modsecurity/var/audit is owned by the apache group; /opt/modsecurity/var is owned by the root group. So, if splunk needs access to traverse the entire path, then this might be a problem.
3) Splunk ModSecurity
The /usr/local/splunk/etc/apps/modsecurity/local/macros.conf includes:
[modsec_src]
disabled = 0
definition = sourcetype="Linux_Mod_Security"
The /usr/local/splunk/etc/apps/modsecurity/default/macros.conf includes:
[modsec_index]
definition = index="modsecurity"
iseval = 0
[modsec_src]
;definition = sourcetype="modsec_audit"
definition = sourcetype="Linux_Mod_Security"
iseval = 0
The Splunk index /usr/local/splunk/var/lib/splunk/modsecurity shows its correct structure, but I see no indexes and it's empty.
Splunk ModSecurity was installed via the Splunk applications installer, together with "aamap", "MAXMIND", "sideviewutils", "GoogleMaps".
4) Splunk server
The Indexes list confirms the "modsecurity" index is empty (events collected: "0").
The Data Input for /var/modsecurity/var/audit shows:
Set Host --> Constant Value
Host Field Value --> The Splunk server server.domain.com
Set the source type --> Manual
Source Type --> Linux_Mod_Security
Index --> modsecurity
Deployment Monitor
It doesn't show any errors in SourceType warnings.
Am I missing something? Is it possible that either Splunk or Splunk ModSecurity is not able to index events created by the ModSecurity mlogc collector and expects a single flat file instead (not recommended in a production environment)?
Thanks. Any assistance will be appreciated.
Salvo
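Added example (not from the post or from the Splunk ModSecurity app) to check the point raised under item 2: whether the splunk user can traverse every directory on the way to the audit directory and read the final entry, using only the mode bits, owner and group memberships. The uids, gids and the 0750 mode on /opt/modsecurity/var are assumed values constructed to match the ownership described in the post.

```python
import os
import pwd
import grp
import stat
from typing import Iterable, List, Tuple

def _allowed(mode, o_uid, o_gid, uid, groups, usr, grp_, oth) -> bool:
    """Classic Unix check: root passes; otherwise owner, else group, else other."""
    if uid == 0:
        return True
    if uid == o_uid:
        return bool(mode & usr)
    if o_gid in groups:
        return bool(mode & grp_)
    return bool(mode & oth)

def blocked_components(components: List[Tuple[str, int, int, int]],
                       uid: int, groups: Iterable[int]) -> List[str]:
    """Prefixes that stop `uid`: each directory needs execute (traverse), the last entry read."""
    groups, blocked = set(groups), []
    for i, (path, mode, o_uid, o_gid) in enumerate(components):
        ok = True
        if stat.S_ISDIR(mode):
            ok &= _allowed(mode, o_uid, o_gid, uid, groups, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
        if i == len(components) - 1:
            ok &= _allowed(mode, o_uid, o_gid, uid, groups, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
        if not ok:
            blocked.append(path)
    return blocked

def audit_real_path(path: str, username: str) -> List[str]:
    """Stat each prefix of a real path on this host and report what blocks `username`."""
    pw = pwd.getpwnam(username)
    groups = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    components, prefix = [], ""
    for part in path.strip("/").split("/"):
        prefix += "/" + part
        st = os.stat(prefix)
        components.append((prefix, st.st_mode, st.st_uid, st.st_gid))
    return blocked_components(components, pw.pw_uid, groups)

# Constructed sample mirroring the ownership described in the post; uids/gids are assumed.
ROOT, APACHE, SPLUNK = 0, 48, 1001   # uid == gid for each account in this sample
SPLUNK_GROUPS = {SPLUNK, APACHE}     # splunk is a member of the apache group
D = stat.S_IFDIR

def sample_components(var_mode: int = 0o750) -> List[Tuple[str, int, int, int]]:
    return [("/opt", D | 0o755, ROOT, ROOT),
            ("/opt/modsecurity", D | 0o755, ROOT, ROOT),
            ("/opt/modsecurity/var", D | var_mode, ROOT, ROOT),        # root-group owned
            ("/opt/modsecurity/var/audit", D | 0o750, APACHE, APACHE)]
```

`audit_real_path("/opt/modsecurity/var/audit", "splunk")` runs the same check against the live filesystem of the Splunk host.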