Hello!
We have been using Mod_Sec for awhile in a large Apache reverse proxy
environment with:
SecAuditLogType Concurrent
We have now deployed the ModSecurity Add-on for Splunk in our test
environment to ingest these logs (https://splunkbase.splunk.com/app/3391/).
However it is unclear if we are expected to convert to:
SecAuditLogType Serial
The docs for the TA seem to only imply Serial mode, but neither mode is
ever referenced specifically. Only a link to:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secauditengine
is provided as a Mod_Sec config reference. As this reference states, and as
we have experienced:
Concurrent : One file per transaction is used for audit logging.
This approach is more scalable when heavy logging is required
(multiple transactions can be recorded in parallel). It is also
the only choice if you need to use remote logging.
We currently have our monitor stanza configured to just ingest the per
transation audit files in the audit_log directory. This seems to be working,
but we are not clear if this is a supported or recommended approach. Are we
required to convert to Serial mode, or perhaps use ModSecurity Log Collector
(mlogc) or similar to send audit logs to a central repository? What is the
recommended approach to work with this TA in a large Mod_Sec deployment?
Btw, we also have the ModSecurity App for Splunk deployed on our search heads
to visualize the data.
Thanks for your time!
-pat.
... View more