Fluentd output (filter) plugin for parsing events from ModSecurity audit logs
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
lib/fluent/plugin
Gemfile
Gemfile.lock
LICENSE
README.md
fluent-plugin-modsecurity.gemspec

README.md

fluentd-modsecurity

Fluentd output (filter) plugin for parsing a ModSecurity audit log

This is intended to serve as an example starting point for how to ingest parse entries from a ModSecurity audit log file using fluentd into a more first-class structured object that can then be forwarded on to another output.

Getting Started

More info and example output:

ModSecurity Audit Log format:

Prerequisites

Build the gem

gem build fluent-plugin-modsecurity.gemspec

Install the gem to fluentd

fluent-gem install ./fluent-plugin-modsecurity-0.2.gem

Deployment

Example fluent.conf setup.

# (1) Consume the input
<source>
  @type tail
  tag raw-modsec
  path /path/to/modsec_audit.log
  <parse>
    @type multiline
    format_firstline /^-{2,3}][a-zA-Z0-9]{8}-{2,3}A--$/
    format1 /(?<message>.*)/
  </parse>
</source>

# (2) Massage it via this plugin to a more structured object
<match raw-modsec>
  @type modsecurity-audit-format
  tag modsec-formatted
</match>

# (3) Output to stdout
<match modsec-formatted>
  @type stdout
</match>

License

This project is licensed under the Apache 2.0 License - see the LICENSE file for details