When matching against Audit Log Header (Part A), as it is implemented at the moment, the last audit log entry will not be processed until the next log entry is written to the log file, because logstash is still waiting for the next Audit Log Header (Part A) to match. If using SecAuditLogType Concurrent no modsecurity log entry will ever by processed, as every file does include only one modsecurity log entry and therefore never a second Audit Log Header (Part A) will show up.
When matching against Audit Log Header (Part A), as it is implemented at the moment, the last audit log entry will not be processed until the next log entry is written to the log file, because logstash is still waiting for the next Audit Log Header (Part A) to match. If using
SecAuditLogType Concurrentno modsecurity log entry will ever by processed, as every file does include only one modsecurity log entry and therefore never a second Audit Log Header (Part A) will show up.