Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
82 lines (73 sloc) 2.7 KB
# -------------------------------------------------------------------------------
# Name: ModSecurity audit log extractor
# Purpose: This conf file is based on accepting logs for modsec_audit.log from ModSecruity +2.9.1 in JSON format
#
# Author: mleos
# Email: spartantri@gmail.com
# Last Update: 28/10/2017
#
# Copyright: (c) spartantri cybersecurity
# Licence: Apache2
# -----------------------------------------------------------------------------
filter {
if [type] == "auditjson" {
json { "source" => "message" }
grok {
match => {"path" => "%{GREEDYDATA:directory}/%{DATA:vhost}/(?<apache2_logtype>modsec_audit\.log)$"}
add_tag => ["modsec","%{host}","%{vhost}","%{apache2_logtype}","grokked"]
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
if "grokked" not in [tags] {
mutate {
add_field => {"[@metadata][dstindex]" => "logstash-jsonerror-%{+YYYY.MM.dd}"}
}
}
if "grokked" in [tags] {
mutate {
add_field => {"[@metadata][dstindex]" => "logstash-json-%{+YYYY.MM.dd}"}
add_field => {"client" => "%{[transaction][remote_address]}"}
add_field => {"uniqueId" => "%{[transaction][transaction_id]}"}
add_field => {"response_status" => "%{[response][status]}"}
remove_field => "message"
}
mutate {
convert => {"response_status" => "integer"}
}
split {
field => "[audit_data][error_messages]"
target => "error_message"
add_field => {"[@metadata][dstindex]" => "logstash-json-%{+YYYY.MM.dd}"}
remove_field => "[audit_data]"
remove_field => "[request][body]"
remove_field => "[response][body]"
add_tag => ["splitted"]
}
}
if "splitted" in [tags] {
kv {
allow_duplicate_values => false
field_split => "\[\]"
value_split => " "
source => "[error_message]"
target => "messagelist"
include_keys => ["id","mesage","severity","data","tag","client","uri"]
}
}
translate {
dictionary => ["123456","ignore"]
field => "[messagelist][id]"
destination => "[messagelist][id]"
override => "true"
}
if [messagelist][id] in "ignore" {
drop { }
}
if [error_message] =~ /ModSecurity: Access denied/ {
mutate {
add_tag => ["block"]
}
}
}
}