https://github.com/bitsofinfo/fluentd-modsecurity

Fluentd output (filter) plugin for parsing events from ModSecurity audit logs

# fluentd-modsecurity

[Fluentd](http://fluentd.org/) output (filter) plugin for parsing a [ModSecurity](https://www.modsecurity.org/) audit log

This is intended to serve as an example starting point for how to ingest and
parse entries from a ModSecurity audit log file with fluentd into a more first-class
structured object that can then be forwarded on to another output.

## Getting Started

More info and example output:
* http://bitsofinfo.wordpress.com/2013/11/11/modsecurity-audit-logs-fluentd/

ModSecurity Audit Log format:
* https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
* https://www.nginx.com/blog/modsecurity-logging-and-debugging/

### Prerequisites

Build the gem
```
gem build fluent-plugin-modsecurity.gemspec
```

Install the gem to fluentd
```
fluent-gem install ./fluent-plugin-modsecurity-0.2.gem
```

## Deployment

Example fluent.conf setup.

```
# (1) Consume the input
<source>
  @type tail
  tag raw-modsec
  path /path/to/modsec_audit.log
  <parse>
    @type multiline
    # A new event starts at the part-A boundary line of an audit entry:
    # "--<8-char id>-A--" (ModSecurity v2) or "---<8-char id>---A--" (v3)
    format_firstline /^-{2,3}[a-zA-Z0-9]{8}-{1,3}A--$/
    # Every line of the entry is collected into the "message" field
    format1 /(?<message>.*)/
  </parse>
</source>

# (2) Massage it via this plugin to a more structured object
<match raw-modsec>
  @type modsecurity-audit-format
  tag modsec-formatted
</match>

# (3) Output to stdout
<match modsec-formatted>
  @type stdout
</match>
```
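What step (2) turns one tailed event into, as an added example that is not the plugin's own code: a small Ruby parser that splits a constructed audit-log entry on its section boundaries and builds the structured record (the entry, the unique id and the addresses below are all constructed).

```ruby
# Parse one ModSecurity audit-log entry (the multiline record the tail source
# above emits as one event) into a structured hash of the kind the plugin forwards.
# Added example with a constructed entry; not the plugin's own code.
SAMPLE_ENTRY = <<~'LOG'
  --a1b2c3d4-A--
  [11/Nov/2013:12:00:00 --0500] Uoz5EX8AAQEAAFmhEcUAAAAA 198.51.100.7 51234 192.0.2.10 80
  --a1b2c3d4-B--
  GET /index.php?id=1 HTTP/1.1
  Host: www.example.com
  User-Agent: curl/7.30.0
  --a1b2c3d4-F--
  HTTP/1.1 403 Forbidden
  Content-Length: 0
  --a1b2c3d4-H--
  Message: Access denied with code 403 (phase 2). [id "981242"] [msg "Example rule"]
  Action: Intercepted (phase 2)
  --a1b2c3d4-Z--
LOG

# Section boundary: dashes + 8-char id + dashes + part letter + "--"; Z closes the entry.
BOUNDARY_RE = /^-{2,3}(?<id>[a-zA-Z0-9]{8})-{1,3}(?<part>[A-Z])--$/
# Part A: [timestamp] unique_id source_ip source_port dest_ip dest_port
PART_A_RE = /^\[(?<ts>[^\]]+)\] (?<uid>\S+) (?<sip>\S+) (?<sport>\d+) (?<dip>\S+) (?<dport>\d+)$/

# Split a header block (part B or F) into its first line plus a name/value hash.
def parse_headers(lines)
  first, *rest = lines
  headers = rest.map { |l| l.split(": ", 2) }.select { |kv| kv.size == 2 }.to_h
  { "line" => first, "headers" => headers }
end

def parse_audit_entry(raw)
  parts = Hash.new { |h, k| h[k] = [] }
  current = nil
  raw.each_line(chomp: true) do |line|
    if (m = BOUNDARY_RE.match(line))
      current = m[:part]
    elsif current
      parts[current] << line
    end
  end
  a = PART_A_RE.match(parts["A"].first.to_s) or raise "malformed part A"
  messages = parts["H"].grep(/^Message: /).map { |l| l.sub(/^Message: /, "") }
  { "timestamp" => a[:ts], "unique_id" => a[:uid],
    "source_ip" => a[:sip], "source_port" => a[:sport].to_i,
    "dest_ip" => a[:dip], "dest_port" => a[:dport].to_i,
    "request" => parse_headers(parts["B"]), "response" => parse_headers(parts["F"]),
    "messages" => messages,
    "rule_ids" => messages.flat_map { |m| m.scan(/\[id "(\d+)"\]/).flatten } }
end
```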

## License

This project is licensed under the Apache 2.0 License - see the [LICENSE](LICENSE) file for details