logstash modsecurity - limithit/ModSecurity GitHub Wiki

edit /etc/nginx/modsecurity/modsecurity.conf
# Write audit entries as JSON; the jq check, the Logstash json codec and the
# Filebeat json.* settings further down all depend on this format.
SecAuditLogFormat JSON
# Parts recorded per entry. C (request body) and E (response body) can capture
# credentials, tokens or personal data, so read access to the audit log and to
# the index it is shipped into should be restricted accordingly.
SecAuditLogParts ABCIJDEFHZ

logstash

# Pretty-print the live audit stream to confirm entries are valid JSON before
# pointing a shipper at the file (needs read access to the log).
tail -f /var/log/modsec_audit.log | jq

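# Start Logstash now and on every boot.
systemctl enable logstash --now
# Review the pipeline that reads the audit log (the packaged default pipeline
# reads /etc/logstash/conf.d/*.conf).
less /etc/logstash/conf.d/modsecurity.conf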

input {
  # Tail the ModSecurity audit log and decode each line as one JSON document
  # (relies on SecAuditLogFormat JSON being set in modsecurity.conf).
  # NOTE(review): the Logstash service user needs read permission on this
  # file — confirm the audit log's ownership and mode.
  file {
    path => ["/var/log/modsec_audit.log"]
    codec =>   json
  }

}

output {
    # Ship into a daily index. NOTE(review): hosts is a bare host:port with no
    # scheme, credentials or TLS settings — confirm whether this Elasticsearch
    # endpoint is meant to be reached unauthenticated over plain HTTP; the
    # audit entries can contain request and response bodies.
    elasticsearch {
      hosts => "192.168.1.2:9200"
      index => "modsecurity-%{+YYYY.MM.dd}"
    }
}

filebeat

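# Start Filebeat now and on every boot.
systemctl enable filebeat --now
# Review the shipping config. NOTE(review): the packaged service reads
# /etc/filebeat/filebeat.yml by default, so confirm how modsecurity.yml is
# loaded (e.g. passed with -c) — the input and output below only take effect
# from a file Filebeat actually reads.
cat /etc/filebeat/modsecurity.yml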

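# Tail the ModSecurity audit log (needs SecAuditLogFormat JSON) and lift each
# entry's JSON fields to the top level of the event, letting them overwrite
# Filebeat's own fields on conflict. The Filebeat user needs read permission
# on the log file.
filebeat.inputs:
- type: log
  enabled: true
  encoding: UTF-8
  # paths is documented as a list; written as one rather than relying on the
  # config loader coercing a scalar, and so further audit logs can be added.
  paths:
  - /var/log/modsec_audit.log
  json.keys_under_root: true
  json.overwrite_keys: true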

# NOTE(review): no protocol, username/password or ssl.* settings are given,
# so confirm whether 192.168.1.2:9200 is meant to be reached unauthenticated
# over plain HTTP — the audit entries can include request and response bodies.
output.elasticsearch:
  hosts: ["192.168.1.2:9200"]
  # Daily index; Filebeat requires setup.template.name/pattern below whenever
  # index is customised.
  index: "modsecurity-%{+yyyy.MM.dd}"
setup.template.name: "modsecurity"
setup.template.pattern: "modsecurity-*"
# Filebeat installs neither an ILM policy nor an index template for these
# indices, so field mappings for modsecurity-* have to be managed elsewhere
# if dynamic mapping is not wanted. overwrite appears to have no effect while
# template loading is disabled.
setup.ilm.enabled: false
setup.template.enabled: false
setup.template.overwrite: true