logstash modsecurity - limithit/ModSecurity GitHub Wiki
Edit /etc/nginx/modsecurity/modsecurity.conf and switch the audit log to JSON:
# Write each audit-log entry as JSON so Logstash/Filebeat can decode it directly
# instead of parsing the native multi-part text format.
SecAuditLogFormat JSON
# Parts C (request body), E (response body) and I (reduced multipart body) capture
# payloads that can contain credentials, session tokens or PII: the audit log and any
# index built from it must be treated as sensitive and access-restricted.
# NOTE(review): I is documented as a replacement for C; confirm which one the installed
# ModSecurity build actually logs when both are listed. K (matched rules) is not
# requested here, so rule matches are only available via part H — confirm that is enough
# for the detections you plan to build.
SecAuditLogParts ABCIJDEFHZ
logstash
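# Sanity-check the audit log before wiring it into the pipeline: every entry should
# render as a JSON document. `jq .` is the explicit identity filter, which also works
# on older jq releases that do not default the filter when none is given.
tail -f /var/log/modsec_audit.log | jq .

# Enable and start Logstash, then review the pipeline it will load from conf.d.
# (The original listing had both commands fused on one line, which would have passed
# `less` and the path as extra arguments to systemctl.)
systemctl enable logstash --now
less /etc/logstash/conf.d/modsecurity.conf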
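input {
  # Tail the ModSecurity audit log and decode each line as one JSON event.
  # This relies on every audit entry being written on a single line
  # (SecAuditLogFormat JSON); a pretty-printed or multi-line entry would not parse.
  # NOTE(review): the logstash service user needs read access to this file — confirm.
  file {
    path => ["/var/log/modsec_audit.log"]
    codec => json
  }
}

output {
  # Plain HTTP with no credentials and no TLS: the audit events, which carry request
  # and response bodies per SecAuditLogParts, cross the network in clear, and any host
  # that can reach 9200 can read or delete the index. Add ssl/cacert and user/password
  # (or api_key) when the cluster has security enabled; otherwise keep this output on a
  # trusted network only.
  elasticsearch {
    hosts => ["192.168.1.2:9200"]
    # Daily index. Lower-case yyyy is the calendar year; the original upper-case YYYY is
    # Joda's week-based year, which files the last/first days of a year under the
    # neighbouring year's index. This also matches the Filebeat index pattern on this page.
    index => "modsecurity-%{+yyyy.MM.dd}"
  }
}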
filebeat
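# Enable and start Filebeat, then review its configuration.
# (The original listing had both commands fused on one line.)
# NOTE(review): the packaged filebeat service reads /etc/filebeat/filebeat.yml; a
# separate modsecurity.yml is only used if the unit is started with
# `-c /etc/filebeat/modsecurity.yml` or its content is merged into filebeat.yml — confirm.
systemctl enable filebeat --now
cat /etc/filebeat/modsecurity.yml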
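---
filebeat.inputs:
  # NOTE(review): on Filebeat >= 7.16 the `log` input is deprecated in favour of
  # `filestream`; it still works, but confirm the installed version before relying on it.
  - type: log
    enabled: true
    encoding: UTF-8
    # `paths` is a list in the Filebeat reference; the original gave a bare string.
    paths:
      - /var/log/modsec_audit.log
    # Each audit entry is expected to be one JSON object per line
    # (SecAuditLogFormat JSON). Promote its keys to the top level and let them win
    # over the fields Filebeat adds itself when names collide.
    json.keys_under_root: true
    json.overwrite_keys: true
    # Surface decode failures as error.message/error.type instead of silently
    # shipping the raw line — a multi-line or truncated entry is then visible.
    json.add_error_key: true

output.elasticsearch:
  # Plain HTTP with no credentials or TLS: audit events, which carry request and
  # response bodies per SecAuditLogParts, cross the network in clear, and any host
  # that can reach 9200 can read or delete the index. Add `protocol: "https"` plus
  # `username`/`password` or `api_key` when the cluster has security enabled.
  hosts: ["192.168.1.2:9200"]
  # Daily index; a custom name requires the setup.template.* and setup.ilm
  # settings below.
  index: "modsecurity-%{+yyyy.MM.dd}"

# A custom index name needs a matching template name/pattern and ILM disabled.
setup.template.name: "modsecurity"
setup.template.pattern: "modsecurity-*"
setup.ilm.enabled: false
# Template loading is turned off, so the index is created with dynamic mappings
# (body/header fields are not typed); `overwrite` has no effect while `enabled`
# is false.
setup.template.enabled: false
setup.template.overwrite: true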