[mod-security-users] Send Mod_Security Log / Alert to Remote Syslog Server or SIEM
Brought to you by:
victorhora,
zimmerletw
From: termvrl t. <te...@gm...> - 2013-11-08 15:46:06
|
Mod_security configuration Dear All, i'm new to web server security. i have a few question on modsecurity and web server. first, let me brief what i try to do. I have apache server running a DVWA web application on ubuntu 12.04 64bit. I installed modsecurity on that server to detect and generated alert on attacks. Alert that generated from modsecurity than pass to a remote syslog server using rsyslog. And i also want to monitor the web server nic and cpu usage, so that i can create a benchmark before and after implement modsecurity to web server. My questions: 1) i want to monitor the nic and cpu usage for a period of time. Appreciate if you suggest scripts/tools for that. 2) i noticed that logging for modsecurity quiet challenging. Anyone can share with me how to send modsecurity log/alert to remote server. What i have doned, using local rsyslog in web server, i take the modsecurlty_audit.log as input for rsyslog, and then send it to remote syslog server. My problem is, the log send line by line. 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: --e7b0fc0d-F-- 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: HTTP/1.1 304 Not Modified 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: Last-Modified: Tue, 30 Apr 2013 22:46:46 GMT 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: ETag: "1a06ac-2e4-4db9bc6a5a180" 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: Accept-Ranges: bytes 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: Content-Length: 0 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: Vary: Accept-Encoding 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: Keep-Alive: timeout=5, max=100 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: Connection: Keep-Alive 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: Content-Type: application/javascript 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: --e7b0fc0d-E-- 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: --e7b0fc0d-H-- 11/7/2013 10:54:28 PM UDP Traffic Received from 192.168.0.13: 192.168.0.13|<187>Nov 7 06:54:26 ubuntu tag1: Message: Rule 7fb26ee5aa30 [id "950901"][file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). Appreciate your helps. Thanks Term |