Hi, thanks for your reply,

I'm not clear on the part about how you deploy WAF-FLE.
Did you duplicate the audit log from modsec, and send one to the central syslog server and another to WAF-FLE?
Or is the flow like this: modsec (audit log) --> waf-fle (with script to extract and create a new log) --> send to central syslog server?

Thanks

On Mon, Nov 11, 2013 at 7:10 PM, Winfried Neessen <neessen@cleverbridge.com> wrote:

Hi,

> From these two types of log from modsec, usually which one is more useful?
>
In general the Audit log is more useful, as you can configure it to log all
the information that mod_sec sees and processes. For an in-depth analysis of
the traffic you wanna go for the audit log.

The error log basically holds some consolidated information. From the
example you provided, that apache error log should be sufficient to get the
information you need for your SIEM and probably easier to parse as well.

The way we are doing it is to configure mlogc to let the auditlog log to a
central logging server running WAF-FLE[1] and to let the secondary auditlog
parameter run a custom Perl script that parses the audit log file, extracts
the needed information and sends it to a central remote syslog server.

That way, we can run quick analysis on the syslog entries and if we need
something in-depth we can extract that information from WAF-FLE.


BR,
Winni

[1] = http://www.waf-fle.org/
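
The parsing step of the secondary audit log path described in the reply above, as an added example that is not part of the original thread and is not Winni's script. It assumes ModSecurity 2.x native audit log entries with sections A, B, F and H; the function names, the summary field layout and the sample entry are constructed for illustration.

```python
import re

# Constructed sample entry in ModSecurity 2.x native audit log format.
SAMPLE = """--a1b2c3d4-A--
[11/Nov/2013:19:10:02 +0100] AbCdEfGhIjKlMnOpQrStUvWx 203.0.113.7 51234 192.0.2.10 80
--a1b2c3d4-B--
GET /admin/login.php HTTP/1.1
Host: www.example.com

--a1b2c3d4-F--
HTTP/1.1 403 Forbidden

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [file "/etc/modsec/local.conf"] [line "12"] [id "1000001"] [msg "Constructed test rule"] [severity "CRITICAL"]

--a1b2c3d4-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')

def clean(value):
    # Request data is attacker-controlled: neutralise control characters and quotes
    # so one audit entry can never become several syslog lines or break key="value".
    return re.sub(r'[\x00-\x1f\x7f"]', "?", value)

def split_sections(entry):
    """Return {section letter: [lines]} for one audit log entry."""
    sections, current = {}, None
    for line in entry.split("\n"):
        m = BOUNDARY.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return sections

def summarize(entry):
    """Build the one-line summary a forwarder would hand to syslog."""
    s = split_sections(entry)
    first = lambda key: (s.get(key) or ["-"])[0]
    uid, src, _sport, dst, dport = s["A"][0].split("] ", 1)[1].split()
    status = (first("F").split() + ["-", "-"])[1]
    rules = [dict(TAG.findall(l)) for l in s.get("H", []) if l.startswith("Message: ")]
    hits = ";".join("{}:{}:{}".format(t.get("id", "-"), t.get("severity", "-"),
                                      clean(t.get("msg", "-"))) for t in rules)
    return 'modsec uid={} src={} dst={}:{} status={} req="{}" rules="{}"'.format(
        uid, src, dst, dport, status, clean(first("B")), hits)
```

The unique ID from section A is kept in the summary so a syslog hit can be matched to the full entry stored in the audit console.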


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users