Hi,
> From these two types of log from modsec, usually which one is more useful?
>
In general the audit log is more useful, as you can configure it to log all
the information that mod_sec sees and processes. For an in-depth analysis of
the traffic you want to go for the audit log.
The error log basically holds some consolidated information. From the example
you provided, that Apache error log should be sufficient to get the information
you need for your SIEM, and it is probably easier to parse as well.
The way we are doing it is to configure mlogc to let the audit log go to a
central logging server running WAF-FLE[1], and to let the secondary audit log
parameter run a custom Perl script that parses the audit log file, extracts
the needed information and sends it to a central remote syslog server.
That way we can run quick analysis on the syslog entries, and if we need
something in-depth we can extract that information from WAF-FLE.
BR,
Winni
[1] = http://www.waf-fle.org/
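The "parse the audit log, extract what the SIEM needs, ship it as syslog" step that Winni describes, written as an added example in Python rather than his Perl script (this is not code from the thread or from the ModSecurity/WAF-FLE projects). It splits a ModSecurity 2.x native (serial) audit log into entries by the `--<id>-<letter>--` section boundaries, takes the client/server addresses from section A, the request line and Host header from section B, the response status from section F, and one record per `Message:` line (rule id, msg, severity) plus the `Action:` line from section H, and flattens each record into a key=value line. Entries without any `Message:` still yield a record so the request is not silently dropped, and a truncated trailing entry (no Z section) is still flushed. The two sample entries, the boundary ids, unique ids and addresses in them are constructed for the example; function names are the example's own.

```python
"""Flatten ModSecurity 2.x native (serial) audit-log entries into syslog-style
key=value lines.  Added example for this thread, not Winni's Perl script; the
sample entries at the bottom are constructed, with made-up ids and addresses."""
import re
from typing import Dict, List

# Section boundary: --<boundary id>-<letter>--   (A opens an entry, Z closes it)
BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
# Section A: [timestamp] unique_id client_ip client_port server_ip server_port
SECTION_A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<uid>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)"
    r"\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)
# [key "value"] pairs appended to a Message: line in section H
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def split_entries(text: str) -> List[Dict[str, str]]:
    """Return one {section_letter: body} dict per audit entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    section = None
    buf: List[str] = []
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if not m:
            buf.append(line)
            continue
        if section is not None:                      # flush the section just read
            current[section] = "\n".join(buf).strip("\n")
        buf = []
        letter = m.group(2)
        if letter == "A":                            # a new entry begins
            current = {}
            entries.append(current)
            section = "A"
        elif letter == "Z":                          # the entry is complete
            section = None
        else:
            section = letter
    if section is not None:                          # truncated trailing entry (no Z)
        current[section] = "\n".join(buf).strip("\n")
    return entries


def _headers(block: str) -> Dict[str, str]:
    """Headers of a B (request) or F (response) section; line 1 is the start line."""
    hdrs: Dict[str, str] = {}
    for line in block.split("\n")[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            hdrs[k.strip().lower()] = v.strip()
    return hdrs


def flatten(entry: Dict[str, str]) -> List[Dict[str, str]]:
    """One record per 'Message:' line (one per matched rule); an entry with no
    message still yields one record so the request is not lost."""
    a = SECTION_A_RE.match(entry.get("A", ""))
    if not a:
        return []
    b, f = entry.get("B", ""), entry.get("F", "")
    status = f.split("\n", 1)[0].split(" ")[1] if f.startswith("HTTP/") else "-"
    base = {
        "ts": a.group("ts"), "uid": a.group("uid"),
        "src": a.group("src"), "dst": a.group("dst"), "dport": a.group("dport"),
        "host": _headers(b).get("host", "-"),
        "req": b.split("\n", 1)[0], "status": status, "action": "-",
    }
    h_lines = entry.get("H", "").splitlines()
    for line in h_lines:                             # Action: comes after the messages
        if line.startswith("Action: "):
            base["action"] = line[len("Action: "):]
    records = []
    for line in h_lines:
        if line.startswith("Message: "):
            tags = dict(TAG_RE.findall(line))
            records.append(dict(base, rule_id=tags.get("id", "-"),
                                msg=tags.get("msg", "-"),
                                severity=tags.get("severity", "-")))
    if not records:
        records.append(dict(base, rule_id="-", msg="-", severity="-"))
    return records


def _q(v: str) -> str:
    """Quote a value so the SIEM can split the line on spaces safely."""
    return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'


def audit_to_syslog(text: str) -> List[str]:
    """The lines the example would hand to the remote syslog server."""
    return ["modsec: " + " ".join(f"{k}={_q(v)}" for k, v in r.items())
            for e in split_entries(text) for r in flatten(e)]


# Constructed sample: one blocked SQLi request, one plain 404 with no rule hit.
SAMPLE_AUDIT_LOG = """--c7036611-A--
[20/Nov/2013:10:23:45 +0100] UozhpX8AAAEAAGCBQ5MAAAAA 192.0.2.10 52123 198.51.100.5 80
--c7036611-B--
GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1
Host: www.example.com
User-Agent: curl/7.32.0

--c7036611-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html

--c7036611-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:or 1=1)" at ARGS:id. [file "/etc/modsecurity/rules/sqli.conf"] [line "10"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
Action: Intercepted (phase 2)
Stopwatch: 1384939425123456 1234 (- - -)
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/).
Server: Apache

--c7036611-Z--

--c7036612-A--
[20/Nov/2013:10:24:01 +0100] UozhsX8AAAEAAGCBQ5QAAAAB 192.0.2.11 52124 198.51.100.5 80
--c7036612-B--
GET /missing.html HTTP/1.1
Host: www.example.com

--c7036612-F--
HTTP/1.1 404 Not Found
Content-Type: text/html

--c7036612-H--
Stopwatch: 1384939441000000 800 (- - -)
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/).
Server: Apache

--c7036612-Z--
"""

if __name__ == "__main__":
    for line in audit_to_syslog(SAMPLE_AUDIT_LOG):
        print(line)
```

The `uid` field is the same unique id that ModSecurity writes into the Apache error log entry for the request, so a quick match on the syslog side can be tied back to the full entry kept in WAF-FLE. With `SecAuditLogParts` set to include C and E the request and response bodies also appear (sections C and E), which this parser keeps in the entry dict but deliberately does not forward to syslog.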