Hi, thanks for your reply.
I'm not clear on the part about how you deploy WAF-FLE.
Did you duplicate the audit log from modsec and send one copy to the central
syslog server and another to WAF-FLE?
Or is the flow like this: modsec (audit log) --> WAF-FLE (with a script to
extract and create a new log) --> send to central syslog server?
Thanks
On Mon, Nov 11, 2013 at 7:10 PM, Winfried Neessen
<ne...@cl...> wrote:
>
> Hi,
>
> > From these two types of log from modsec, which one is usually more useful?
> >
> In general the audit log is more useful, as you can configure it to log all
> the information that mod_sec sees and processes. For an in-depth analysis of
> the traffic you want to go for the audit log.
>
> The error log basically holds some consolidated information. From the example
> you provided, that Apache error log should be sufficient to get the information
> you need for your SIEM, and it is probably easier to parse as well.
>
> The way we are doing it is to configure mlogc to let the audit log go to a
> central logging server running WAF-FLE[1], and to let the secondary audit log
> parameter run a custom perl script that parses the audit log file, extracts
> the needed information and sends it to a central remote syslog server.
>
> That way we can run quick analyses on the syslog entries, and if we need
> something in-depth we can extract that information from WAF-FLE.
>
>
> BR,
> Winni
>
> [1] = http://www.waf-fle.org/
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
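Winni's setup as described above (mlogc feeding WAF-FLE, the secondary audit log handler feeding syslog), written out as an added example; this is not his perl script and not part of the thread. It contains a parser for ModSecurity's native audit-log format (the `--boundary-X--` parts), a summariser that keeps the transaction id, client address, Host, request line, rule ids and whether the request was intercepted, and an RFC 5424 syslog formatter. `SecAuditLogType`, `SecAuditLog` and `SecAuditLog2` are real ModSecurity 2.x directives; the paths, the hostname `waf01`, the facility `local0`, the function names and the concurrent-mode index-line layout handled by `entry_path_from_index` are assumptions, and the sample log is constructed.

```python
"""Stand-in for the perl script in the quoted setup (added example, not the
poster's code): parse ModSecurity audit-log entries and emit one RFC 5424 syslog
line per transaction. Assumed deployment, ModSecurity 2.x directives, made-up
paths. mlogc needs concurrent logging, so SecAuditLog2 hands this script one
index line per logged transaction rather than the entry itself:
  SecAuditLogType Concurrent
  SecAuditLog  "|/usr/local/bin/mlogc /etc/mlogc.conf"   # full entries -> WAF-FLE
  SecAuditLog2 "|/usr/local/bin/audit2syslog.py"         # index lines -> this script
"""
import re
import shlex
import sys
from datetime import datetime

SECTION_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$')          # e.g. --a1b2c3d4-H--
PART_A_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<txid>\S+) (?P<client>\S+) \d+ \S+ \d+')
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')          # [id "981242"] [msg "..."]
LOCAL0, SEV_WARNING, SEV_INFO = 16, 4, 6                       # syslog facility/severities

def parse_audit_log(text):
    """Split serial (native) audit-log text into one {part letter: body} dict per transaction."""
    entries, current, section, buf = [], None, None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m is None:
            buf.append(line)                   # body line (discarded outside a part)
            continue
        if section is not None and current is not None:
            current[section] = "\n".join(buf).strip("\n")
        letter = m.group(2)
        if letter == "A":                      # part A opens a transaction, Z closes it
            current = {}
            entries.append(current)
        section = None if letter == "Z" else letter
        buf = []
    return entries

def summarize(entry):
    """Pull the forwarded fields out of parts A (ids), B (request) and H (rule hits)."""
    a = PART_A_RE.match(entry.get("A", ""))
    if a is None:
        return None
    b_lines, h_lines = (entry.get(p, "").splitlines() for p in "BH")
    host = next((l.split(":", 1)[1].strip() for l in b_lines[1:]
                 if l.lower().startswith("host:")), "-")
    alerts = [dict(TAG_RE.findall(l)) for l in h_lines if l.startswith("Message:")]
    return {
        "timestamp": datetime.strptime(a.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "txid": a.group("txid"),
        "client": a.group("client"),
        "host": host,
        "request": b_lines[0] if b_lines else "-",
        "rule_ids": [t.get("id", "-") for t in alerts],
        "msg": alerts[0].get("msg", "") if alerts else "",
        "intercepted": any(l.startswith("Action: Intercepted") for l in h_lines),
    }

def to_syslog(s, hostname="waf01"):
    """Render one RFC 5424 line; blocked transactions go out at severity warning."""
    pri = LOCAL0 * 8 + (SEV_WARNING if s["intercepted"] else SEV_INFO)
    q = lambda v: v.replace("\\", "\\\\").replace('"', '\\"')   # keep key="value" parseable
    msg = (f'txid={s["txid"]} client={s["client"]} host={s["host"]} request="{q(s["request"])}" '
           f'action={"blocked" if s["intercepted"] else "passed"} '
           f'rules={",".join(s["rule_ids"]) or "-"} msg="{q(s["msg"])}"')
    return f'<{pri}>1 {s["timestamp"].isoformat()} {hostname} modsec - - - {msg}'

def audit_log_to_syslog(text, hostname="waf01"):
    """Serial audit-log text -> list of syslog lines, one per transaction."""
    return [to_syslog(s, hostname) for s in map(summarize, parse_audit_log(text)) if s]

def entry_path_from_index(index_line, storage_dir):
    """Concurrent-mode index line -> per-transaction file under SecAuditLogStorageDir.
    Assumption: the file name is the first '/'-prefixed field after the quoted request."""
    fields = shlex.split(index_line)
    return storage_dir + next(f for f in fields[6:] if f.startswith("/"))

# Constructed sample: two transactions in serial format, the first blocked by a SQLi rule.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-A--
[11/Nov/2013:19:10:00 +0100] UohXQH8AAQEAABZ5B2UAAAAA 192.0.2.10 54321 198.51.100.5 80
--a1b2c3d4-B--
GET /index.php?id=1%27%20OR%201=1 HTTP/1.1
Host: www.example.com

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:or)" at ARGS:id. [file "/etc/modsecurity/sqli.conf"] [line "42"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--a1b2c3d4-Z--
--e5f6a7b8-A--
[11/Nov/2013:19:10:05 +0100] UohXRX8AAQEAABZ6B3AAAAAB 203.0.113.7 40001 198.51.100.5 80
--e5f6a7b8-B--
GET /about.html HTTP/1.1
Host: www.example.com

--e5f6a7b8-H--
Message: Warning. Pattern match "(?i)scanner" at REQUEST_HEADERS:User-Agent. [id "900100"] [msg "Suspicious user agent"] [severity "WARNING"]
--e5f6a7b8-Z--
"""

if __name__ == "__main__":
    if sys.stdin.isatty():                      # no pipe: demonstrate on the sample
        lines = audit_log_to_syslog(SAMPLE_AUDIT_LOG)
    else:                                       # SecAuditLog2 pipe: one index line per transaction
        lines = []
        for idx in sys.stdin:
            lines += audit_log_to_syslog(open(entry_path_from_index(idx, "/var/log/modsec_audit")).read())
    for line in lines:
        print(line)   # ship with e.g. socket.sendto(line.encode(), ("syslog.example.net", 514))
```

Run with no stdin and it prints two lines from the sample, `<132>` for the blocked transaction and `<134>` for the one that passed, each carrying the transaction id so the full entry can later be pulled from WAF-FLE. In ModSecurity 2.x a secondary audit log only works with `SecAuditLogType Concurrent`, which is also what mlogc expects, so the script receives index lines and opens each per-transaction file itself; the final transport (UDP 514, TCP, or handing the line to `logger`) is left as a one-liner in the comment.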