Hi,
> I'm not clear with the part how you deploy the waf-fle.
> Did you duplicate the audit log from modsec? and send one to central syslog
> server and another to waf-fle?
> Or the flow is like this, modsec (audit log) --> waf-fle (with script to extract
> and create a new log) --> send to central syslog server.
>
Snippet from my config:

## Concurrent audit logging via mlogc
## HOST_NAME is taken from the environment to pick a per-host mlogc config
PassEnv HOST_NAME
SecAuditLogType Concurrent
## Primary log: index lines piped into mlogc, which submits the entries to WAF-FLE
SecAuditLog "|/path/to/mlogc /path/to/modsecurity/etc/mlogc_${HOST_NAME}.conf"
## Secondary log: same index lines piped into the parser that feeds central syslog
SecAuditLog2 "|/path/to/logparse.pl"
SecAuditLogParts ABIJDEFHKZ
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!0[14]))"
The SecAuditLog and SecAuditLog2 directives are the relevant parts; they take
care of the submission. mlogc sends the audit log to WAF-FLE, and logparse.pl
sends the same entries to the central syslog server.
See:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secauditlog
To avoid a race condition (mlogc deleting an entry before the parser has read
it), configure mlogc via "KeepEntries" so that it does not delete the audit
entries after a successful submission, and let the parser script take care of
the deletion instead.
HTH,
Winni
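A minimal stand-in for the logparse.pl side, as an added example that is not Winni's script: it reads the index lines ModSecurity pipes into SecAuditLog2, resolves each entry under the assumed SecAuditLogStorageDir, forwards it to a central syslog host over UDP and only then deletes the entry file, which relies on mlogc running with KeepEntries as described above. The index-line layout (six trailing fields after the combined-log prefix), the syslog facility/tag and the sample entry are assumptions for the example.

```python
# Added example, not the post's logparse.pl: ModSecurity pipes one concurrent-audit index line per
# relevant transaction into SecAuditLog2; this ships the entry it names to syslog, then deletes it.
import os, socket, sys, tempfile

def parse_index_line(line):
    """Trailing fields of an index line; 'path' is relative to SecAuditLogStorageDir."""
    parts = line.strip().rsplit(None, 6)
    if len(parts) != 7:
        raise ValueError("not a concurrent audit index line: %r" % line)
    return dict(zip(("head", "unique_id", "session", "path", "offset", "size", "hash"), parts))

def forward_entry(storage_dir, line, send):
    """Read the entry, call send(uid, data), delete it; if send() raises, the file stays for a retry."""
    meta = parse_index_line(line)
    path = os.path.realpath(os.path.join(storage_dir, meta["path"].lstrip("/")))
    if not path.startswith(os.path.realpath(storage_dir) + os.sep):   # stay inside the store
        raise ValueError("entry path escapes storage dir: %r" % meta["path"])
    data = open(path, "rb").read()
    send(meta["unique_id"], data)
    os.remove(path)                 # only reached after a successful send (needs mlogc KeepEntries)
    return meta

def syslog_sender(host, port=514, facility=13, severity=6):
    """One UDP syslog datagram (RFC 3164 style, assumed) per entry line, tagged with the unique id."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    pri = b"<%d>modsec-audit: " % (facility * 8 + severity)          # PRI = facility*8 + severity
    def send(uid, data):
        for raw in data.splitlines():   # one line per datagram; regroup centrally by unique id
            sock.sendto(pri + uid.encode() + b" " + raw, (host, port))
    return send

def demo():   # constructed entry in a temp dir with a capturing sender -> (meta, messages, removed?)
    store, uid = tempfile.mkdtemp(), "Ub3s1oAAAAEAAF9fjH8AAAAB"       # constructed sample id
    rel = "/20090421/20090421-2045/20090421-204505-" + uid
    body = b"--a1b2c3-A--\n[21/Apr/2009:20:45:05 +0000] " + uid.encode() + b"\n--a1b2c3-Z--\n"
    os.makedirs(os.path.dirname(store + rel))
    open(store + rel, "wb").write(body)
    index = ('www.example.com 192.0.2.10 - - [21/Apr/2009:20:45:05 +0000] "GET /admin/ HTTP/1.1"'
             ' 403 212 "-" "curl/7.0" %s "-" %s 0 %d md5:0\n' % (uid, rel, len(body)))
    got = []
    meta = forward_entry(store, index, lambda u, d: got.append((u, d)))
    return meta, got, not os.path.exists(store + rel)

if __name__ == "__main__":   # usage: logparse.py STORAGE_DIR SYSLOG_HOST, index lines on stdin
    sender = syslog_sender(sys.argv[2])
    for index_line in sys.stdin:
        try:
            forward_entry(sys.argv[1], index_line, sender)
        except (OSError, ValueError) as exc:    # one bad line must not stop the pipe
            print("skipped: %s" % exc, file=sys.stderr)
```

Because the file is removed only after send() returns, a syslog write failure leaves the entry on disk for a later pass instead of silently losing it.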