Re: [mod-security-users] Reading Concurrent Logs into Graylog
From: Jason M. <jm...@te...> - 2016-10-20 03:10:29

Just applied the patch and recompiled. So far so good. Thank you for your help!

From: Robert Paprocki [mailto:rpa...@fe...]
Sent: Wednesday, October 19, 2016 6:33 PM
To: mod...@li...
Subject: Re: [mod-security-users] Reading Concurrent Logs into Graylog

On Wed, Oct 19, 2016 at 4:06 PM, Jason Mull <jm...@te...> wrote:

> I think that might be the issue…I went ahead and enabled the multiline module in nxlog.conf and all of the info instantly started coming through. I’m assuming that the multiline module is adding the newline that GrayLog wants to see. Any thoughts on whether this setup could cause me any issues down the line?

Not sure about 'down the line', but tbh I think ModSecurity should write a trailing newline to concurrent logs. You could rebuild modsec with this patch:

https://patch-diff.githubusercontent.com/raw/SpiderLabs/ModSecurity/pull/1233.diff

Which will append newline to concurrent JSON logs. This seems like a saner solution than hoping other tooling in your stack is capable of handling data without newline delimitation.