Re: [mod-security-users] Reading Concurrent Logs into Graylog
From: Felipe C. <FC...@tr...> - 2016-10-20 15:03:32
Hi,

The patch is applied to v2/master (and master).

Thanks Robert.

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Jason Mull <jm...@te...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Thursday, October 20, 2016 at 12:10 AM
To: "ro...@cr..." <ro...@cr...>, "mod...@li..." <mod...@li...>
Subject: Re: [mod-security-users] Reading Concurrent Logs into Graylog

Just applied the patch and recompiled. So far so good. Thank you for your help!

From: Robert Paprocki [mailto:rpa...@fe...]
Sent: Wednesday, October 19, 2016 6:33 PM
To: mod...@li...
Subject: Re: [mod-security-users] Reading Concurrent Logs into Graylog

On Wed, Oct 19, 2016 at 4:06 PM, Jason Mull <jm...@te...> wrote:

> I think that might be the issue…I went ahead and enabled the multiline module in nxlog.conf and all of the info instantly started coming through. I’m assuming that the multiline module is adding the newline that GrayLog wants to see. Any thoughts on whether this setup could cause me any issues down the line?

Not sure about 'down the line', but tbh I think ModSecurity should write a trailing newline to concurrent logs. You could rebuild modsec with this patch:

https://patch-diff.githubusercontent.com/raw/SpiderLabs/ModSecurity/pull/1233.diff

Which will append newline to concurrent JSON logs. This seems like a saner solution than hoping other tooling in your stack is capable of handling data without newline delimitation.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
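The failure mode the thread is about, shown as an added example that is not part of the mailing-list thread and not ModSecurity, nxlog or Graylog code: a line-oriented (newline-delimited JSON) reader silently loses or rejects records when concurrent audit log entries are written without a trailing newline, while a tolerant reader that decodes back-to-back objects still recovers them. The two log entries are constructed stand-ins, far smaller than real ModSecurity JSON audit entries; `write_entries`, `parse_ndjson`, `parse_concatenated_json` and `ends_with_newline` are names chosen here, not functions of any of those projects.

```python
import json

# Constructed stand-ins for two ModSecurity JSON concurrent audit log entries.
# Real entries are much larger; only the shape (one JSON object per transaction) matters here.
ENTRY_A = '{"transaction": {"id": "constructed-0001", "client_ip": "192.0.2.10"}}'
ENTRY_B = '{"transaction": {"id": "constructed-0002", "client_ip": "192.0.2.11"}}'


def write_entries(entries, trailing_newline):
    """Emulate a shipper concatenating per-transaction log files into one stream.
    With trailing_newline=False the records run together on a single line,
    which is what a log writer that omits the newline produces."""
    sep = "\n" if trailing_newline else ""
    return "".join(e + sep for e in entries)


def parse_ndjson(stream):
    """Strict newline-delimited JSON reader, as a line-oriented pipeline would use.
    Returns (records, errors); a line holding two concatenated objects is an error."""
    records, errors = [], []
    for lineno, line in enumerate(stream.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            errors.append((lineno, str(exc)))
    return records, errors


def parse_concatenated_json(text):
    """Tolerant reader: decode back-to-back JSON objects with no delimiter between them.
    This is the extra work tooling has to do when the writer does not emit newlines."""
    decoder = json.JSONDecoder()
    pos, records = 0, []
    while pos < len(text):
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            break
        obj, pos = decoder.raw_decode(text, pos)
        records.append(obj)
    return records


def ends_with_newline(data: bytes) -> bool:
    """Check a practitioner can run over an audit log directory: does each
    concurrent log file end with the newline a line-oriented shipper expects?"""
    return data.endswith(b"\n")


if __name__ == "__main__":
    good = write_entries([ENTRY_A, ENTRY_B], trailing_newline=True)
    bad = write_entries([ENTRY_A, ENTRY_B], trailing_newline=False)
    print("with newlines:   ", parse_ndjson(good))
    print("without newlines:", parse_ndjson(bad))
    print("tolerant reader: ", len(parse_concatenated_json(bad)), "records recovered")
    print("file ends with newline:", ends_with_newline(good.encode()), ends_with_newline(bad.encode()))
```

Running it shows the strict reader returning both records for the newline-terminated stream and zero records plus one "Extra data" error for the unterminated one; the tolerant reader recovers both either way. Checking `ends_with_newline` over the files in the concurrent audit log directory is a quick way to confirm whether a given ModSecurity build includes the newline change before relying on a line-oriented shipper.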