Re: [mod-security-users] Reading Concurrent Logs into Graylog
From: Robert P. <rpa...@fe...> - 2016-10-20 15:15:05
Thanks for the quick turnaround! Apologies this slipped through the cracks when developing the original work. Cheers!

Jason, I'd be curious to hear about your use case with JSON audit logs. Exciting to see people are getting use out of it!

On Thu, Oct 20, 2016 at 7:18 AM, Felipe Costa <FC...@tr...> wrote:
> Hi,
>
> The patch is applied to v2/master (and master).
>
> Thanks Robert.
>
> Br.,
>
> Felipe “Zimmerle” Costa
> Security Researcher, Lead Developer ModSecurity.
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> From: Jason Mull <jm...@te...>
> Reply-To: "mod...@li..." <mod...@li...>
> Date: Thursday, October 20, 2016 at 12:10 AM
> To: "ro...@cr..." <ro...@cr...>, "mod...@li..." <mod-security-users@lists.sourceforge.net>
> Subject: Re: [mod-security-users] Reading Concurrent Logs into Graylog
>
> Just applied the patch and recompiled. So far so good. Thank you for your help!
>
> From: Robert Paprocki [mailto:rpa...@fe...]
> Sent: Wednesday, October 19, 2016 6:33 PM
> To: mod...@li...
> Subject: Re: [mod-security-users] Reading Concurrent Logs into Graylog
>
> On Wed, Oct 19, 2016 at 4:06 PM, Jason Mull <jm...@te...> wrote:
>
> I think that might be the issue… I went ahead and enabled the multiline module in nxlog.conf and all of the info instantly started coming through. I'm assuming that the multiline module is adding the newline that Graylog wants to see. Any thoughts on whether this setup could cause me any issues down the line?
>
> Not sure about 'down the line', but tbh I think ModSecurity should write a trailing newline to concurrent logs. You could rebuild modsec with this patch:
>
> https://patch-diff.githubusercontent.com/raw/SpiderLabs/ModSecurity/pull/1233.diff
>
> which will append a newline to concurrent JSON logs. This seems like a saner solution than hoping other tooling in your stack is capable of handling data without newline delimitation.
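The thread's underlying point is that a line-oriented log shipper (nxlog feeding Graylog here) only works reliably when every concurrent-mode JSON audit document ends in a newline, which is what the linked patch adds. The script below is an added example, not code from this thread or from the ModSecurity project: it writes constructed, deliberately simplified audit documents (the JSON shape is an assumption, not real ModSecurity output) with and without the trailing newline, shows that the newline-less files glue together into something a newline-delimited JSON reader cannot parse, and includes a small repair helper that appends the missing newline to files produced before the patch.

```python
"""Check and normalize ModSecurity concurrent JSON audit-log files for NDJSON ingestion.

Added example, not from the mailing-list thread or the ModSecurity project.
Assumes concurrent mode writes one JSON document per file (as the thread
describes) and the collector wants newline-delimited JSON (one document per line).
"""
import json
import os
import tempfile

# Constructed, simplified audit documents (not real ModSecurity output).
SAMPLE_ENTRIES = [
    {"transaction": {"transaction_id": "CONSTRUCTED-TX-1",
                     "request": {"method": "GET", "uri": "/"}}},
    {"transaction": {"transaction_id": "CONSTRUCTED-TX-2",
                     "request": {"method": "POST", "uri": "/login"}}},
]


def write_concurrent_file(path, doc, trailing_newline):
    """Write one JSON document, mimicking pre-patch (no newline) or post-patch output."""
    data = json.dumps(doc, separators=(",", ":"))
    if trailing_newline:
        data += "\n"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(data)


def ends_with_newline(path):
    """Return True if the file's last byte is a newline (the property the patch adds)."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        if fh.tell() == 0:
            return False
        fh.seek(-1, os.SEEK_END)
        return fh.read(1) == b"\n"


def ensure_trailing_newline(path):
    """Append a newline to a file that lacks one; return True if the file was changed."""
    if ends_with_newline(path):
        return False
    with open(path, "ab") as fh:
        fh.write(b"\n")
    return True


def concatenate_as_ndjson(paths):
    """Concatenate per-transaction files the way a line-based shipper sees the stream."""
    parts = []
    for p in paths:
        with open(p, "r", encoding="utf-8") as fh:
            parts.append(fh.read())
    return "".join(parts)


def parse_ndjson(text):
    """Parse newline-delimited JSON; every non-empty line must be exactly one document."""
    docs = []
    for line in text.splitlines():
        if line.strip():
            docs.append(json.loads(line))
    return docs


def demo(trailing_newline):
    """Write the samples with/without newlines; return how many NDJSON records parse."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for i, doc in enumerate(SAMPLE_ENTRIES):
            p = os.path.join(d, f"tx-{i}.json")
            write_concurrent_file(p, doc, trailing_newline)
            paths.append(p)
        try:
            return len(parse_ndjson(concatenate_as_ndjson(paths)))
        except json.JSONDecodeError:
            return 0  # two documents glued onto one line are not valid NDJSON


def repair_demo():
    """Fix a newline-less file once, show the second fix is a no-op, then parse it."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "tx.json")
        write_concurrent_file(p, SAMPLE_ENTRIES[0], trailing_newline=False)
        first = ensure_trailing_newline(p)
        second = ensure_trailing_newline(p)
        return first, second, len(parse_ndjson(concatenate_as_ndjson([p])))


if __name__ == "__main__":
    print("records parsed without trailing newline:", demo(False))
    print("records parsed with trailing newline:   ", demo(True))
    print("repair (changed, changed again, parsed):", repair_demo())
```

Run it against a real concurrent audit-log directory by pointing `ensure_trailing_newline` at each file before the shipper reads it; on a build that already carries the patch the helper simply reports nothing changed.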