Re: [mod-security-users] alternatives for waf-fle
From: Steve M. <sm...@so...> - 2024-02-08 20:49:28
Hans,

> Now I am looking for an alternative to view the alert logs.

FWIW, here's a summary of the setup that my team has been using for real-time mod_security log aggregation/browsing/monitoring:

On each web host:

- configure mod_security to log to a newline-delimited JSON file (`SecAuditLogFormat JSON`)
- use Filebeat <https://github.com/elastic/beats> to send the log data to a central log server

On the central log server:

- use Logstash <https://github.com/elastic/logstash> to receive the log data from all hosts, extract relevant information from the individual fields, and send it to Elasticsearch
- use Elasticsearch <https://github.com/elastic/elasticsearch> as the backend to store/index/search the log data
- use Kibana <https://github.com/elastic/kibana> as the web interface to perform search queries, browse individual log events, and view aggregated data as charts
- use Draff <https://github.com/kosada/draff> to provide daily email summaries of interesting/unusual events

This setup is more flexible than WAF-FLE — you can use it to process and browse many kinds of log data, not just mod_security. In our case, we have it ingest system logs + Apache httpd access/error logs + web application logs into the same database as mod_security logs, since it's often helpful to browse related events — e.g. the series of HTTP requests leading up to a mod_security audit event.

But the drawback is that it requires more system resources than WAF-FLE (the combination of Logstash + Elasticsearch + Kibana is fairly heavyweight), and more effort to configure it initially (while Logstash supports parsing JSON, it doesn't have any specific built-in knowledge of mod_security's JSON schema).

Steve
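The "extract relevant information from the individual fields" step that the post leaves to Logstash is where the schema knowledge has to live. The following is an added example (not code from Steve's post, nor from the ModSecurity or Elastic projects) showing what that extraction looks like in plain Python: it reads a newline-delimited JSON audit log, reduces each transaction to the fields worth indexing (client IP, request line, Host header, status, matched rule IDs, worst severity, whether the request was blocked), and skips a partially written last line, which is normal on a live log. The two field layouts it understands are assumptions from memory of ModSecurity 2.x `SecAuditLogFormat JSON` output (top-level `transaction`/`request`/`response`/`audit_data`) and libmodsecurity 3.x output (everything nested under `transaction`, with structured `messages`); the sample entries are constructed, and the field names should be checked against a real entry from your own log before relying on them.

```python
"""Flatten ModSecurity newline-delimited JSON audit entries for indexing.

Added example, not from the mailing-list post or the ModSecurity/Elastic
projects. ASSUMED field layouts: ModSecurity 2.x (top-level "audit_data")
and libmodsecurity 3.x (all under "transaction"). Verify against your log.
"""
import json
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# ModSecurity severity scale (syslog levels); 3.x logs them as numeric strings.
SEVERITY_NAMES = {"0": "EMERGENCY", "1": "ALERT", "2": "CRITICAL", "3": "ERROR",
                  "4": "WARNING", "5": "NOTICE", "6": "INFO", "7": "DEBUG"}
_RANK = {name: int(level) for level, name in SEVERITY_NAMES.items()}

# 2.x writes each rule hit as H-section text, e.g.
#   Message: ... [file "..."] [line "45"] [id "942100"] [msg "..."] [severity "CRITICAL"]
_V2_TAG = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')


def _header(headers: Optional[Dict[str, str]], name: str) -> Optional[str]:
    """Case-insensitive header lookup; the log keeps header names as sent."""
    for key, value in (headers or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def _v2_hits(messages: List[str]) -> List[dict]:
    hits = []
    for text in messages:
        fields = dict(_V2_TAG.findall(text))
        if "id" in fields:  # ignore lines that carry no rule id
            hits.append({"rule_id": fields["id"], "msg": fields.get("msg"),
                         "severity": fields.get("severity")})
    return hits


def _v3_hits(messages: List[dict]) -> List[dict]:
    hits = []
    for m in messages:
        details = m.get("details", {})
        if details.get("ruleId"):
            sev = details.get("severity")
            hits.append({"rule_id": details["ruleId"], "msg": m.get("message"),
                         "severity": SEVERITY_NAMES.get(sev, sev)})
    return hits


def flatten(entry: dict) -> dict:
    """Reduce one audit entry (either assumed layout) to indexable fields."""
    tx = entry.get("transaction", {})
    if "audit_data" in entry:  # ModSecurity 2.x layout (assumed)
        req, resp, audit = entry.get("request", {}), entry.get("response", {}), entry["audit_data"]
        hits = _v2_hits(audit.get("messages", []))
        flat = {"layout": "modsecurity2", "transaction_id": tx.get("transaction_id"),
                "timestamp": tx.get("time"), "client_ip": tx.get("remote_address"),
                "request_line": req.get("request_line"), "status": resp.get("status"),
                "intercepted": bool(audit.get("action", {}).get("intercepted"))}
    else:  # libmodsecurity 3.x layout (assumed)
        req, resp = tx.get("request", {}), tx.get("response", {})
        hits = _v3_hits(tx.get("messages", []))
        flat = {"layout": "modsecurity3", "transaction_id": tx.get("unique_id"),
                "timestamp": tx.get("time_stamp"), "client_ip": tx.get("client_ip"),
                "request_line": f"{req.get('method')} {req.get('uri')} HTTP/{req.get('http_version')}",
                "status": resp.get("http_code"),
                # 3.x has no explicit intercepted flag; a 403 is the usual sign (heuristic)
                "intercepted": resp.get("http_code") == 403}
    flat["host"] = _header(req.get("headers"), "Host")
    flat["rule_ids"] = [h["rule_id"] for h in hits]
    flat["rule_msgs"] = [h["msg"] for h in hits]
    ranked = [h["severity"] for h in hits if h["severity"] in _RANK]
    flat["max_severity"] = min(ranked, key=_RANK.get) if ranked else None  # lowest level = worst
    return flat


def load(text: str) -> Tuple[List[dict], int]:
    """Parse an ndjson audit log; returns (records, number of lines skipped as malformed)."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(flatten(json.loads(line)))
        except (json.JSONDecodeError, AttributeError):
            skipped += 1  # e.g. a half-written last line on a live file
    return records, skipped


def top_rules(records: List[dict], n: int = 5) -> List[Tuple[str, int]]:
    """Most frequently matched rule ids; the kind of daily summary Draff would mail."""
    return Counter(rid for r in records for rid in r["rule_ids"]).most_common(n)


# Constructed sample entries (not real log data): one per assumed layout.
SAMPLE_ENTRIES = [
    {"transaction": {"time": "08/Feb/2024:20:49:28 +0000", "transaction_id": "ZcVFaIkh7Q1XpQAAAAA",
                     "remote_address": "198.51.100.23", "remote_port": 51234,
                     "local_address": "203.0.113.10", "local_port": 443},
     "request": {"request_line": "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1",
                 "headers": {"Host": "www.example.com", "User-Agent": "curl/8.4.0"}},
     "response": {"protocol": "HTTP/1.1", "status": 403, "headers": {"Content-Type": "text/html"}},
     "audit_data": {"messages": [
         'Message: Warning. detected SQLi using libinjection with fingerprint \'s&1\' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]',
         'Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]'],
         "action": {"intercepted": True, "phase": 2, "message": "Operator GE matched 5 at TX:anomaly_score."},
         "producer": "ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/)", "engine_mode": "ENABLED"}},
    {"transaction": {"client_ip": "198.51.100.23", "time_stamp": "Thu Feb  8 20:49:30 2024",
                     "client_port": 51240, "host_ip": "203.0.113.10", "host_port": 443,
                     "unique_id": "170744697012.345678",
                     "request": {"method": "GET", "http_version": 1.1,
                                 "uri": "/index.php?page=../../../../etc/passwd",
                                 "headers": {"host": "www.example.com", "User-Agent": "curl/8.4.0"}},
                     "response": {"http_code": 403, "headers": {}},
                     "producer": {"modsecurity": "ModSecurity v3.0.12 (Linux)", "secrules_engine": "Enabled"},
                     "messages": [{"message": "OS File Access Attempt",
                                   "details": {"ruleId": "930120", "severity": "2",
                                               "file": "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf",
                                               "data": "Matched Data: etc/passwd found within ARGS:page"}}]}},
]
# Constructed ndjson text, ending in a deliberately truncated line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_ENTRIES) + '\n{"transaction": {"time": "08/Feb/2024'

if __name__ == "__main__":
    recs, bad = load(SAMPLE_LOG)
    for rec in recs:
        print(json.dumps(rec))
    print("top rules:", top_rules(recs), "| skipped lines:", bad)
```

Each flattened record is one JSON document per transaction, which is what you would hand to Elasticsearch; the same logic ports to a Logstash `ruby` filter or a Filebeat processor, but prototyping it outside the pipeline makes it easy to check the field names against your own log first.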