Re: [mod-security-users] alternatives for waf-fle
From: Hans M. <mo...@ma...> - 2024-02-09 11:24:09
Hi Steve,

many thanks for your hint. I already stumbled over ELK as a log viewer for "mod-sec" a while ago. I have been using the ELK stack on a different server for different services for many years and I am a fan of this great application. But as you wrote, it needs a lot of resources. This was the benefit of "waf-fle", as it used really little memory and CPU. And it was the reason for me not to switch away from "waf-fle" to ELK some time ago. But now I will maybe give it a try. I don't know "draff", but it seems that "draff" isn't really needed. Are there also dashboards and visualization libraries available in Kibana for "mod-sec" logs? If not, then it's not a challenge. I have already developed some.

Kind regards
Hans

--

On 08.02.24 21:32, Steve Mokris wrote:
> Hans,
>
>> Now I am looking for an alternative to view the alert logs.
>
> FWIW, here's a summary of the setup that my team has been using for realtime mod_security log aggregation/browsing/monitoring:
>
> On each web host:
>
> - configure mod_security to log to a newline-delimited JSON file (`SecAuditLogFormat JSON`)
> - use Filebeat <https://github.com/elastic/beats> to send the log data to a central log server
>
> On the central log server:
>
> - use Logstash <https://github.com/elastic/logstash> to receive the log data from all hosts, extract relevant information from the individual fields, and send it to Elasticsearch
> - use Elasticsearch <https://github.com/elastic/elasticsearch> as the backend to store/index/search the log data
> - use Kibana <https://github.com/elastic/kibana> as the web interface to perform search queries, browse individual log events, and view aggregated data as charts
> - use Draff <https://github.com/kosada/draff> to provide daily email summaries of interesting/unusual events
>
> This setup is more flexible than WAF-FLE: you can use it to process and browse many kinds of log data, not just mod_security. In our case, we have it ingest system logs + Apache httpd access/error logs + web application logs into the same database as mod_security logs, since it's often helpful to browse related events, e.g. the series of HTTP requests leading up to a mod_security audit event. But the drawback is that it requires more system resources than WAF-FLE (the combination of Logstash + Elasticsearch + Kibana is fairly heavyweight), and more effort to configure it initially (while Logstash supports parsing JSON, it doesn't have any specific built-in knowledge of mod_security's JSON schema).
>
> Steve
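To make concrete what "extract relevant information from the individual fields" involves when the log pipeline has no built-in knowledge of the mod_security JSON schema, here is an added example (written for this page; it is not code from either poster, nor from the ModSecurity or Elastic projects) that performs that extraction in Python over constructed sample audit records and builds the per-rule and per-client counts a dashboard would show. The record layout it assumes (top-level `transaction`, `request`, `response` and `audit_data` keys, with `audit_data.messages` as a list of strings carrying `[key "value"]` pairs such as `[id "941100"]`) is my reading of the ModSecurity 2.x JSON audit log; every value in the sample is invented, so compare the key names against one line of your own `SecAuditLogFormat JSON` output before reusing them in a Logstash filter.

```python
import json
import re
from collections import Counter

# Constructed sample records in the shape of ModSecurity 2.x JSON audit log
# entries (SecAuditLogFormat JSON). The key layout is an assumption about the
# 2.x JSON audit logger; every value below is invented for this example.
def _entry(txid, client, request_line, status, messages):
    return {
        "transaction": {
            "time": "09/Feb/2024:11:02:15 +0000", "transaction_id": txid,
            "remote_address": client, "remote_port": 51234,
            "local_address": "198.51.100.10", "local_port": 443,
        },
        "request": {"request_line": request_line,
                    "headers": {"Host": "www.example.com", "User-Agent": "curl/8.5.0"}},
        "response": {"protocol": "HTTP/1.1", "status": status,
                     "headers": {"Content-Type": "text/html"}},
        "audit_data": {"messages": messages, "handler": "proxy-server",
                       "producer": "ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); OWASP_CRS/3.3.5.",
                       "server": "Apache", "engine_mode": "ENABLED"},
    }

CRS = "/etc/modsecurity/crs/rules/"  # assumed CRS install path, invented
XSS_MSG = ('Warning. detected XSS using libinjection. '
           '[file "' + CRS + 'REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] '
           '[id "941100"] [msg "XSS Attack Detected via libinjection"] '
           '[data "Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>"] '
           '[severity "CRITICAL"] [tag "application-multi"] [tag "attack-xss"]')
LFI_MSG = ('Warning. Matched phrase "etc/passwd" at ARGS:file. '
           '[file "' + CRS + 'REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "100"] '
           '[id "930120"] [msg "OS File Access Attempt"] '
           '[data "Matched Data: etc/passwd found within ARGS:file: ../../etc/passwd"] '
           '[severity "CRITICAL"] [tag "application-multi"] [tag "attack-lfi"]')
BLOCK_MSG = ('Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
             '[file "' + CRS + 'REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] '
             '[id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
             '[severity "CRITICAL"] [tag "anomaly-evaluation"]')

# Newline-delimited, as Filebeat would ship it; the last line is deliberately
# truncated to mimic a record that was still being written when the file was read.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    _entry("Zcb1a@1", "203.0.113.7", "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1", 403, [XSS_MSG, BLOCK_MSG]),
    _entry("Zcb1a@2", "198.51.100.23", "GET /?file=../../etc/passwd HTTP/1.1", 403, [LFI_MSG, BLOCK_MSG]),
    _entry("Zcb1a@3", "203.0.113.7", "GET /search?q=%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1", 403, [XSS_MSG, BLOCK_MSG]),
]) + '\n{"transaction": {"time": "09/Feb/2024:11:02:16 +00'

# One [key "value"] pair; the value may contain backslash-escaped quotes.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_message(msg):
    """Split one audit message into its free text and its [key "value"] fields.
    The repeatable 'tag' key is collected into a list; other keys keep one value."""
    fields = {"tags": []}
    for key, value in TAG_RE.findall(msg):
        if key == "tag":
            fields["tags"].append(value)
        else:
            fields[key] = value
    fields["text"] = TAG_RE.sub("", msg).strip()
    return fields

def flatten_event(entry):
    """Pull the fields worth indexing out of one audit record into a flat dict."""
    tx = entry["transaction"]
    req = entry.get("request", {})
    resp = entry.get("response", {})
    messages = [parse_message(m) for m in entry.get("audit_data", {}).get("messages", [])]
    return {
        "transaction_id": tx.get("transaction_id"),
        "time": tx.get("time"),
        "client_ip": tx.get("remote_address"),
        "host": req.get("headers", {}).get("Host"),
        "request_line": req.get("request_line"),
        "status": resp.get("status"),
        "rule_ids": [m["id"] for m in messages if "id" in m],
        "messages": messages,
    }

def load_events(ndjson_text):
    """Parse newline-delimited JSON, skipping blank, truncated or unexpected lines
    instead of aborting the whole batch on one bad record."""
    events = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(entry, dict) or "transaction" not in entry:
            continue
        events.append(flatten_event(entry))
    return events

def summarize(events):
    """Count audit messages per (rule id, msg) and audit events per client IP."""
    by_rule, by_client = Counter(), Counter()
    for ev in events:
        by_client[ev["client_ip"]] += 1
        for m in ev["messages"]:
            if "id" in m:
                by_rule[(m["id"], m.get("msg", ""))] += 1
    return by_rule, by_client

if __name__ == "__main__":
    evs = load_events(SAMPLE_NDJSON)
    rules, clients = summarize(evs)
    for (rid, msg), n in rules.most_common():
        print(f"{n:4d}  {rid}  {msg}")
    for ip, n in clients.most_common():
        print(f"{n:4d}  {ip}")
```

Two points carry over to a Logstash or Kibana setup. First, `audit_data.messages` is a list of strings, so the rule id, message and tags only become searchable fields after a grok or ruby filter does what `parse_message` does; indexing the raw strings gives full-text search but no per-rule aggregation. Second, the CRS blocking-evaluation rule (949110 in the sample) fires on every blocked transaction, so a "top rules" chart should either filter it out or be read alongside the detection rules that actually raised the anomaly score.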