Skip to content

bitsofinfo/fluentd-modsecurity

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

fluentd-modsecurity

Fluentd output (filter) plugin for parsing a ModSecurity audit log

This is intended to serve as an example starting point for how to ingest parse entries from a ModSecurity audit log file using fluentd into a more first-class structured object that can then be forwarded on to another output.

Getting Started

More info and example output:

ModSecurity Audit Log format:

Prerequisites

Build the gem

gem build fluent-plugin-modsecurity.gemspec

Install the gem to fluentd

fluent-gem install ./fluent-plugin-modsecurity-0.2.gem

Deployment

Example fluent.conf setup.

# (1) Consume the input
<source>
  @type tail
  tag raw-modsec
  path /path/to/modsec_audit.log
  <parse>
    @type multiline
    format_firstline /^-{2,3}][a-zA-Z0-9]{8}-{2,3}A--$/
    format1 /(?<message>.*)/
  </parse>
</source>

# (2) Massage it via this plugin to a more structured object
<match raw-modsec>
  @type modsecurity-audit-format
  tag modsec-formatted
</match>

# (3) Output to stdout
<match modsec-formatted>
  @type stdout
</match>

License

This project is licensed under the Apache 2.0 License - see the LICENSE file for details

About

Fluentd output (filter) plugin for parsing events from ModSecurity audit logs

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages