I've installed and configured elasticstack on CentOS 8, using the packages in the elasticsearch repos. One of the first log sources I'm toying with is mod_security. Of course, the format of these logs is totally brutal, so it's been challenging. I see quite a bit of work has been done to make this easier, but I'm struggling with the "best" or most "efficient" way to ingest/parse these.
- I've seen a filterset for mod_security on github (https://github.com/bitsofinfo/logstash-modsecurity). Can I just feed these logs via a standard filebeats module and use this logstash filter set to parse them? Do I need to create a custom filebeats module to get these logs into logstash?
- I've seen a logstash plugin to parse these (https://github.com/isaaceindhoven/logstash-filter-modsec). Does this make more sense than using the filter set? Would I need custom filebeats modules to feed these logs in?
There are just so many options and approaches, I'm not confident in which route is the more standard or the more efficient. Any advice would be helpful.
Thanks for any help!
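Whichever route is chosen (Filebeat plus the Logstash filter set, or the Logstash plugin), the hard part the post describes is the same: turning the multi-section ModSecurity serial audit log into one flat document per transaction. The following is an added example, not code from the post or from either linked project, showing what that parsing step amounts to. It assumes the ModSecurity v2 serial audit-log layout (sections delimited by `--<boundary>-<letter>--` markers, A for the transaction line, B for request headers, F for response headers, H for the rule messages, Z for end of transaction); the sample log embedded below is constructed, including its IPs, unique IDs and the rule id `100001`, and the output field names are this example's own choice rather than any project's schema.

```python
import json
import re
from typing import Dict, Iterator, List

# Section boundary marker, e.g. "--1a2b3c4d-A--" (ModSecurity v2 serial audit log)
BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Section A: "[timestamp] unique_id client_ip client_port server_ip server_port"
SECTION_A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<cip>\S+) (?P<cport>\d+) (?P<sip>\S+) (?P<sport>\d+)"
)
# Bracketed key/value tags inside a "Message:" line, e.g. [id "100001"] [msg "..."]
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample: one blocked transaction, one allowed transaction.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[10/Jan/2021:12:34:56 +0000] Xv9kQ8CoAQ4AAHcDQpAAAAAA 203.0.113.5 51234 192.0.2.10 443
--1a2b3c4d-B--
GET /search?q=test HTTP/1.1
Host: www.example.com
User-Agent: constructed-sample-agent/1.0

--1a2b3c4d-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html

--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Matched constructed test rule at ARGS:q. [file "/etc/modsecurity/constructed.conf"] [line "1"] [id "100001"] [msg "Constructed test rule"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: php-script
--1a2b3c4d-Z--
--5e6f7a8b-A--
[10/Jan/2021:12:35:01 +0000] Xv9kRcCoAQ4AAHcDQpMAAAAB 198.51.100.7 40022 192.0.2.10 443
--5e6f7a8b-B--
GET /index.html HTTP/1.1
Host: www.example.com

--5e6f7a8b-F--
HTTP/1.1 200 OK
Content-Type: text/html

--5e6f7a8b-H--
Apache-Handler: default-handler
--5e6f7a8b-Z--
"""


def split_transactions(text: str) -> Iterator[Dict[str, List[str]]]:
    """Group raw lines by section letter, yielding one dict per transaction."""
    sections: Dict[str, List[str]] = {}
    current_boundary = None
    current_part = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            boundary, part = m.group(1), m.group(2)
            # A new boundary without a preceding Z means the previous record was truncated:
            # emit what we have rather than merging two transactions.
            if current_boundary is not None and boundary != current_boundary and sections:
                yield sections
                sections = {}
            current_boundary = boundary
            if part == "Z":
                if sections:
                    yield sections
                sections = {}
                current_part = None
            else:
                current_part = part
                sections.setdefault(part, [])
            continue
        if current_part is not None:
            sections[current_part].append(line)
    if sections:  # log cut off mid-transaction
        yield sections


def parse_headers(lines: List[str]) -> Dict[str, str]:
    """Parse 'Name: value' lines up to the first blank line; header names lower-cased."""
    headers: Dict[str, str] = {}
    for line in lines:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_messages(lines: List[str]) -> List[Dict[str, object]]:
    """Extract each 'Message:' line of section H into free text plus its bracketed tags."""
    messages = []
    for line in lines:
        if line.startswith("Message: "):
            body = line[len("Message: "):]
            tags = {key: value for key, value in TAG_RE.findall(body)}
            messages.append({"text": TAG_RE.sub("", body).strip(), "tags": tags})
    return messages


def build_event(sections: Dict[str, List[str]]) -> Dict[str, object]:
    """Flatten one transaction's sections into a single JSON-ready document."""
    event: Dict[str, object] = {}
    a_lines = sections.get("A", [])
    m = SECTION_A_RE.match(a_lines[0]) if a_lines else None
    if m:
        event["timestamp"] = m.group("ts")
        event["unique_id"] = m.group("uid")
        event["client"] = {"ip": m.group("cip"), "port": int(m.group("cport"))}
        event["server"] = {"ip": m.group("sip"), "port": int(m.group("sport"))}
    b_lines = sections.get("B", [])
    if b_lines:
        parts = b_lines[0].split(" ", 2)
        request = {"headers": parse_headers(b_lines[1:])}
        if len(parts) == 3:
            request.update({"method": parts[0], "uri": parts[1], "protocol": parts[2]})
        event["request"] = request
    f_lines = sections.get("F", [])
    if f_lines:
        parts = f_lines[0].split(" ", 2)  # "HTTP/1.1 403 Forbidden"
        status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
        event["response"] = {"status": status, "headers": parse_headers(f_lines[1:])}
    h_lines = sections.get("H", [])
    event["messages"] = parse_messages(h_lines)
    event["rule_ids"] = [msg["tags"]["id"] for msg in event["messages"] if "id" in msg["tags"]]
    event["blocked"] = any(line.startswith("Action: Intercepted") for line in h_lines)
    return event


def parse_audit_log(text: str) -> List[Dict[str, object]]:
    return [build_event(s) for s in split_transactions(text)]


def audit_log_to_ndjson(text: str) -> str:
    """One JSON object per line, the shape a bulk indexer or Logstash json codec expects."""
    return "\n".join(json.dumps(event, sort_keys=True) for event in parse_audit_log(text))


if __name__ == "__main__":
    print(audit_log_to_ndjson(SAMPLE_AUDIT_LOG))
```

The useful fields for dashboards and alerting are `rule_ids`, `blocked`, `response.status` and `client.ip`, which is essentially what the Logstash-based approaches also produce; the difference between them is only where this flattening happens (a Logstash filter chain versus a Ruby plugin), not what it has to do. Concurrent audit-log mode, where each transaction is a separate file, uses the same section layout and can be fed to `parse_audit_log` one file at a time.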