Change Log format

Hello!

I want to change the format of the log mentioned below. I am new to ELK; any help will be much appreciated. Thanks

[Mon Oct 02 13:14:00.967345 2023] [security2:error] [pid 186:tid 140439170467520] [client 192.168.76.181:51316] [client 192.168.76.181] ModSecurity: Warning. Pattern match "((?:[~!@#\$%\^&\\(\)\-\+=\{\}\[\]\|:;"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98<>][^~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98<>] ?){6})" at ARGS:data.accountNumber. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1414"] [id "942431"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)"] [data "Matched Data: -A-010-01-01-1000- found within ARGS:data.accountNumber: 1014-A-010-01-01-1000-8"] [severity "WARNING"] [ver "OWASP_CRS/3.3.5"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/3"] [hostname "waf"] [uri "/fsm/TNS_FT_1_A_VL_N"] [unique_id "ZRrCGHUNdbJ411i8RvA2ZgAAAMA"], referer: https://staging.abc-faceit.org/TNS_FT_1_A_VL_N_Super8

Hi @Suleman_Ahmed,

Great to hear you're using ELK. How are you ingesting your logs into Elasticsearch? And can you give an example of what transformations that you want to apply?

