Filebeat Nginx Module + ModSecurity Audit Log to Same ELK Stack

In this case I am using a droplet to host a Django web application. I am serving it with Nginx. I have also integrated the ModSecurity WAF with Nginx. Now I have Nginx access and error logs that I am transmitting through Filebeat, by enabling the Nginx module, to my other cloud-hosted ELK server. But I also want to ship the ModSecurity audit log from this droplet to my ELK server. How can I do these simultaneously?

Hey @adlp, welcome to discuss!

You would need to add an input with the path of the ModSecurity logs. Look, for example, at the configuration in "Filebeat to parse modsecurity json logs".

In the same link you can see that parsing its contents can be a more complicated task.

Will it work when I'm already using the Filebeat Nginx module to ship Nginx logs? I've added an input with the ModSecurity log path, but it doesn't show up in index management. I want to use the Nginx module and ModSecurity log shipping together.

AFAIK ModSecurity logs to a different file, so you need to add some input for this file. This shouldn't affect your configuration for other nginx logs.
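
A `filebeat.yml` sketch of the combination discussed in this thread, added here as an example and not taken from any poster's configuration: the Nginx module stays enabled and a separate input reads the ModSecurity audit log. The audit log path, input id, tag and Elasticsearch host are assumptions, as is ModSecurity writing one JSON object per line (`SecAuditLogFormat JSON` with `SecAuditLogType Serial`) and a Filebeat version that provides the `filestream` input.

```yaml
# filebeat.yml (added example; path, id, tag and host below are assumptions)

# Keep loading module configs. The Nginx module itself is switched on with
# `filebeat modules enable nginx`, which activates modules.d/nginx.yml.
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

# Extra input for the ModSecurity audit log. It runs alongside the Nginx
# module and does not change how access/error logs are collected.
filebeat.inputs:
  - type: filestream
    id: modsecurity-audit            # assumed id; must be unique per filestream input
    enabled: true
    paths:
      - /var/log/modsec_audit.log    # assumed path; use the value of SecAuditLog
    parsers:
      - ndjson:
          target: "modsec"           # decoded JSON is placed under the "modsec" field
          add_error_key: true        # adds error.message when a line is not valid JSON
    tags: ["modsecurity"]            # assumed tag, used to filter these events in Kibana

# Assumed output; replace with the output section already used for the Nginx logs.
output.elasticsearch:
  hosts: ["https://elk.example.internal:9200"]   # placeholder host
```

With the default index settings, events from this input are written to the same `filebeat-*` index as the Nginx module events rather than to a new index, so they are found by filtering on the tag. `filebeat test config` validates the file, and the Filebeat user needs read permission on the audit log.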
