Hi jsoriano, thanks for the welcome!
Since version 2.9.1, ModSecurity accepts JSON as a log format. This is my config:
# Log everything we know about a transaction.
SecAuditLogParts ABCIJDEFHZ
SecAuditLogFormat JSON
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecAuditLogParts defines which information you want to log. In this guide you can see the meaning of each letter: https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats. In general terms:
A: HTTP Audit Log header
B: HTTP Request headers
C: Request Body
H: Audit Log Trailer (contains sub fields like message, server)
Z: End of log
I see that Filebeat is parsing every field from the JSON log well, but the message field from the "H" Audit Log Trailer has sub-fields separated by []. That info is really useful for troubleshooting the WAF and creating visualizations like top matching rules, attacks, etc.
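
The bracketed sub-fields described above can be split out of a trailer message before indexing. The following is an added example, not part of the original post and not ModSecurity or Filebeat code: it assumes each sub-field has the form `[name "value"]` and that the messages sit under `audit_data.messages` in the JSON line; the sample line, rule id, file path and tags are constructed.

```python
import json
import re

# One [name "value"] sub-field; the value may contain backslash-escaped characters.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample: a JSON audit-log line reduced to the trailer message.
# The key names "audit_data" and "messages" are assumptions about the layout.
SAMPLE_LINE = json.dumps({
    "audit_data": {
        "messages": [
            'Warning. Pattern match "select" at ARGS:q. '
            '[file "/etc/httpd/example-rules.conf"] [line "42"] [id "900001"] '
            '[msg "Example \\"quoted\\" rule message"] [severity "CRITICAL"] '
            '[tag "example-tag-one"] [tag "example-tag-two"]'
        ]
    }
})


def parse_message(message):
    """Split one trailer message into its free text and its sub-fields."""
    first = FIELD_RE.search(message)
    text = message[:first.start()].strip() if first else message.strip()
    collected = {}
    for name, raw in FIELD_RE.findall(message):
        value = re.sub(r'\\(.)', r'\1', raw)  # undo backslash escapes
        collected.setdefault(name, []).append(value)
    # "tag" repeats, so it stays a list; other names collapse when single-valued.
    fields = {
        name: values if name == "tag" or len(values) > 1 else values[0]
        for name, values in collected.items()
    }
    return {"text": text, "fields": fields}


def parse_audit_line(line):
    """Parse one JSON audit-log line and return its structured messages."""
    event = json.loads(line)
    messages = event.get("audit_data", {}).get("messages", [])
    return [parse_message(m) for m in messages]


if __name__ == "__main__":
    for entry in parse_audit_line(SAMPLE_LINE):
        print(json.dumps(entry, indent=2))
```

Keeping `tag` as a list and `id` as a single keyword-style value gives stable field types for aggregations such as top matching rules.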