Grok works in debugger but not in Logstash

Hi. I am struggling to write a grok pattern for ModSecurity logs from the Apache error log. I have included a sample log and the grok pattern. I isolated the timestamp creation, which works on its own. However, the rest works in the debugger but not in Logstash. If anyone could help I would appreciate it.

[Sat May 08 13:18:27.123886 2021] [:error] [pid 8239] [client 192.168.1.1:55894] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&sos' [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "65"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:id: %' OR '0' ='0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.1.2"] [uri "/DVWA/vulnerabilities/sqli/"] [unique_id "YJaPo-358QACmukNh@pOhAAAAAQ"], referer: http://192.168.1.2/DVWA/vulnerabilities/sqli/
(?<modsecuritytimestamp> %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})\] \[\:%{LOGLEVEL:loglevel}\].*client\s%{IP:src_ip}.*ModSecurity:(?<alert_message>.*)

The logs are shipped from Filebeat to my Elastic Stack machine.

That grok pattern works for me:

            "loglevel" => "error",
"modsecuritytimestamp" => " May 08 13:18:27.123886 2021",
              "src_ip" => "192.168.1.1",
       "alert_message" => " Warning. detected SQLi using libinjection with fingerprint \\'s&sos\\' [file \"/etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"65\"] [id \"942100\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: s&sos found within ARGS:id: %\\' OR \\'0\\' =\\'0\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/248/66\"] [tag \"PCI/6.5.2\"] [hostname \"192.168.1.2\"] [uri \"/DVWA/vulnerabilities/sqli/\"] [unique_id \"YJaPo-358QACmukNh@pOhAAAAAQ\"], referer: http://192.168.1.2/DVWA/vulnerabilities/sqli/",

Thank you for responding. That's interesting. Would it be okay if I posted a screenshot of my configuration file? I would just copy the file but it's on a VM and difficult to get. Maybe it's something I'm missing? I can get the timestamp working but none of the rest. Anything else it could be?

In case someone is looking back on this: the pattern works; I forgot a space after the timestamp field. Thanks for helping, badger.
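Added example, not code from the thread or from Logstash: a small Python re-implementation of the grok match above, so the "works in the debugger, fails in Logstash" symptom can be reproduced offline. It expands the %{...} references with hand-transcribed (simplified) versions of the stock grok patterns, runs the original poster's expression against the sample line, then runs a variant with the space between "\]" and "\[" removed (the assumption here is that this is the forgotten space the final post refers to) and shows it no longer matches, which is what Logstash reports as _grokparsefailure. It also splits the captured alert_message into its [key "value"] fields, collecting the repeated tag entries into a list, since that is the part of the event a detection engineer actually wants to query on. GROK_LIB, parse_error_line and parse_modsec_fields are names chosen for this example.

```python
"""Reproduce the thread's grok match in plain Python and show why a missing space breaks it."""
import re
from typing import Optional

# Sample line constructed for this example; same content as the log line posted in the thread.
SAMPLE = (
    "[Sat May 08 13:18:27.123886 2021] [:error] [pid 8239] [client 192.168.1.1:55894] "
    "ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&sos' "
    '[file "/etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "65"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: s&sos found within ARGS:id: %\' OR \'0\' =\'0"] [severity "CRITICAL"] '
    '[ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] '
    '[tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] '
    '[tag "PCI/6.5.2"] [hostname "192.168.1.2"] [uri "/DVWA/vulnerabilities/sqli/"] '
    '[unique_id "YJaPo-358QACmukNh@pOhAAAAAQ"], referer: http://192.168.1.2/DVWA/vulnerabilities/sqli/'
)

# Assumption: simplified hand transcriptions of the stock grok patterns the expression uses,
# not Logstash's own grok-patterns file (LOGLEVEL in particular is cut down to common levels).
GROK_LIB = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9]:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?",
    "YEAR": r"(?:\d\d){1,2}",
    "LOGLEVEL": (r"(?:[Ee]rr?(?:or)?|ERR?(?:OR)?|[Ww]arn(?:ing)?|WARN(?:ING)?|[Nn]otice|NOTICE"
                 r"|[Ii]nfo|INFO|[Dd]ebug|DEBUG|[Cc]rit(?:ical)?|CRIT(?:ICAL)?|[Aa]lert|ALERT"
                 r"|[Ee]merg(?:ency)?|EMERG(?:ENCY)?)"),
    "IP": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
}

# The original poster's grok expression, unchanged.
OP_PATTERN = (r"(?<modsecuritytimestamp> %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})\] \[\:%{LOGLEVEL:loglevel}\]"
              r".*client\s%{IP:src_ip}.*ModSecurity:(?<alert_message>.*)")
# Assumption: the "forgotten space" was the one between "\]" and "\[" after the timestamp group.
BROKEN_PATTERN = OP_PATTERN.replace(r"\] \[", r"\]\[", 1)

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(grok: str) -> str:
    """Expand %{NAME} / %{NAME:field} references and Oniguruma-style (?<name>...) groups
    into a Python regex. Unknown pattern names raise KeyError, as grok would refuse them."""
    def expand(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_LIB[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    regex = _GROK_REF.sub(expand, grok)
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)


def parse_error_line(line: str, grok: str = OP_PATTERN) -> Optional[dict]:
    """Return the named captures as a dict, or None when the pattern does not match
    (the equivalent of Logstash tagging the event _grokparsefailure)."""
    m = re.search(grok_to_regex(grok), line)  # grok is unanchored, so search rather than match
    return m.groupdict() if m else None


# [key "value"] pairs; the value may contain backslash-escaped quotes.
_KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
MULTI_VALUED = {"tag"}  # keys ModSecurity repeats, always returned as a list


def parse_modsec_fields(alert_message: str) -> dict:
    """Split the ModSecurity message body into its [key "value"] fields, collecting repeated
    keys into lists and keeping the trailing ', referer: ...' as its own field."""
    fields: dict = {}
    for key, value in _KV.findall(alert_message):
        if key in MULTI_VALUED:
            fields.setdefault(key, []).append(value)
        else:
            fields[key] = value
    ref = re.search(r", referer: (\S+)$", alert_message)
    if ref:
        fields["referer"] = ref.group(1)
    return fields


if __name__ == "__main__":
    event = parse_error_line(SAMPLE)
    print("matched:", event is not None)
    print("src_ip:", event["src_ip"], "loglevel:", event["loglevel"])
    fields = parse_modsec_fields(event["alert_message"])
    print("rule id:", fields["id"], "severity:", fields["severity"], "tags:", fields["tag"])
    print("without the space after the timestamp group:", parse_error_line(SAMPLE, BROKEN_PATTERN))
```

Running it prints the same src_ip, loglevel and field values badger's rubydebug output shows (including the leading space in the timestamp, which comes from the space inside the capture group), and None for the variant without the space: a grok expression is one regex, so a single missing literal makes the whole event fail rather than losing one field.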
