Help with creating configuration file

It's been 2 days and I cannot even break the log into sections.
My log is down below.

[Wed Sep 05 11:45:56.601060 2018] [:error] [pid 5303:tid 140044044035840] [client 192.168.1.3:51297] [client 192.168.1.3] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec. [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "503"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "192.168.1.4"] [uri "/index.html"] [unique_id "W490nPk6P93iw-4gBOMpLAAAAA8"]

The fields I need are marked in bold.
Can anyone help me with an example configuration file for filtering?
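The line quoted above has two distinct shapes inside it: a fixed positional Apache error-log prefix (timestamp, module:level, pid/tid, client) followed by a free-text message and then a run of `[key "value"]` sections appended by ModSecurity, where `tag` repeats. The following added example (written for this post, not from the original poster or from the Logstash project) splits one such line into named fields in Python so the boundaries are visible before they are translated into a grok pattern plus a key/value step. It assumes IPv4 client addresses, tolerates the empty module name in `[:error]`, and the second sample line is a constructed plain Apache error entry used only to show that non-ModSecurity lines are parsed but not reported as alerts.

```python
import re

# Constructed sample input: the first line is the ModSecurity entry quoted in
# the question; the second is a made-up plain Apache error entry.
SAMPLE_LINES = [
    '[Wed Sep 05 11:45:56.601060 2018] [:error] [pid 5303:tid 140044044035840] '
    '[client 192.168.1.3:51297] [client 192.168.1.3] ModSecurity: Warning. '
    'Matched phrase "bin/bash" at ARGS:exec. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] '
    '[line "503"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] '
    '[data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] '
    '[tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] '
    '[tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] '
    '[tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "192.168.1.4"] '
    '[uri "/index.html"] [unique_id "W490nPk6P93iw-4gBOMpLAAAAA8"]',
    '[Wed Sep 05 11:46:01.000000 2018] [core:error] [pid 5303:tid 140044044035840] '
    '[client 192.168.1.3:51300] File does not exist: /var/www/html/favicon.ico',
]

# Positional prefix written by Apache itself. The order is fixed, so this part
# is what a grok pattern would cover. Assumes IPv4 client addresses.
PREFIX_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] '
    r'\[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] '      # module may be empty: "[:error]"
    r'\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] '
    r'\[client (?P<client_ip>[^\]:]+)(?::(?P<client_port>\d+))?\] '
    r'(?:\[client [^\]]+\] )?'                           # ModSecurity repeats the client without port
    r'(?P<rest>.*)$'
)

# Quoted sections appended by ModSecurity: [key "value"]. This is the part a
# key/value step handles generically, whatever keys a given rule emits.
KV_RE = re.compile(r'\[(?P<key>[A-Za-z_]+) "(?P<value>[^"]*)"\]')
MULTI_VALUED = {'tag'}   # keys that legitimately repeat and must not overwrite each other


def parse_line(line):
    """Split one Apache error-log line into a dict; None if the prefix does not match."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    event = {k: v for k, v in m.groupdict().items() if k != 'rest' and v is not None}
    rest = m.group('rest')
    # Free text sits between the prefix and the first quoted section.
    first_kv = KV_RE.search(rest)
    event['message'] = rest[:first_kv.start()].strip() if first_kv else rest.strip()
    for kv in KV_RE.finditer(rest):
        key, value = kv.group('key'), kv.group('value')
        if key in MULTI_VALUED:
            event.setdefault(key + 's', []).append(value)   # tag -> tags: [...]
        else:
            event[key] = value
    return event


def is_modsecurity_alert(event):
    """True when the line carries a ModSecurity rule hit (has a rule id)."""
    return event.get('message', '').startswith('ModSecurity:') and 'id' in event


def parse_log(lines):
    """Parse every line whose prefix matches; unparseable lines are dropped."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def modsecurity_alerts(lines, severities=None):
    """Return only ModSecurity hits, optionally restricted to a set of severities."""
    alerts = [e for e in parse_log(lines) if is_modsecurity_alert(e)]
    if severities is not None:
        alerts = [e for e in alerts if e.get('severity') in severities]
    return alerts


if __name__ == '__main__':
    for alert in modsecurity_alerts(SAMPLE_LINES, severities={'CRITICAL'}):
        print(alert['timestamp'], alert['client_ip'], alert['id'],
              alert['severity'], alert['uri'], alert['msg'])
        print('  tags:', ', '.join(alert['tags']))
```

The split this code makes is the same one a Logstash pipeline needs: a grok pattern for the positional prefix (note that the module name in `[:error]` is empty, so a pattern that requires a word there will not match this line), then a key/value extraction over the remainder, with `tag` treated as a repeated field rather than a single value.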

Wasn't the example I gave you yesterday (in another thread) helpful?

It was working in the grok debugger, but not in the configuration file.

I suggest you continue that thread and show us what configuration you used and what the results coming out of Logstash were.
