How to parse the ModSecurity log? Please help

Hey, I want to parse the mod_security log using Logstash. When I checked Logstash, it is working fine.

logstash.service - logstash
     Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-12-16 13:47:10 UTC; 8min ago
   Main PID: 439976 (java)
      Tasks: 34 (limit: 4710)
     Memory: 581.2M
     CGroup: /system.slice/logstash.service
             └─439976 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+U>

Dec 16 13:47:35 ip-172-31-11-54 logstash[439976]: [2020-12-16T13:47:35,439][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearc>
Dec 16 13:47:35 ip-172-31-11-54 logstash[439976]: [2020-12-16T13:47:35,517][INFO ][logstash.outputs.elasticsearch][main] Using a default >
Dec 16 13:47:35 ip-172-31-11-54 logstash[439976]: [2020-12-16T13:47:35,620][INFO ][logstash.outputs.elasticsearch][main] Attempting to in>
Dec 16 13:47:35 ip-172-31-11-54 logstash[439976]: [2020-12-16T13:47:35,858][INFO ][logstash.javapipeline    ][main] Starting pipeline {:p>
Dec 16 13:47:37 ip-172-31-11-54 logstash[439976]: [2020-12-16T13:47:37,688][INFO ][logstash.javapipeline    ][main] Pipeline Java executi>
Dec 16 13:47:37 ip-172-31-11-54 logstash[439976]: [2020-12-16T13:47:37,934][INFO ][logstash.inputs.file     ][main] No sincedb_path set, >
Dec 16 13:47:37 ip-172-31-11-54 logstash[439976]: [2020-12-16T13:47:37,962][INFO ][logstash.javapipeline    ][main] Pipeline started {"pi>
Dec 16 13:47:38 ip-172-31-11-54 logstash[439976]: [2020-12-16T13:47:38,024][INFO ][logstash.agent           ] Pipelines running {:count=>>
Dec 16 13:47:38 ip-172-31-11-54 logstash[439976]: [2020-12-16T13:47:38,061][INFO ][filewatch.observingtail  ][main][33f4c5ed2f5da08dc2c60>
Dec 16 13:47:38 ip-172-31-11-54 logstash[439976]: [2020-12-16T13:47:38,408][INFO ][logstash.agent           ] Successfully started Logsta>

This is the filter/configuration file I am using right now. Please show me where I have to make the modification in this file.

Log of Logstash:

y=>:disabled}
[2020-12-16T13:47:35,620][INFO ][logstash.outputs.elasticsearch][main] Attempting to install template {:manage_template=>{"index_patterns"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}
[2020-12-16T13:47:35,858][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/0000_header.conf", "/etc/logstash/conf.d/1000_input_stdin_example.conf", "/etc/logstash/conf.d/2000_filter_sections_split.conf", "/etc/logstash/conf.d/2010_filter_section_a_parse.conf", "/etc/logstash/conf.d/2020_filter_section_b_parse_request_line.conf", "/etc/logstash/conf.d/2021_filter_section_b_headers_key-value.conf", "/etc/logstash/conf.d/2030_filter_section_c_parse.conf", "/etc/logstash/conf.d/2060_filter_section_f_parse_request_line.conf", "/etc/logstash/conf.d/2061_filter_section_f_parse_headers.conf", "/etc/logstash/conf.d/2062_filter_section_f_headers_key-value.conf", "/etc/logstash/conf.d/2080_filter_section_h_parse_messages_to_auditLogTrailerMessages.conf", "/etc/logstash/conf.d/2081_filter_section_h_convert_to_key-value.conf", "/etc/logstash/conf.d/2082_filter_section_h_extract_stopwatch.conf", "/etc/logstash/conf.d/2110_filter_section_k_parse_matchedRules.conf", "/etc/logstash/conf.d/2500_filter_cleanup.conf", "/etc/logstash/conf.d/3000_output_stdout_example.conf"], :thread=>"#<Thread:0x1cd608d1 run>"}
[2020-12-16T13:47:37,688][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>1.82}
[2020-12-16T13:47:37,934][INFO ][logstash.inputs.file     ][main] No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/var/lib/logstash/plugins/inputs/file/.sincedb_d93f7c914e44f33a906e09781c1ec728", :path=>["/home/ubuntu/logs/*.log"]}
[2020-12-16T13:47:37,962][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2020-12-16T13:47:38,024][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-12-16T13:47:38,061][INFO ][filewatch.observingtail  ][main][33f4c5ed2f5da08dc2c60137eb619b53d3659a66fec98babc5b238fb7ac3d47b] START, creating Discoverer, Watch with file and sincedb collections
[2020-12-16T13:47:38,408][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
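Added example, not from the original post and not code from Logstash or ModSecurity: a Python parser for the ModSecurity 2.x native ("serial") audit log that carries out the same stages the numbered filter files in the pipeline.sources list are named after (split the entry into sections, parse section A, parse the section B request line and headers, turn the section H Message: lines into key-value fields, extract the Stopwatch timings). Running it against a known entry shows what each stage has to produce, which is the quickest way to see which filter file is at fault when a field is missing from the Logstash output. The sample entry is constructed for this example (addresses, unique id and timings are illustrative), and the parser assumes it is handed whole transactions, everything from the -A- boundary to the -Z- boundary.

```python
"""Parser for the ModSecurity 2.x native ("serial") audit log. Each transaction
is a run of parts delimited by --<boundary>-<LETTER>-- lines: A audit header,
B request, C request body, F response, H trailer, K matched rules, Z end."""
import re

BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
SECTION_A_RE = re.compile(r"^\[(?P<timestamp>[^\]]+)\]\s+(?P<unique_id>\S+)\s+"
                          r"(?P<client_ip>\S+)\s+(?P<client_port>\d+)\s+"
                          r"(?P<server_ip>\S+)\s+(?P<server_port>\d+)\s*$")
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] on Message: lines

# Constructed sample entry: addresses, unique id and timings are illustrative
SAMPLE = """--a1b2c3d4-A--
[16/Dec/2020:13:50:01 +0000] X9n8p7q6r5s4t3u2v1w0 203.0.113.10 54321 10.0.0.5 80
--a1b2c3d4-B--
GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1
Host: www.example.com

--a1b2c3d4-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Stopwatch2: 1608126601000000 2345; combined=1822, p1=412, p2=1310, p3=0, p4=0, p5=100, sr=85, sw=0, l=0, gc=0
Engine-Mode: "ENABLED"
--a1b2c3d4-Z--
"""

def split_sections(text):
    """Group the text into transactions, each a dict of section letter -> body."""
    transactions, current, section, buf = [], {}, None, []
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m is None:
            buf.append(line)
            continue
        if section is not None:
            current[section] = "\n".join(buf).strip("\n")
        section, buf = m.group(2), []
        if section == "Z":  # Z marks the end of the transaction
            transactions.append(current)
            current, section = {}, None
    return transactions

def parse_section_a(body):
    """Section A: [timestamp] unique_id client_ip client_port server_ip server_port"""
    m = SECTION_A_RE.match(body.strip())
    if m is None:
        raise ValueError("malformed section A: %r" % body)
    return {k: int(v) if k.endswith("_port") else v for k, v in m.groupdict().items()}

def parse_request(body):
    """Section B: request line, then Name: value headers up to a blank line."""
    lines = body.split("\n")
    method, _, rest = lines[0].partition(" ")
    uri, _, protocol = rest.partition(" ")
    path, _, query = uri.partition("?")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query,
            "protocol": protocol, "headers": headers}

def parse_section_h(body):
    """Trailer: Message: lines -> rule hits, Stopwatch lines -> timings, rest -> trailer."""
    out = {"messages": [], "stopwatch": {}, "trailer": {}}
    for line in body.split("\n"):
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Message":
            fields = dict(KV_RE.findall(value))  # file, line, id, msg, severity, tag...
            fields["text"] = KV_RE.split(value, 1)[0].strip()  # free text before [..]
            out["messages"].append(fields)
        elif key in ("Stopwatch", "Stopwatch2"):  # "<start> <dur>[; combined=.., p1=..]"
            head, _, tail = value.partition(";")
            start, duration = head.split()[:2]
            out["stopwatch"].update(start_usec=int(start), duration_usec=int(duration))
            for item in tail.split(","):
                k, eq, v = item.strip().partition("=")
                if eq and v.isdigit():
                    out["stopwatch"][k] = int(v)
        else:
            out["trailer"][key] = value
    return out

def parse_audit_log(text):
    """One flat event dict per transaction, combining sections A, B and H."""
    events = []
    for tx in split_sections(text):
        event = parse_section_a(tx["A"]) if "A" in tx else {}
        if "B" in tx:
            event["request"] = parse_request(tx["B"])
        event.update(parse_section_h(tx.get("H", "")))
        events.append(event)
    return events
```

`parse_audit_log(SAMPLE)` yields one event carrying the client address and unique id from section A, the method, path and headers from section B, and a list of rule hits (id, msg, severity, file, line) plus per-phase timings from section H. A Logstash file input emits one line per event, so the same split only works there once a multiline codec has reassembled each transaction on its -Z- boundary; if the poster's output lacks a field, comparing it against the dict this parser returns for the same entry narrows the problem to the one filter file responsible for that section.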
