Hey Gang, I'm really hoping for some help on this one.
Previously we had been struggling to get our Sophos XG working as a WAF solution; this has proven to be a bit daunting, due to the fact that Sophos has basically locked down any useful customizations on the appliance.
This brought us to needing to install ModSecurity on each of our IIS servers. This is probably going to be a home-run solution for us, but logging is a bit hard to get working.
Previously, with the XGs, we had to do a hacky process of tailing the reverse proxy log in the firewall with some creative tools, and while it works OK, it is still just that, a HACK.
Moving on, we immediately fell in love with the server-based install, mainly for the freedom to configure it the way we see fit, but also because this version of ModSecurity reports all warnings, criticals and other information into the Application log under Event Viewer!
This seems like a perfect case for Winlogbeat.
Not only can we look at ModSecurity events, we also get every other event generated, in every respect, at our fingertips in one index. LOVE IT!
What I don't love, and desperately need help figuring out, is how to break apart the event log record. What I mean is that the entire text is placed in the winlog.event_data.param1 field, and I don't know how to break it apart for searching.
For instance, here is what I see in Kibana when I set up the filters agent.hostname: SERVER1 and event.provider: ModSecurity and view the winlog.event_data.param1 field:
[client 192.168.0.0] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "C:/Program Files/ModSecurity IIS/owasp_crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Failed to parse request body."] [tag "event-correlation"] [hostname "SERVER1"] [uri "/xv/xvservices.asmx/CheckClaims"] [unique_id "10016018801918738991"]
This data is all fine and dandy, but if I want to query the field I get stuck.
Nothing comes back, or I just can't seem to figure out how to do it properly.
Suppose I wanted to build some visualizations based on the id number, as in [id "980130"] as shown above.
How do I achieve this task? I don't know if it's something that should be addressed in ECS; I'm not sure. We previously used some filters in Logstash to break down the stream from the firewall itself, but since the data is easily available in Event Viewer I'd love to be able to use this ingestion method, since it's already working and the Logstash route is cumbersome with this particular pipeline. Thanks!
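The record in the post has a regular shape: a leading `[client <ip>]`, a free-text message after `ModSecurity:`, then a run of `[key "value"]` pairs, where `tag` can repeat and `msg`/`data` values can carry `\"` escapes. The parser below, added here as an illustration and not code from the poster, ModSecurity or Elastic, splits one such `winlog.event_data.param1` string into its fields and flattens them into dotted ECS-style keys so `rule.id`, `url.path` and `tags` become separate searchable fields. The sample input is constructed from the line quoted above; the `modsecurity.*` field names, the `inbound_anomaly_score` field derived from the `msg` text, and the choice of ECS targets (`rule.id`, `rule.description`, `url.path`, `file.path`, `host.name`, `source.ip`) are assumptions for the example, not an official mapping.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample input, shaped like the winlog.event_data.param1 text in the post
# (same IP and unique_id as the post; nothing real behind them).
SAMPLE_PARAM1 = (
    '[client 192.168.0.0] ModSecurity: Warning. Operator GE matched 5 at '
    'TX:inbound_anomaly_score. '
    '[file "C:/Program Files/ModSecurity IIS/owasp_crs/rules/RESPONSE-980-CORRELATION.conf"] '
    '[line "73"] [id "980130"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - '
    'SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Failed to parse request body."] '
    '[tag "event-correlation"] [hostname "SERVER1"] '
    '[uri "/xv/xvservices.asmx/CheckClaims"] [unique_id "10016018801918738991"]'
)

# "[client a.b.c.d]" prefix, then the free-text message up to the first [key "value"] pair.
_HEAD = re.compile(
    r'^\s*\[client (?P<client>[^\]]+)\]\s*ModSecurity:\s*(?P<message>.*?)\s*(?=\[\w+ ")',
    re.S,
)
# One [key "value"] pair; the value may contain \" escapes, which ModSecurity emits in msg/data.
_PAIR = re.compile(r'\[(?P<key>\w+) "(?P<value>(?:[^"\\]|\\.)*)"\]')
# Keys that may legitimately appear more than once per event; collected as lists.
_MULTI = {"tag"}
# The CRS correlation message carries the total anomaly score; pulled out as a number
# so it can drive a histogram (assumed field name, see lead-in).
_SCORE = re.compile(r"Total Inbound Score: (\d+)")


def parse_modsec_param1(text: str) -> Optional[Dict[str, Any]]:
    """Split one ModSecurity event-log message into its bracketed fields.

    Returns None when the text is not a ModSecurity message of this shape, so a
    pipeline can leave the raw field alone instead of half-parsing some other event.
    """
    head = _HEAD.match(text)
    if head is None:
        return None
    out: Dict[str, Any] = {
        "client": head.group("client"),
        "message": head.group("message"),
    }
    for m in _PAIR.finditer(text, head.end()):
        key = m.group("key")
        value = m.group("value").replace('\\"', '"')
        if key in _MULTI:
            out.setdefault(key, []).append(value)
        else:
            out[key] = value
    score = _SCORE.search(out.get("msg", ""))
    if score:
        out["inbound_anomaly_score"] = int(score.group(1))
    return out


# ECS targets chosen for this example (an assumption, not an official mapping). rule.id stays
# a string because it is a keyword field in ECS; anything unmapped is kept as modsecurity.<key>.
_ECS_MAP = {
    "client": "source.ip",
    "id": "rule.id",
    "msg": "rule.description",
    "file": "file.path",
    "uri": "url.path",
    "hostname": "host.name",
    "tag": "tags",
}


def to_ecs(parsed: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten parsed fields into dotted ECS-style keys for an index document."""
    return {_ECS_MAP.get(key, f"modsecurity.{key}"): value for key, value in parsed.items()}


if __name__ == "__main__":
    import json
    print(json.dumps(to_ecs(parse_modsec_param1(SAMPLE_PARAM1)), indent=2))
```

The two regexes are the part worth carrying over: the same head pattern and key/value pattern can be reproduced in an Elasticsearch ingest pipeline (a grok processor for the prefix and message, then a kv or second grok over the remainder), with Winlogbeat sending events through it via its `output.elasticsearch.pipeline` setting, so the split happens at ingest and Logstash stays out of the path. Returning `None` for non-matching text matters in that setting too: the Application log carries plenty of other providers' events, and the filter should apply only when `event.provider` is ModSecurity.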