Oh thanks a bunch Andrew.
I'll need to look further into it, I had been trying to use the audit log as the source for ingestion, however the results were not as I had hoped. when using Modsecurity on an IIS server the default logging is sent to the Application event log, that is why I opted to move over to Winlogbeat.
Not only does it grab the modsecurity logging for me it brings in all of the other event channels which is a free value added bonus in our environment.
It felt like the low hanging fruit got lower for a few minutes there..
I'll see if the SecAuditLogFormat JSON directive has any effect on the data inserted into the event log.
It is somewhat confusing for me at times, I'm very green and I have a mountain of expectations to deliver before I have the luxury of sitting down for formal training.. ugh.. catch 22
if you have any other ideas I'd love to hear them. thanks for replying to my post.
Thanks!