Parsing mod_security JSON logs

Hi. I'm hoping someone can provide me with a little guidance and illumination.

I am new to using the ELK stack (as in green as grass) and have been given the task of putting together a system to visualise the output of our mod_security logs; amongst other things (I'm using Wazuh for the HIDS side).

Our system already produces some nice JSON output, the problem being that it is quite complicated and section of the log 'matched_rules' comes through as a nested array of objects e.g.:

chain: boolean,
rules: [
unparsed: text,
is_matched: boolean
]}, ... and many more like this.

I'm pushing these through directly as a beat and not through logstash and so far I'm having no luck in being able to properly index this data so it can be searched.

Does anyone have any pointers? (Not the canine variety though)


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.