Using aggregate to add modsecurity data to previous event

Hi, I have a modsec logfile that looks like this:

[24/Feb/2023:04:34:53 +0100] Y-WoWiTsAtEsT123 14327 8080
POST /its/a/test/dude HTTP/1.1
Content-Type: text/plain
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1
Content-Length: 129
Accept-Language: de-DE,de;q=0.9
Cookie: BIGipServerpool_pfe_https=!WoWiTsAtEsT123=; jsessionid=WoWiTsAtEsT123-WoWiTsAtEsT123-WoWiTsAtEsT123-WoWiTsAtEsT123!WoWiTsAtEsT123!8001!-1!-123123123!WoWiTsAtEsT123!8001!-1





We cannot use the JSON format for ModSecurity. Is there a way to combine this data with the respective header in logstash(--8afa774c-A--)?

We would like the following format:

--8afa774c-A-- [24/Feb/2023:04:34:53 +0100] Y-WoWiTsAtEsT123 14327 ...
--8afa774c-B-- POST /its/a/test/dude HTTP/1.1 Host: Content-Type: text/plain ...

Thanks :slight_smile:

You may be able to use a multiline codec. Something like

input { file { codec => { pattern => "^--" negate => true what => "previous" auto_flush_interval => 5 } ... } }

My input typ is beats i think i cannot use multiline codec in there.


    port => 5044
    codec => multiline {
      pattern => "^--"
      negate => true
      what => "previous"
      auto_flush_interval => 5 }


[2023-02-28T19:55:17,130][ERROR][    ][main] Multiline codec with beats input is not supported. Please refer to the beats documentation for how to best manage multiline data. See

Correct. In that case you would have to do the multiline combination in filebeat instead. You should ask for help in the filebeat forum.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.