Hi, I have a modsec logfile that looks like this:
--8afa774c-A--
[24/Feb/2023:04:34:53 +0100] Y-WoWiTsAtEsT123 12.139.152.111 14327 10.29.14.193 8080
--8afa774c-B--
POST /its/a/test/dude HTTP/1.1
Host: www.my-site.de
Content-Type: text/plain
Origin: https://www.my-site.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1
Referer: https://www.my-site.com/
Content-Length: 129
Accept-Language: de-DE,de;q=0.9
X-Forwarded-For: 123.123.123.123
WL-Proxy-Client-IP: 123.123.123.123
Cookie: BIGipServerpool_pfe_https=!WoWiTsAtEsT123=; jsessionid=WoWiTsAtEsT123-WoWiTsAtEsT123-WoWiTsAtEsT123-WoWiTsAtEsT123!WoWiTsAtEsT123!8001!-1!-123123123!WoWiTsAtEsT123!8001!-1
--8afa774c-C--
data..
--8afa774c-F--
data..
--8afa774c-H--
data..
--8afa774c-Z--
We cannot use the JSON format for ModSecurity. Is there a way to combine this data with the respective header in logstash(--8afa774c-A--)?
We would like the following format:
--8afa774c-A-- [24/Feb/2023:04:34:53 +0100] Y-WoWiTsAtEsT123 12.139.152.111 14327 ...
--8afa774c-B-- POST /its/a/test/dude HTTP/1.1 Host: www.my-site.de Content-Type: text/plain ...
Thanks