Deserializing Modsecurity Audit logs with Apache Flume

This post will be updated in the coming days/weeks. However, when looking at using Apache Flume to ingest some ModSecurity audit logs, it quickly became apparent that Flume's SpoolingDirectorySource lacked the ability to deserialize "events" from a file in which a single event spans many newlines (\n). Lacking this support, and seeing that an outstanding ticket already existed …

Logstash for ModSecurity audit logs

I recently had a need to take tons of raw ModSecurity audit logs and make use of them. I ended up using Logstash as a first-stab attempt at getting them from their raw format into something that could be stored in something more useful, like a database or search engine. Nicely enough, out of the box, …
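Both posts above hinge on the same property of ModSecurity's native (serial) audit log: one event is not one line but a run of sections delimited by `--<boundary>-<letter>--` lines, opened by part A and closed by part Z, with blank lines inside. The following parser is an added example, not code from either post and not part of Flume or Logstash; it shows what a multi-line deserializer for this format has to do (the Flume gap) and flattens each event into a record that could be handed to a database or search engine (the Logstash goal). The audit log text, boundaries, unique IDs, addresses and the rule id `1000001` are all constructed for the example; the third event is deliberately left without its Z section to show the trailing-partial-event case a line-at-a-time reader would mishandle.

```python
import re
from typing import Dict, List, Optional, Tuple

# Boundary line of ModSecurity's native ("serial") audit log format:
# "--<8 hex chars>-<part letter>--". Part A opens an event, part Z closes it,
# so one event spans many physical lines, including blank ones.
BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]{8})-([A-Z])--$")

# Part A header: "[timestamp] unique_id client_ip client_port server_ip server_port"
PART_A_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] (?P<unique_id>\S+) (?P<client_ip>\S+) (?P<client_port>\d+) "
    r"(?P<server_ip>\S+) (?P<server_port>\d+)$"
)

# Rule id as it appears inside part H "Message:" lines: [id "12345"]
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')


def build_record(boundary: str, parts: Dict[str, List[str]]) -> dict:
    """Flatten the raw sections of one complete A..Z event into a storable record."""
    record: dict = {"boundary": boundary, "sections": "".join(sorted(parts))}
    a_lines = [l for l in parts.get("A", []) if l]
    if a_lines:
        m = PART_A_RE.match(a_lines[0])
        if m:
            record.update(m.groupdict())
    b_lines = [l for l in parts.get("B", []) if l]
    if b_lines:
        record["request_line"] = b_lines[0]
        headers: Dict[str, str] = {}
        for hdr in b_lines[1:]:
            name, sep, value = hdr.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        record["request_headers"] = headers
    f_lines = [l for l in parts.get("F", []) if l]
    if f_lines and f_lines[0].startswith("HTTP/"):
        record["status"] = int(f_lines[0].split()[1])
    messages = [l[len("Message: "):] for l in parts.get("H", []) if l.startswith("Message: ")]
    record["messages"] = messages
    record["rule_ids"] = sorted({rid for msg in messages for rid in RULE_ID_RE.findall(msg)})
    return record


def parse_audit_log(text: str) -> Tuple[List[dict], Optional[str]]:
    """Split a native audit log into complete events.

    Returns (records, pending). `pending` is the boundary of a trailing event
    whose Z section has not been written yet (the file is still being appended
    to); a caller should hold those lines back and retry once more data arrives.
    """
    records: List[dict] = []
    current: Optional[dict] = None
    part: Optional[List[str]] = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if not m:
            if part is not None:
                part.append(line)   # body line of the current section
            continue
        boundary, letter = m.groups()
        if letter == "A":
            current = {"boundary": boundary, "parts": {}}   # new event starts
        if current is None or boundary != current["boundary"]:
            current, part = None, None   # section of an event whose A we never saw: drop it
            continue
        if letter == "Z":
            records.append(build_record(boundary, current["parts"]))
            current, part = None, None
        else:
            part = current["parts"].setdefault(letter, [])
    return records, (current["boundary"] if current else None)


# Constructed sample: two complete events and one cut off before its Z section.
SAMPLE_AUDIT_LOG = """\
--ad9bc7d0-A--
[10/Oct/2013:12:34:56 +0000] UmNxQ38AAQEAAGI9Ds0AAAAA 192.0.2.10 54321 198.51.100.5 80
--ad9bc7d0-B--
GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1
Host: www.example.com
User-Agent: curl/7.29.0

--ad9bc7d0-F--
HTTP/1.1 403 Forbidden
Content-Length: 0

--ad9bc7d0-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:select|union)" at ARGS:id. [file "/etc/modsecurity/constructed.conf"] [line "1"] [id "1000001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/)
Engine-Mode: "ENABLED"

--ad9bc7d0-Z--

--5e1c0f22-A--
[10/Oct/2013:12:35:01 +0000] UmNxRX8AAQEAAGI9Ds4AAAAB 192.0.2.11 40000 198.51.100.5 443
--5e1c0f22-B--
GET /about.html HTTP/1.1
Host: www.example.com

--5e1c0f22-F--
HTTP/1.1 200 OK
Content-Type: text/html

--5e1c0f22-H--
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/)
Engine-Mode: "DETECTION_ONLY"

--5e1c0f22-Z--

--7fa30b91-A--
[10/Oct/2013:12:35:09 +0000] UmNxTX8AAQEAAGI9Ds8AAAAC 192.0.2.12 40010 198.51.100.5 80
--7fa30b91-B--
POST /login HTTP/1.1
Host: www.example.com
"""

RECORDS, PENDING = parse_audit_log(SAMPLE_AUDIT_LOG)

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["unique_id"], rec["client_ip"], rec["request_line"], rec["status"], rec["rule_ids"])
    print("pending event boundary:", PENDING)
```

The key design point is that the event boundary is the `-Z--` line, not `\n`: a deserializer that emits on every newline will split one audit event into dozens of meaningless fragments, and one that emits on `-A--` will ship the last event before it is complete. Keying sections on the boundary token also drops stray sections from an event whose start was never seen, which happens when a reader starts mid-file.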