forked from bitsofinfo/logstash-modsecurity
-
Notifications
You must be signed in to change notification settings - Fork 0
/
2000_filter_sections_split.conf
45 lines (43 loc) · 1.82 KB
/
2000_filter_sections_split.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
filter {
if [type] == "mod_security" {
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Due to the complexity of the collapsed single string
# we get from multiline and the variance of exactly
# which modsec sections (A-K) may or may not be in each
# log entry, we run some custom ruby code that will
# split on each modsec "section" and store each found in
# new fields named "rawSection[A-K]" as appropriate, the value
# of each of these fields contains the raw un-parsed data
# from that modsec section. Sections that are non-existant
# will not have a key in "fields"
#
# A bit long and crazy yes, but after spending many hours
# just doing this w/ grok patterns, this ended up being the
# most reliable way to break up this in-consistent format into
# more usable blocks
#
# @see https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
#
# READ the above to get a good understanding of the sections
# and which ones can actively contain data depending on your modsec
# version and environment!
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ruby {
code => "
if !event['message'].nil?
modSecSectionData = event['message'].split(/(?:--[a-fA-F0-9]{8}-([A-Z])--)/)
modSecSectionData.shift
for i in 0..((modSecSectionData.length-1)/2)
sectionName = 'rawSection'.concat(modSecSectionData.shift)
sectionData = modSecSectionData.shift
sectionName = sectionName.strip
if !sectionData.nil?
sectionData = sectionData.strip
end
event.to_hash.merge!(sectionName => sectionData)
end
end
"
}
}
}