Adding modsecurity acquisitions

dimmthewitted · January 26, 2022, 4:52pm

When I try to replay a modsecurity log I get an error that there are no matching patterns.

I have the modsecurity collection installed.

When I look at my acquistion list:
cat acquis.yaml

I only see apache2 log filenames.
I do not see: modsec_audit.log or mod_jk.log
I believe these are default out of box log files.

I have the parser.

PARSERS

crowdsecurity/modsecurity enabled 0.9 /etc/crowdsec/parsers/s01-parse/modsecurity.yaml

Is it possible the parsers don’t have patterns for these modsecurity logs?
Do I need to re-run my wizard.sh or manually add to the acquis.yaml ?

I wonder if there is a list of what log files / collections that there exists patterns in the parsers.

BRSS73 · January 28, 2022, 12:23pm

The modsecurity parser use the Apache error log file.

Add this to your acquis.yaml file (adjust the error log according your configuration):

filenames:
  - /var/log/apache2/error.log
labels:
  type: modsecurity
---

Topic		Replies	Views
Issue with Apache / modsec - replay	4	1019	January 28, 2022
Modsecurity parser failures crowdsec	1	19	December 2, 2024
ModSecurity with Nginx: not parsed?	8	1468	October 24, 2023
ModSecurity with Nginx: not parsed but in k8s env? crowdsec	1	309	March 7, 2024
What types for apache / modsec Replay old logs? crowdsec	2	639	January 24, 2022