Hi, I have some problems with the modsecurity parser.
My setup seems ok but I always get zero parsed lines from log analysis even with modsecurity critical notification.
My acquis.yaml file:
filenames:
  - /var/log/apache2/error.log
labels:
  type: modsecurity
---
Parser metrics:
│ Parsers                          │ Hits   │ Parsed │ Unparsed │
├──────────────────────────────────┼────────┼────────┼──────────┤
│ child-crowdsecurity/apache2-logs │ 8.54k  │ 7.04k  │ 1.50k    │
│ child-crowdsecurity/http-logs    │ 21.12k │ 16.88k │ 4.24k    │
│ child-crowdsecurity/modsecurity  │ 3.00k  │ -      │ 3.00k    │
│ child-crowdsecurity/syslog-logs  │ 9.96k  │ 9.96k  │ -        │
│ crowdsecurity/apache2-logs       │ 7.04k  │ 7.04k  │ -        │
│ crowdsecurity/cdn-whitelist      │ 1      │ 1      │ -        │
│ crowdsecurity/dateparse-enrich   │ 7.04k  │ 7.04k  │ -        │
│ crowdsecurity/geoip-enrich       │ 7.04k  │ 7.04k  │ -        │
│ crowdsecurity/http-logs          │ 7.04k  │ 5.48k  │ 1.56k    │
│ crowdsecurity/modsecurity        │ 1.50k  │ -      │ 1.50k    │
│ crowdsecurity/non-syslog         │ 8.54k  │ 8.54k  │ -        │
│ crowdsecurity/rdns               │ 1      │ 1      │ -        │
│ crowdsecurity/seo-bots-whitelist │ 1      │ 1      │ -        │
│ crowdsecurity/syslog-logs        │ 9.96k  │ 9.96k  │ -        │
│ crowdsecurity/whitelists         │ 7.04k  │ 7.04k  │ -        │
What am I doing wrong?
Thank you