What types for apache / modsec Replay old logs?

Replay documentation is a great start!

What are the replay types I should use with: -type log_file_type?
I would guess that these match the collection yaml tags.

such as:
cat /etc/crowdsec/collections/apache2.yaml
tags:

  • linux
  • apache2
  • crawl
  • scan

So we would have to put type: apache2, not apache or httpd, but then I look at:
cat /etc/crowdsec/collections/modsecurity.yaml
tags:

  • linux
  • web
  • waf

So if we want to manually inspect an apache / modsec stack,

we have to manually run this for each file:
Apache:
crowdsec -dsn file:///var/log/httpd/NonDefaultSite/ssl_error_log-20211205 -type apache2
crowdsec -dsn file:///var/log/httpd/NonDefaultSite/error_log-20211205 -type apache2
crowdsec -dsn file:///var/log/httpd/NonDefaultSite/access_log-20211205 -type apache2

ModSecurity:
crowdsec -dsn file:///var/log/httpd/NonDefaultSite/modsec_audit.log-20211205 -type waf
crowdsec -dsn file:///var/log/httpd/NonDefaultSite/mod_jk.log-20211205 -type waf
crowdsec -dsn file:///var/log/httpd/NonDefaultSite/mod_rewrite-20211205 -type waf

Are the above collection types for manually loading files into the Metabase dashboard correct?

Thank you!

Hello !

You should match the type from the acquisition. So for apache2 it would be -type apache2 and for modsecurity it would be -type modsecurity :slight_smile:

Yes they will!

You’re welcome :slight_smile:

Makes sense. For later clarification:

An acquisition is a log. A collection can be a single or group of acquisitions or logs collected.

from:

Acquisitions contain a parser and a tag.

When adding a file for manual replay the type declared should be the type of the collection after the crowdsecurity/.

cscli collections list

Examples:

Apache:
crowdsec -dsn file:///var/log/httpd/NonDefaultSite/access_log-20201204 -type apache2

ModSecurity:
crowdsec -dsn file:///var/log/httpd/NonDefaultSite/modsec_audit.log-20201204 -type modsecurity
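As an added example (not code from this thread or from the CrowdSec project): the reply above says the -type value has to match the acquisition, and the last post shows the resulting replay commands. The Python helper below ties the two together: it reads an acquisition config in the flat filenames/labels shape of acquis.yaml, resolves the type for a rotated log file through the acquisition's filename globs, and builds the crowdsec replay command line. The acquisition globs, the file names and the sample config are constructed assumptions; the tiny parser only understands the flat shape shown and is not the project's YAML loader.

```python
import fnmatch
import shlex

# Constructed sample in the shape of /etc/crowdsec/acquis.yaml (one document
# per source, separated by ---). Not a real host's file; the globs are assumed.
SAMPLE_ACQUIS = """\
filenames:
  - /var/log/httpd/*/access_log*
  - /var/log/httpd/*/error_log*
  - /var/log/httpd/*/ssl_error_log*
labels:
  type: apache2
---
filenames:
  - /var/log/httpd/*/modsec_audit.log*
labels:
  type: modsecurity
"""


def parse_acquis(text):
    """Parse the flat filenames/labels subset of acquis.yaml into a list of
    (globs, type) pairs. Assumption: no nesting beyond what SAMPLE_ACQUIS
    shows; a real deployment would use a YAML library instead."""
    sources = []
    for doc in text.split("\n---"):
        globs, log_type, section = [], None, None
        for raw in doc.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or line == "---":
                continue
            if line == "filenames:":
                section = "filenames"
            elif line == "labels:":
                section = "labels"
            elif section == "filenames" and line.startswith("- "):
                globs.append(line[2:].strip())
            elif section == "labels" and line.startswith("type:"):
                log_type = line.split(":", 1)[1].strip()
        if globs and log_type:
            sources.append((globs, log_type))
    return sources


def type_for(path, sources):
    """Return the acquisition type whose filename glob covers `path`,
    or None when no acquisition claims the file."""
    for globs, log_type in sources:
        if any(fnmatch.fnmatch(path, pattern) for pattern in globs):
            return log_type
    return None


def replay_command(path, sources):
    """Build the replay command for one rotated log file, using the same
    -dsn file:///path -type <acquisition type> form as the posts above.
    Returns None for files no acquisition covers, so they are noticed
    instead of being replayed with a guessed type."""
    log_type = type_for(path, sources)
    if log_type is None:
        return None
    # shlex.quote leaves plain paths untouched and protects odd file names.
    return f"crowdsec -dsn file://{shlex.quote(path)} -type {log_type}"


if __name__ == "__main__":
    # Constructed rotated-log names modelled on the first post.
    rotated = [
        "/var/log/httpd/NonDefaultSite/access_log-20201204",
        "/var/log/httpd/NonDefaultSite/ssl_error_log-20201204",
        "/var/log/httpd/NonDefaultSite/modsec_audit.log-20201204",
        "/var/log/httpd/NonDefaultSite/mod_jk.log-20201204",
    ]
    acquisitions = parse_acquis(SAMPLE_ACQUIS)
    for log_file in rotated:
        cmd = replay_command(log_file, acquisitions)
        print(cmd if cmd else f"# no acquisition covers {log_file}; skipping")
```

Files that no acquisition covers (mod_jk.log and mod_rewrite from the first post, with the sample config above) get a skip line rather than a command, which is the check worth doing before a bulk replay: a file fed in under a type no parser claims produces no parsed lines and nothing on the dashboard.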