ModSecurity
Splunk is the perfect solution to monitor your log files, and ModSecurity is the ultimate WAF to secure your web application.
ModSecurity integrates with Apache, Nginx or IIS and can mitigate bad behavior against your web application.
What can the app for ModSecurity do for you?
The app for ModSecurity includes three different dashboards and a couple of searches which visualize your ModSecurity events in a useful way. The app also includes a .csv file listing some open proxies; you may manually update this .csv file with more known proxies or other bad IP addresses, and the app for ModSecurity then correlates this information with your ModSecurity events.
Dependencies:
This app uses MaxMind to do local geo mapping and Sideview Utils for populating dropdown menus.
This app is developed for the OWASP CRS ruleset and ModSecurity; both serial and concurrent audit logging in ModSecurity work.
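As an added example (not part of the app or its code) of the serial-format modsec_audit.log events the app ingests and of the .csv correlation described above, this Python snippet splits a constructed two-event audit log into its A/B/H/Z sections, pulls out the client IP, request line and matched rule ids, and flags events whose client IP appears in a constructed stand-in for the app's proxy list. The boundary ids, addresses, rule ids and messages are made-up sample values.

```python
import re
# Constructed serial-mode modsec_audit.log excerpt (sections A, B, H, Z); all ids,
# addresses, rule ids and messages are made-up sample values.
SAMPLE_LOG = """\
--1a2b3c4d-A--
[10/Nov/2013:12:34:56 +0000] UoHbYH8AAQEAAAoSDuwAAAAA 192.0.2.10 54321 198.51.100.5 80
--1a2b3c4d-B--
GET /index.html HTTP/1.1
--1a2b3c4d-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "900100"] [msg "Request missing an Accept header"] [severity "NOTICE"]
--1a2b3c4d-Z--
--5e6f7a8b-A--
[10/Nov/2013:12:35:01 +0000] UoHbZX8AAQEAAAoSDu0AAAAB 203.0.113.7 40001 198.51.100.5 80
--5e6f7a8b-B--
POST /login HTTP/1.1
--5e6f7a8b-H--
Message: Access denied with code 403 (phase 2). [id "900200"] [msg "Request rate limit exceeded"] [severity "CRITICAL"]
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "900100"] [msg "Request missing an Accept header"] [severity "NOTICE"]
--5e6f7a8b-Z--
"""
# Constructed stand-in for the app's proxy / bad-IP .csv lookup file.
SAMPLE_CSV = "ip,note\n203.0.113.7,constructed open proxy entry\n"
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")                 # --<id>-<section>--
SECTION_A = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)")  # ts uid src sport dst dport
RULE = re.compile(r'\[id "(\d+)"\](?: \[msg "([^"]*)"\])?')          # rule id and optional msg

def parse_audit_log(text):
    """Split a serial audit log into events; each event becomes a dict of fields."""
    events, sections, cur = [], {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(2) == "Z":              # the Z boundary closes an event
            events.append(_fields(sections))
            sections, cur = {}, None
        elif m:                                  # any other boundary opens a section
            cur = m.group(2)
            sections[cur] = []
        elif cur is not None:
            sections[cur].append(line)
    return events

def _fields(s):
    a = SECTION_A.match(s["A"][0])               # section A: timestamp, unique id, addresses
    rules = RULE.findall("\n".join(s.get("H", [])))  # section H: one Message line per rule hit
    return {"unique_id": a.group(2), "client_ip": a.group(3), "request": s.get("B", [""])[0],
            "rule_ids": [r[0] for r in rules], "msgs": [r[1] for r in rules]}

def flag_known_bad(events, csv_text):
    bad = {row.split(",")[0] for row in csv_text.splitlines()[1:]}  # skip the header row
    return [e["unique_id"] for e in events if e["client_ip"] in bad]
```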
"ModSecurity is a product developed by Trustwave's SpiderLabs Team https://www.trustwave.com/spiderLabs.php and made available under an open source licence.
SpiderLabs is engaged to popularize web application firewall technologies and make them widely accessible."
Download the app and extract the .gz under your $SPLUNK_HOME/etc/apps directory on your search head, or install it within the manager.
Restart your Splunk instance.
If you have a separate index server, copy the props.conf file located under $SPLUNK_HOME/etc/apps/modsecurity/default/ to your indexing servers.
The default config assumes that your modsec_audit.log file has the sourcetype "modsec_audit" and that you are using the default "main" index to store your events.
If you want to use another sourcetype or index, you need to change the configuration so it matches your environment. You can change the configuration within the included configuration page under the main menu "app for ModSecurity -> Configuration".
If you want to make the change manually, this is where the configuration takes place:
In "Splunk -> Manager -> Advanced search -> Search macros" change the following stanzas.
modsec_index -> index="your indexes"
modsec_src -> sourcetype="your modsec sourcetype name"
Licenses
Splunk for ModSecurity uses third-party components.
Updated to support iOS (iPad, iPhone), which means no more Flash graphs.
This update includes configuration control for Sideview Utils, improvements to the menu and a change to the event search.
Minor changes, including a README.txt.