made a note about section E and fix doc

bitsofinfo · bitsofinfo · commit 6af0db004935 · 2014-01-28T09:23:33.000-07:00
diff --git a/logstash-modsecurity.conf b/logstash-modsecurity.conf
@@ -29,6 +29,11 @@
 # Recommend you run this without the "-- web" option and just
 # hook up Kibana separately.
 #
+# Enable the "-v" verbose option when starting logstash
+# to aid in debugging things. Disable the "-v" option
+# when running in real/non-debug environment
+#
+#
 ##########################################################
 ##########################################################
 
@@ -62,7 +67,7 @@ filter {
   # which modsec sections (A-K) may or may not be in each
   # log entry, we run some custom ruby code that will
   # split on each modsec "section" and store each found in
-  # new fields named "section[X]" as appropriate, the value
+  # new fields named "rawSection[A-K]" as appropriate, the value
   # of each of these fields contains the raw un-parsed data
   # from that modsec section. Sections that are non-existant
   # will not have a key in "fields"
@@ -71,6 +76,12 @@ filter {
   # just doing this w/ grok patterns, this ended up being the
   # most reliable way to break up this in-consistent format into
   # more usable blocks
+  #
+  # @see https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
+  #
+  # READ the above to get a good understanding of the sections
+  # and which ones can actively contain data depending on your modsec
+  # version and environment!
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
   ruby {
@@ -144,6 +155,15 @@ filter {
      }
 
   }
+  
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  # Optionally deal w/ Section E (intended response data)
+  # this is not always present
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+  if [rawSectionE] =~ /.+/ {
+    # you can deal w/ this if you want to here...
+  }
 
 
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -393,8 +413,18 @@ filter {
 }
 
 output {
+
+  # turn this off when ready to run in a 
+  # real prod environment and get rid of the 
+  # "-v" flag when starting logstash
   stdout {
     debug => true
   }
-   elasticsearch { embedded => true }
+  
+  # ideally you do NOT want to be running an 
+  # embedded elasticsearch in your logstash 
+  # process, you should be writing to a remote
+  # elasticsearch instance (i.e. at least another
+  # separate process from the logstash engine)
+  elasticsearch { embedded => true }
 }
