Merge pull request #10 from equick/master

updates for Redhat based systems

Author: bitsofinfo

README.md

@@ -29,5 +29,23 @@ This config file for whatever reason will not run if you try to add the "-- web"
 
 Also recommend you start logstash like "java -jar logstash-x.x.x-flatjar.jar agent -v -f /yourConf.conf"  The "-v" will give verbose output and help you debug issues. Also DON'T run in "-v" mode in a prod environment as you will end up outputting a ton of data to your console and/or logstash stdout capture file. (if you have one)
 
+Further note for Centos/Red Hat/Fedora Systems
+----------------------------------------------
 
+If logstash has been installed from the logstash repository (http://www.logstash.net/docs/1.4.2/repositories), follow these steps:
+
+1. Set the path in logstash-modsecurity.conf to path => "/var/log/httpd/modsec_audit.log"
+2. Copy logstash-modsecurity.conf to /etc/logstash/conf.d
+3. Copy logstash_modsecurity_patterns to /opt/logstash/patterns/
+4. Give read access to the logstash user on /var/log/httpd/modsec_audit.log
+
+`setfacl -m u:logstash:r /var/log/httpd/modsec_audit.log`
+
+5. Restart the logstash agent
+
+`systemctl restart logstash`
+
+6. Confirm mod_security messages are logged to standard output
+
+`tail -f /var/log/logstash/logstash.stdout`
 

logstash-modsecurity.conf

@@ -44,6 +44,7 @@ input {
     # that your server writes these log files in
     charset => "US-ASCII"
     path => "/path/to/your/modsec/audit/logs/*.log"
+    type => "mod_security"
   }
 }
 
@@ -59,6 +60,7 @@ filter {
     pattern => "^--[a-fA-F0-9]{8}-A--$"
     negate => true
     what => previous
+    type => "mod_security"
   }
 
 
@@ -180,7 +182,7 @@ filter {
               match => {
                       "rawSectionF" => "(?<serverProtocol>.+?)\s(?<responseStatus>.+)$"
                       }
-              patterns_dir => "./patterns/modsecurity_grok_patterns"
+              patterns_dir => "./patterns/logstash_modsecurity_patterns"
       }
 
   # response section (WITH headers)
@@ -191,7 +193,7 @@ filter {
             match => {
                     "rawSectionF" => "(?<serverProtocol>.+?)\s(?<responseStatus>.+)\n{1}"
                     }
-            patterns_dir => "./patterns/modsecurity_grok_patterns"
+            patterns_dir => "./patterns/logstash_modsecurity_patterns"
     }
 
   } 
@@ -431,14 +433,6 @@ output {
   # turn this off when ready to run in a 
   # real prod environment and get rid of the 
   # "-v" flag when starting logstash
-  stdout {
-    debug => true
-  }
+  stdout { }
 
-  # ideally you do NOT want to be running an 
-  # embedded elasticsearch in your logstash 
-  # process, you should be writing to a remote
-  # elasticsearch instance (i.e. at least another
-  # separate process from the logstash engine)
-  elasticsearch { embedded => true }
 }