Ship Your ModSecurity Logs to Logz.io Cloud SIEM

ModSecurity & Logz.io

Now, you can ship ModSecurity logs to Logz.io to automatically surface high-priority attacks identified by ModSecurity. Logz.io will automatically parse those logs to project a greater bird’s-eye-view of your security situation within dedicated dashboards.

ModSecurity is a widely used web application firewall (WAF) that helps secure web servers. It supports Apache HTTP Server, IIS, and NGINX, and can be deployed either as a proxy server or embedded within the web server itself, sitting on top of the server alongside any plugins or add-ons. ModSecurity works with the OWASP ModSecurity Core Rule Set (CRS), which contains a number of prebuilt patterns for identifying attacks.

The current iteration, ModSecurity 3.0, operates separately from Apache rather than as an Apache module, as earlier versions did. ModSecurity also exposes a Lua API for advanced NGINX users (NGINX is built in Lua).

The first step is to set up the shipping method from the firewalls to Logz.io.

There are some prerequisites before installing:

  1. An Apache2 web server and terminal access to the server's instance
  2. Install the ModSecurity module
  3. Import the OWASP ModSecurity Core Rule Set (CRS)
  4. Install Filebeat 7 (full tutorial)

To connect ModSecurity to Logz.io, first download the Logz.io public certificate:

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Next, open your Filebeat configuration file, filebeat.yml, and add the following input:

filebeat.inputs:
- type: log
  paths:
    - /var/log/apache2/error.log
    - /var/log/apache2/access.log
  fields:
    logzio_codec: json
    token: <<LOGZIO-SHIPPING-TOKEN>>
    type: modsecurity
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h

# If you are on a version of the ELK Stack prior to 7, use the path /var/lib/filebeat/registry instead
filebeat.registry.path: /var/lib/filebeat

Next, configure the Filebeat processors:

processors:
- rename:
    fields:
      - from: "agent"
        to: "beat_agent"
    ignore_missing: true
- rename:
    fields:
      - from: "log.file.path"
        to: "source"
    ignore_missing: true

And finally, the output to Logz.io:

output:
  logstash:
    hosts: ["<<LISTENER-HOST>>:5015"]
    ssl:
      certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Once Filebeat is running and the CRS rules are imported, you will also receive some static ModSecurity logs that do not originate from the CRS rules.

Then go to the prebuilt ModSecurity – Malicious Activity dashboard to see the logs.

Logz.io highlights five main rules for ModSecurity. The first one, detecting SQL information leaks, detects attempts to get into the network and is set at medium severity. In the event of such an alert, hit Investigate to see the logs and review the fields msg, data, and modsecmessage. Then rule out penetration testing and extract the IOC. The other four are all rated at high severity: cross-site scripting, remote command execution, high-risk PHP function calls, and SQL injection attacks.

You can set up easy alerts based on any of these rules.

Let’s break down what’s happening in this dashboard. Within each donut chart, the middle section represents the top five IPs or hosts; the outer layer represents the remainder. 

The first chart highlights Malicious SQL activity, organizing events by host. XSS activity refers to cross-site scripting, detected also via the host. Injection activities might indicate a longer chain of attacks that will also appear in the previous two charts. 

Put another way, any incident might present itself in multiple vectors, thus appearing in multiple parts of your logs. 

Knowing where and how frequently those incidents show up paints a much better picture of what the ModSecurity firewall is contending with.
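As an added example that is not from the post or Logz.io, the following Python parses the bracketed fields ModSecurity writes into Apache's error.log (the msg, data, and severity fields the post says to review), maps each alert onto the five rule categories via its CRS tags, and counts alerts per host the way the donut charts do. The tag-to-category and severity mapping is an assumption made here, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Bracketed key "value" pairs ModSecurity appends to each alert; "[client ip:port]" is Apache's prefix.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]:]+)')  # IPv4 client address assumed

# CRS 3.x tags -> the five rule categories and severities the post lists (assumed mapping, not Logz.io's).
CATEGORIES = {
    "attack-disclosure": ("SQL information leak", "medium"),
    "attack-xss": ("Cross-site scripting", "high"),
    "attack-rce": ("Remote command execution", "high"),
    "attack-injection-php": ("High-risk PHP function call", "high"),
    "attack-sqli": ("SQL injection", "high"),
}

# Constructed sample error.log lines (documentation IPs and hosts; rule ids are illustrative).
SAMPLE_LINES = [
    '[Wed Jan 15 10:00:01 2020] [:error] [pid 1001] [client 203.0.113.5:50001] ModSecurity: Warning. '
    'detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via '
    'libinjection"] [data "Matched Data: found within ARGS:id"] [severity "CRITICAL"] '
    '[tag "attack-sqli"] [tag "OWASP_CRS"] [hostname "shop.example.com"] [uri "/item"]',
    '[Wed Jan 15 10:00:02 2020] [:error] [pid 1001] [client 198.51.100.7:50002] ModSecurity: Warning. '
    'Pattern match "..." at RESPONSE_BODY. [id "951000"] [msg "SQL Information Leakage"] '
    '[severity "CRITICAL"] [tag "attack-disclosure"] [hostname "shop.example.com"] [uri "/item"]',
]

def parse_modsec_line(line):
    """Return the alert's fields (id, msg, data, severity, hostname, tags, client) or None."""
    if "ModSecurity:" not in line:
        return None  # ordinary Apache error, not a WAF alert
    pairs = FIELD_RE.findall(line)
    fields = {k: v for k, v in pairs if k != "tag"}
    fields["tags"] = [v for k, v in pairs if k == "tag"]  # tag repeats, so keep all of them
    m = CLIENT_RE.search(line)
    fields["client"] = m.group(1) if m else None
    return fields

def classify(fields):
    """Map a parsed alert to (category, severity) via its CRS tags; None if it is none of the five."""
    return next((CATEGORIES[t] for t in fields["tags"] if t in CATEGORIES), None)

def summarize(lines):
    """Count classified alerts per (category, hostname), as the dashboard's donut charts do."""
    counts = Counter()
    for fields in filter(None, map(parse_modsec_line, lines)):
        hit = classify(fields)
        if hit:
            counts[(hit[0], fields["hostname"])] += 1
    return counts
```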

Select any log to get deeper detail:

ModSecurity log example

Conclusion

Collecting and coalescing data from a sprawl of tools is likely to define the beginning of the new decade in DevOps. Logz.io streamlines all that data using a set of rules and dashboards to offer a wide window into your entire security stack, from firewalls to endpoints, and to identify attacks. The result is a firewall you can use and monitor for quality thanks to Logz.io Cloud SIEM, protecting your network while maintaining insight into its security.
