Skip to content

My Research project about integrating Modsecurity log with ELK-Stack (Elastic Search, Logstash, and Kibana ) as Web Dashboard i.e GUI for analysing the log and manage them as statistical graph based on the real time attacks.

Notifications You must be signed in to change notification settings

Intika-Linux-Server/WAF-Log-Modsecurity-Dashboard

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 

Repository files navigation

Modsecurity-WAF-Dashboard (ELK-Stack)

Research Project aboiut integrating Modsecurity log with ELK-Stack (Elastic Search, Logstash, and Kibana ) as Web Dashboard i.e GUI for analysing the log and manage them as statistical graph based on the real time attacks.

[FOS] Demo WAF Dashboard

Alt text

Set Up Instruction:

  1. Install ModSecurity 2.x in your machine and configure the SecAuditLogType as Serial
  2. Configure SecAuditLog /var/log/modsecurity/audit/modsec_audit.json
  3. Dowload ELK latest version or 5.4.0 tar archieve or install it in machine

Note: I tried with 5.4.0 version by downloading the tar file and running it directly in my machine, it was working fine. I am not sure about lastest version.

 - Elasticsearch-5.4.0
 - Kibana-5.4.0
 - logstash-5.4.0
  1. Create Logstash cofig file and provide the following config with log path as mention below
   input {
       file{
           type => "modsecurity"
           path => ["/var/log/modsecurity/audit/modsec_audit.json"]
           start_position => beginning         
       }

  }
  filter {
    json {
   source => "message"
  }
  }

  output {
       elasticsearch {
           hosts => "localhost"
           index => "logstash.json"
       }

       stdout {
           codec => rubydebug
       }
   }

  1. Run Elastic Search binary directly from bin directory i.e /**/elasticsearch-5.4.0/bin or start the service if you have installed it
  2. Run Kibana binary directly from bin directory with sudo i.e /**/kibana-5.4.0-linux-x86_64/bin or start the service if you have installed it.
  3. Run the Logstash binary with option -f providing your logstash config file location with sudo if required.
  4. Check the status Elastic Search, Kibana & Logstash in terminal if you are running directly as binary.
  5. Go to http://localhost:5601/ (Kibana UI)
  6. Click Management section and select index pattern
  7. Click add button and provide pattern as * and click create.
  8. Go to dashboard section and click your index pattern.
  9. Select required field to show in dashboard from avaiable field secction and click add.
  10. Start testing the Web application with malicious payload, which will be logged by modsecurity.
  11. ModSecurity log event will be indexed by kibana and will be show in dashboard as real time.

Support !

Email address: [email protected] for more details.

Useful links:

  1. Modsecurity
  2. Kali
  3. ELK-Stack

About

My Research project about integrating Modsecurity log with ELK-Stack (Elastic Search, Logstash, and Kibana ) as Web Dashboard i.e GUI for analysing the log and manage them as statistical graph based on the real time attacks.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published