
ModSecurity Add-on for Splunk

Splunk AppInspect Passed
ModSecurity Add-on for Splunk provides CIM compliant field extractions and data enrichment for your ModSecurity Web Application Firewall data. The Add-on can be used on its own to normalize your Web Application Firewall data, or together with ModSecurity App for Splunk to benefit from its preconfigured dashboards.

Version 1.4.2

Install ModSecurity Add-on for Splunk:

Deploy ModSecurity Add-on for Splunk on your Splunk platform. In a distributed environment, ModSecurity Add-on for Splunk needs to be deployed on the Search Head as well as on the Indexer(s), because the sourcetype's TIME_FORMAT and line-breaking settings apply at index time while the field extractions apply at search time.

Enable audit logging in ModSecurity

ModSecurity audit logs need to be enabled and several resources describe the process. One of them is the reference manual hosted on GitHub: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secauditengine

Collect ModSecurity audit logs

The Splunk Universal Forwarder on the host running ModSecurity should be configured to monitor ModSecurity's audit log and forward it to your Splunk Indexer or Heavy Forwarder.

To achieve this, a local inputs.conf should be configured manually or deployed via a Deployment Server to monitor the modsec_audit.log file, whose default location is /var/log/httpd/modsec_audit.log.

A sample configuration is provided in the Add-on README directory:

[monitor:///var/log/httpd/modsec_audit.log]
sourcetype = modsec:audit

If needed, please refer to "Monitor files and directories using the Universal Forwarder" on Splunk Docs.

ModSecurity data can be indexed in the default main index as well as in a dedicated one.

If the data is indexed in a dedicated index, that index should be searchable by default for the relevant role. This is configured under Settings : Access controls : Roles : <role to edit>, where the ModSecurity dedicated index (if any) should be added both to "Indexes" and to "Indexes searched by default".

Sourcetype:

The configured sourcetype is "modsec:audit"

CIM Tags:

  • Alerts
  • Intrusion Detection
  • Web
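As an added example (not code from the add-on or from this page), here is a small Python parser for the ModSecurity 2.x serial audit log format that the monitor stanza above collects, pulling out the kind of fields the Intrusion Detection and Web data models expect (src, dest, http_method, action, rule id, severity). The sample entry, the part letters handled (A, B, F, H, Z) and the output field names are assumptions; the add-on's own extractions are defined in its props.conf and transforms.conf, not here.

```python
import re
# Constructed ModSecurity 2.x serial-format audit entry (sample, not a real log): A=header, B=request, F=response, H=trailer, Z=end.
SAMPLE_ENTRY = """--7ce2ab3c-A--
[22/Jan/2019:10:15:32 +0100] XEbyoX8AAQEAAB9vQRYAAAAA 203.0.113.10 51234 192.0.2.5 443
--7ce2ab3c-B--
GET /index.php HTTP/1.1
Host: 192.0.2.5

--7ce2ab3c-F--
HTTP/1.1 403 Forbidden

--7ce2ab3c-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [tag "attack-protocol"]
Action: Intercepted (phase 2)
--7ce2ab3c-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)  # part boundary lines
HEADER_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<src_port>\d+) "
                       r"(?P<dest>\S+) (?P<dest_port>\d+)")
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs on Message: lines

def split_parts(entry: str) -> dict:
    """Map each part letter (A, B, F, H, ...) to the text between its boundary and the next one."""
    marks = list(SECTION_RE.finditer(entry))
    parts = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts

def parse_audit_entry(entry: str) -> dict:
    """Extract CIM-style fields (src, dest, http_method, action, rule ids) from one audit entry."""
    parts = split_parts(entry)
    hdr = HEADER_RE.match(parts["A"])
    if hdr is None:
        raise ValueError("part A is not a ModSecurity audit header")
    method, uri, _version = parts["B"].splitlines()[0].split(maxsplit=2)
    status = int(parts["F"].splitlines()[0].split()[1]) if parts.get("F") else None
    trailer = parts.get("H", "").splitlines()
    rules = [dict(KV_RE.findall(line)) for line in trailer if line.startswith("Message:")]
    blocked = any(line.startswith("Action: Intercepted") for line in trailer)  # WAF blocked the request
    return {
        "transaction_id": hdr["uid"], "timestamp": hdr["ts"],
        "src": hdr["src"], "src_port": int(hdr["src_port"]),
        "dest": hdr["dest"], "dest_port": int(hdr["dest_port"]),
        "http_method": method, "uri_path": uri, "status": status, "action": "blocked" if blocked else "allowed",
        "rules": [{"rule_id": r.get("id"), "msg": r.get("msg"), "severity": r.get("severity")} for r in rules],
    }
```

Running the parser over a few real entries and comparing its output with the fields the add-on extracts at search time is a quick way to confirm that line breaking and TIME_FORMAT are applied correctly on the indexer.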

For any help on this App, contact splunk-(at)-nomios.fr

Release Notes

Version 1.4.2
Jan. 22, 2019

- Minor fixes to pass AppInspect

Version 1.4.1
Jan. 22, 2019

- Removed an unused entry from transforms.conf

Version 1.4
Oct. 23, 2017

- Added support for alternate ModSecurity alerts

Version 1.3
Oct. 21, 2017

- Added support for alternate ModSecurity alerts

Version 1.2
March 30, 2017

- Corrected fields extractions for Intrusion Detection event datasets
- Added fields extractions for Web event datasets

Version 1.1
Jan. 8, 2017

- Added TIME_FORMAT definition for better efficiency

Version 1.0
Nov. 24, 2016

- Initial release
