{"id":12471,"date":"2022-05-01T08:45:58","date_gmt":"2022-05-01T05:45:58","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12471"},"modified":"2024-03-09T14:52:42","modified_gmt":"2024-03-09T11:52:42","slug":"process-modsecurity-logs-using-wazuh","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/process-modsecurity-logs-using-wazuh\/","title":{"rendered":"Process ModSecurity Logs using Wazuh"},"content":{"rendered":"\n<p>This guide will take you through how to process ModSecurity logs using Wazuh. <a href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">ModSecurity<\/a> WAF can be integrated with Wazuh in order to process the generated alert logs for better analysis and visualization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Process ModSecurity Logs using Wazuh<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Install and set up Wazuh server;<\/h3>\n\n\n\n<p>If not already configured, use the guides below to install and set up Wazuh;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-configure-wazuh-manager-on-ubuntu-22-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Configure Wazuh Manager on Ubuntu 22.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-wazuh-server-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Wazuh Server on Rocky Linux 8<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install and Configure ModSecurity WAF<\/h3>\n\n\n\n<p>On your web servers, you need to install and activate ModSecurity WAF to protect your web server against attacks. 
You can use the guides below on how to install and configure ModSecurity WAF;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-modsecurity-with-apache-on-ubuntu-22-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install ModSecurity with Apache on Ubuntu 22.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-modsecurity-3-with-apache-in-a-docker-container\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install ModSecurity 3 with Apache in a Docker Container<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">ModSecurity Logging<\/h3>\n\n\n\n<p>By default, ModSecurity writes attack-related logs to the HTTP server error log file or to the ModSecurity audit log file.<\/p>\n\n\n\n<p>In order to be able to process the ModSecurity logs using Wazuh, the logs that are written to the HTTP server error log need to be collected by the Wazuh agent and pushed to the Wazuh manager for processing.<\/p>\n\n\n\n<p>In my current setup, my ModSecurity WAF is logging to the Apache error log file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grep denied \/var\/log\/apache2\/error.log<\/code><\/pre>\n\n\n\n<p>Sample log;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Sat Apr 30 23:42:36.559613 2022] &#91;:error] &#91;pid 4504:tid 140114027435584] &#91;client 127.0.0.1:57026] &#91;client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched phrase \"bin\/ls\" at ARGS:doc. 
&#91;file \"\/etc\/modsecurity\/crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] &#91;line \"518\"] &#91;id \"932160\"] &#91;msg \"Remote Command Execution: Unix Shell Code Found\"] &#91;data \"Matched Data: bin\/ls found within ARGS:doc: \/bin\/ls\"] &#91;severity \"CRITICAL\"] &#91;ver \"OWASP_CRS\/3.2.0\"] &#91;tag \"application-multi\"] &#91;tag \"language-shell\"] &#91;tag \"platform-unix\"] &#91;tag \"attack-rce\"] &#91;tag \"paranoia-level\/1\"] &#91;tag \"OWASP_CRS\"] &#91;tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] &#91;tag \"WASCTC\/WASC-31\"] &#91;tag \"OWASP_TOP_10\/A1\"] &#91;tag \"PCI\/6.5.2\"] &#91;hostname \"localhost\"] &#91;uri \"\/\"] &#91;unique_id \"Ym2fPFtd6Nody7X50nHgUwAAAAA\"]<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Wazuh Agent to Read ModSecurity Logs<\/h3>\n\n\n\n<p>Thus, you can now configure Wazuh agents to read the Apache error log and push the ModSecurity events to the Wazuh manager for processing.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/var\/ossec\/etc\/ossec.conf<\/code><\/pre>\n\n\n\n<p>Within the <strong><code>&lt;ossec_config&gt;<\/code><\/strong> and <strong><code>&lt;\/ossec_config&gt;<\/code><\/strong>, paste the configuration lines below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n  &lt;localfile>\n    &lt;log_format>apache&lt;\/log_format>\n    &lt;location>\/var\/log\/apache2\/access.log&lt;\/location>\n  &lt;\/localfile>\n  &lt;localfile>\n    &lt;log_format>apache&lt;\/log_format>\n    &lt;location>\/var\/log\/apache2\/error.log&lt;\/location>\n  &lt;\/localfile>\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file;<\/p>\n\n\n\n<p>Check for any syntax error;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/var\/ossec\/bin\/wazuh-syscheckd<\/code><\/pre>\n\n\n\n<p>Exit status is 0 if no error.<\/p>\n\n\n\n<p>Restart Wazuh agent;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart wazuh-agent<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verify Wazuh 
ModSecurity Log Processing<\/h3>\n\n\n\n<p>By default, the Wazuh manager ships with a ruleset that can process ModSecurity events for better visualization and analysis.<\/p>\n\n\n\n<p>Thus, navigate to the Wazuh web interface and check the events related to the Wazuh agent shipping the ModSecurity logs.<\/p>\n\n\n\n<p>Sample events;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/05\/modsecurity-wazuh.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1869\" height=\"871\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/05\/modsecurity-wazuh.png\" alt=\"Process ModSecurity Logs using Wazuh\" class=\"wp-image-12472\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/05\/modsecurity-wazuh.png?v=1651383218 1869w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/05\/modsecurity-wazuh-768x358.png?v=1651383218 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/05\/modsecurity-wazuh-1536x716.png?v=1651383218 1536w\" sizes=\"(max-width: 1869px) 100vw, 1869px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Expanding the event;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1880\" height=\"838\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/05\/wazuh-modsec-rejected-queries.png\" alt=\"Process ModSecurity Logs using Wazuh\" class=\"wp-image-12473\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/05\/wazuh-modsec-rejected-queries.png?v=1651383237 1880w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/05\/wazuh-modsec-rejected-queries-768x342.png?v=1651383237 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/05\/wazuh-modsec-rejected-queries-1536x685.png?v=1651383237 1536w\" sizes=\"(max-width: 1880px) 100vw, 1880px\" \/><\/figure>\n\n\n\n<p>And that is how you can use Wazuh to process ModSecurity logs.<\/p>\n\n\n\n<p>Want to apply further processing 
to ModSecurity logs? Check the guide below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/process-and-visualize-modsecurity-logs-on-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Process and Visualize ModSecurity Logs on ELK Stack<\/a><\/p>\n\n\n\n<p>Other Tutorials<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/create-kibana-visualization-dashboards-for-modsecurity-logs\/\" target=\"_blank\" rel=\"noreferrer noopener\">Create Kibana Visualization Dashboards for ModSecurity Logs<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/restrict-access-to-wordpress-login-page-to-specific-ips-with-libmodsecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\">Restrict Access to WordPress Login Page to Specific IPs with libModSecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This guide will take you through how to process ModSecurity logs using Wazuh. ModSecurity WAF can be integrated with Wazuh in order to process the<\/p>\n","protected":false},"author":3,"featured_media":12474,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,1207,72,34],"tags":[4982,1141,4984,3824,4985,4983],"class_list":["post-12471","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-modsecurity","category-monitoring","category-security","tag-integrate-modsecurity-with-wazuh","tag-modsecurity-3","tag-process-modsecurity-logs-using-wazuh","tag-wazuh","tag-wazuh-analyze-modsecurity-logs","tag-wazuh-and-modsecurity","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12471"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"ht
tps:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=12471"}],"version-history":[{"count":2,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12471\/revisions"}],"predecessor-version":[{"id":20554,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12471\/revisions\/20554"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12474"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=12471"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=12471"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=12471"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}