# fluent-plugin-modsecurity
fluentd plugin for modsecurity log. Enable modsecurity audit log 2 to export nginx access log like block log. Detail log path included in audit log2. Read and combine the detail log record by this plugin.
[](https://travis-ci.org/kaija/fluent-plugin-modsecurity)
## Build / Install
```
#self build and install
gem build fluent-plugin-modsecurity.gemspec
sudo td-agent-gem install fluent-plugin-modsecurity-0.1.2.gem
or
#install from public rubygems
sudo td-agent-gem install fluent-plugin-modsecurity
```
## modsecurity setting
```
SecAuditLogType Parallel
#setup modsecurity audit log 2
SecAuditLog2 /var/log/modsec/audit.log
#set detail audit log storage dir
SecAuditLogStorageDir /var/log/modsec
#change log file and dir permision for td-agent
SecAuditLogFileMode 0644
SecAuditLogDirMode 0755
```
## td-agent config
```
# (1) Consume the input by tail and tag modsecurity
type tail
tag modsecurity
format /^(?[^ ]*) (?[^ ]*) (?[^ ]*) (?[^ ]*) \[(?[^\]]*)\] "(?\S+)(?: +(?[^\"]*) +\S*)?" (?[^ ]*) (?[^ ]*) "(?.*)$/
time_format %d/%b/%Y:%H:%M:%S %z
pos_file /var/log/td-agent/modsec_audit2.log.pos
path /var/log/modsec/audit.log
# (2) retreive detail log from each record and append back to record
type modsecurity
path_prefix /var/log
# (3) append geoip information (optional)
type geoip
geoip_lookup_key transaction.client_ip
enable_key_country_code geoip_country
enable_key_city geoip_city
enable_key_latitude geoip_lat
enable_key_longitude geoip_lon
remove_tag_prefix test.
add_tag_prefix geoip.
flush_interval 5s
# (3) Output
type elasticsearch
include_tag_key true
log_level info
logstash_format true
logstash_prefix modsecurity_geo
type_name blocked
buffer_chunk_limit 1M
buffer_queue_limit 32
flush_interval 30s
host 192.168.1.2
port 9200
```