wazuh / wazuh-documentation

Wazuh - Project documentation
https://wazuh.com

Modsecurity Audit log to wazuh manager #7406

Closed tienhuyvonguyen closed 4 months ago

tienhuyvonguyen commented 5 months ago

Is there any recommendation on forwarding the ModSecurity audit log in JSON format from an agent to the Wazuh manager? I saw that Wazuh supports a JSON decoder by default, but I can't figure out how to implement it to get the ModSecurity audit log into the Wazuh manager and visualize it on the dashboard. I attach the ModSecurity audit log in JSON below:

{"transaction":{"client_ip":"10.1.0.4","time_stamp":"Sat Jun 15 12:12:40 2024","server_id":"a08d0c6eb6ece1374de508f878dfe6894859c17f","client_port":57090,"host_ip":"10.1.0.5","host_port":80,"unique_id":"171845356027.087146","request":{"method":"GET","http_version":1.1,"uri":"/vulnerabilities/sqli/?id=%27+OR+1%3D1%3B&Submit=Submit","headers":{"Host":"dvwa.test","Connection":"keep-alive","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","Cookie":"PHPSESSID=cjnb1igrvgsvmjo3qblkdkboo3; security=low","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","Referer":"http://dvwa.test/vulnerabilities/sqli/","Accept-Encoding":"gzip, deflate","Accept-Language":"en-US,en;q=0.9"}},"response":{"body":"\u001F?\b","http_code":200,"headers":{"Server":"nginx/1.26.1","Date":"Sat, 15 Jun 2024 12:12:40 GMT","Content-Length":"141","Expires":"Thu, 19 Nov 1981 08:52:00 GMT","Content-Type":"text/html; charset=UTF-8","Connection":"keep-alive","Cache-Control":"no-store, no-cache, must-revalidate","Pragma":"no-cache","Vary":"Accept-Encoding","Content-Encoding":"gzip"}},"producer":{"modsecurity":"ModSecurity v3.0.12 (Linux)","connector":"ModSecurity-nginx v1.0.3","secrules_engine":"DetectionOnly","components":["OWASP_CRS/4.4.0-dev\""]},"messages":[{"message":"SQL Injection Attack Detected via libinjection","details":{"match":"detected SQLi using libinjection.","reference":"v30,9","ruleId":"942100","file":"/etc/nginx/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf","lineNumber":"46","data":"Matched Data: s&1; found within ARGS:id: ' OR 1=1;","severity":"2","ver":"OWASP_CRS/4.4.0-dev","rev":"","tags":["application-multi","language-multi","platform-multi","attack-sqli","paranoia-level/1","OWASP_CRS","capec/1000/152/248/66","PCI/6.5.2"],"maturity":"0","accuracy":"0"}},{"message":"Inbound Anomaly Score Exceeded (Total Score: 5)","details":{"match":"Matched \"OperatorGe' with parameter 5' against variableTX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: 5' )","reference":"","ruleId":"949110","file":"/etc/nginx/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf","lineNumber":"222","data":"","severity":"0","ver":"OWASP_CRS/4.4.0-dev","rev":"","tags":["anomaly-evaluation","OWASP_CRS"],"maturity":"0","accuracy":"0"}}]}}
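The record above is one JSON object per transaction whose nested `messages` array holds one element per matched CRS rule, which a flat key/value decoder cannot split into separate alerts by itself. As an added example (not from the issue and not Wazuh's own decoder), the Python pre-processor below turns one audit line into one flat dotted-key event per matched rule, with the anomaly score pulled out of the blocking-evaluation message; a trimmed copy of the record above is embedded as constructed input, and `flatten` and `audit_to_events` are hypothetical names.

```python
import json
import re

# Constructed sample: a trimmed copy of the ModSecurity v3 JSON audit record
# quoted in the issue (response body and most headers dropped for brevity).
SAMPLE_AUDIT_LINE = json.dumps({"transaction": {
    "client_ip": "10.1.0.4", "time_stamp": "Sat Jun 15 12:12:40 2024",
    "unique_id": "171845356027.087146",
    "request": {"method": "GET", "headers": {"Host": "dvwa.test"},
                "uri": "/vulnerabilities/sqli/?id=%27+OR+1%3D1%3B&Submit=Submit"},
    "response": {"http_code": 200},
    "producer": {"secrules_engine": "DetectionOnly", "components": ["OWASP_CRS/4.4.0-dev\""]},
    "messages": [
        {"message": "SQL Injection Attack Detected via libinjection",
         "details": {"ruleId": "942100", "severity": "2",
                     "data": "Matched Data: s&1; found within ARGS:id: ' OR 1=1;",
                     "tags": ["attack-sqli", "paranoia-level/1", "OWASP_CRS"]}},
        {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
         "details": {"ruleId": "949110", "severity": "0", "data": "",
                     "tags": ["anomaly-evaluation", "OWASP_CRS"]}}]}})


def flatten(obj, prefix=""):
    """Nested dicts become dotted keys; lists of scalars are joined with commas.
    Lists of dicts are skipped: each element needs its own event (see below)."""
    flat = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        elif isinstance(value, list):
            if not any(isinstance(v, dict) for v in value):
                flat[name] = ",".join(str(v) for v in value)
        else:
            flat[name] = value
    return flat


def audit_to_events(line):
    """One flat event per matched CRS rule: transaction context plus the rule's
    fields, with the anomaly score parsed out of the blocking-evaluation message."""
    tx = json.loads(line)["transaction"]
    context = flatten({k: v for k, v in tx.items() if k != "messages"}, "transaction.")
    events = []
    for msg in tx.get("messages", []):
        event = dict(context, message=msg.get("message", ""))
        event.update(flatten(msg.get("details", {}), "rule."))
        score = re.search(r"Total Score: (\d+)", event["message"])
        event["rule.anomaly_score"] = int(score.group(1)) if score else None
        events.append(event)
    return events
```

Each emitted event is a flat map, so a rule can key on `rule.ruleId`, `rule.severity` or `rule.anomaly_score` directly, and `transaction.producer.secrules_engine` shows whether the request was only detected (as here, `DetectionOnly` with a 200 response) or actually blocked.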

W4nde3 commented 4 months ago

@tienhuyvonguyen Hi, I have the same problem, do you have a solution now?

tienhuyvonguyen commented 4 months ago

> @tienhuyvonguyen Hi, I have the same problem, do you have a solution now?

I switched to the normal log format and then wrote a custom decoder for it. Refer to this conversation: https://groups.google.com/g/wazuh/c/19WsaKGmOCo