Reading in ModSecurity logs using nxlog

#1 jason.mull

I'm attempting to use nxlog to pull in audit files from ModSecurity; the root of the log files resides at /var/log/modsec_audit/. The actual log files are two folders lower, as ModSecurity creates folders that are timestamped by day and then by minute.

Inside my nxlog input config, I have my log file path set to /var/log/modsec_audit/*, and I have enabled recursive file lookup, but to this point no ModSecurity logs are being picked up. The same sidecar instance is grabbing Apache logs perfectly fine, however. I feel like the issue is related to the directory structure, but I'm not seeing an issue with my config. Any thoughts?

<Input 579d7bd625b5bc05cc7f1614>
        Module im_file
        File "/var/log/modsec_audit/*"
        PollInterval 5
        SavePos True
        ReadFromLast True
        Recursive True
        RenameCheck False
        Exec $FileName = file_name(); # Send file name with each message
</Input>


#2 b0ti Nxlog ✓

The config looks ok.

Permission issue perhaps?

Have you tried with "ReadFromLast FALSE" just to see if old logs are picked up?
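A quick way to test the permission theory raised above, before touching the nxlog config, is to walk the audit tree the same way a recursive im_file input would and flag anything an unprivileged reader cannot open or descend into. The script below is an added example written for this thread, not code from nxlog or ModSecurity; it builds a scratch copy of the day/day-minute/file layout described in the question (directory names and file contents are constructed, and the three-level layout is an assumption) so the checks can run offline. Point the two `list_*` functions at the real /var/log/modsec_audit/ to run them against a live tree.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the ModSecurity
# audit-log directory layout in a scratch directory and report what a
# recursive file reader running as an unprivileged user could actually open.
# Layout assumed: <root>/<YYYYMMDD>/<YYYYMMDD>-<HHMM>/<YYYYMMDD>-<HHMMSS>-<id>.

# Build a constructed sample tree under $1. Permissions are set explicitly so
# the result does not depend on the caller's umask.
make_sample_tree() {
    root="$1"
    d1="$root/20240101/20240101-1200"
    d2="$root/20240101/20240101-1201"
    mkdir -p "$d1" "$d2"
    chmod 755 "$root" "$root/20240101" "$d1" "$d2"
    # Three constructed audit entries (contents are placeholders, not real
    # ModSecurity output). The third is made unreadable to other users, the
    # kind of silent failure a log shipper running as its own user hits.
    printf '%s\n' '--a1b2c3d4-A--' 'sample audit entry 1' > "$d1/20240101-120005-id1"
    printf '%s\n' '--e5f6a7b8-A--' 'sample audit entry 2' > "$d1/20240101-120030-id2"
    printf '%s\n' '--c9d0e1f2-A--' 'sample audit entry 3' > "$d2/20240101-120101-id3"
    chmod 644 "$d1/20240101-120005-id1" "$d1/20240101-120030-id2"
    chmod 600 "$d2/20240101-120101-id3"
}

# Count every regular file below the root at any depth: the set of files a
# recursive glob should be picking up.
count_audit_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Regular files missing the "other" read bit (octal 004). A reader running
# as a different unprivileged user cannot open these.
list_unreadable_files() {
    find "$1" -type f ! -perm -004
}

# Directories missing the "other" read+execute bits (octal 005). A reader
# cannot enumerate or enter these, so files beneath them are never seen.
list_untraversable_dirs() {
    find "$1" -type d ! -perm -005
}

# Stand-alone usage: sh check_modsec_tree.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    echo "audit files found: $(count_audit_files "$demo")"
    echo "files unreadable to other users:"
    list_unreadable_files "$demo"
    echo "directories not traversable by other users:"
    list_untraversable_dirs "$demo"
    rm -rf "$demo"
fi
```

The directory check matters as much as the file check: if a day or minute directory is created without the execute bit for the reader's user, no recursive option can find the files inside it, and the input will look idle even though the glob is correct.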