Mod Security2 Apps for Splunk

Hai, I'm back.
today I will explain how to make an applications for Splunk, as an example I will used mod security2 ( because I cannot find apps for this -_-! so lets make it by your self ).
this is the example after I build my own apps for mod security2.


Next, First step. 1) We will make apps template provide by Splunk
Login to Splunk and go to

Manager-Apps-create apps
look like the image below

Fill the empty field like the image above, or you can put everything you want

2) After the template has been created, you should preparing the tools
go to /opt/splunk/etc/apps

[root@localhost ~]# cd /opt/splunk/etc/apps
[root@localhost apps]# cd mod_security2/default
[root@localhost default]#  touch {indexes.conf,inputs.conf,props.conf,savedsearches.conf,transforms.conf}

here we have 5 files, for configuration, you can find the explanation for each files at
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Whatsinthismanual
and type on the"search" :-)
indexes.conf
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.  Version 4.2.4
# Creates a sample index for sample data.

[modsec]
homePath   = $SPLUNK_DB/modsec/db
coldPath   = $SPLUNK_DB/modsec/colddb
thawedPath = $SPLUNK_DB/modsec/thaweddb


inputs.conf
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.  Version 4.2.4
# Creates an input for sample data.

[monitor:///var/log/httpd/modsec_audit.log]
index=modsec
source=mod_security
sourcetype=modsec


props.conf
[modsec]
TRUNCATE = 0 
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = (--[a-z0-9]+-A--)
REPORT-get = get
REPORT-post = post
REPORT-severity = severity
REPORT-msg = msg
REPORT-error = error
REPORT-ipsrc = ipsrc
REPORT-tagid = tagid


savedsearches.conf
[default]
disabled = 0

[All Status]
enableSched = 0
search = index=modsec sourcetype="modsec" sev_stat="*" tagid_stat="*" ipsrc_stat="*" msg_stat="*"
dispatch.earliest_time = -4d
vsid = *:guuvw49b

[Severity Status]
enableSched = 0
search =  index=modsec sourcetype="modsec" | top  sev_stat limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

[HTTP/GET Status]
enableSched = 0
search =  index=modsec sourcetype="modsec" | top  ms_get limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

[HTTP/POST Status]
enableSched = 0
search =  index=modsec sourcetype="modsec" | top  ms_post limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

[HTTP Error Status]
enableSched = 0
search =  index=modsec sourcetype="modsec" | top  error_stat limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

[Vulnerability Message]
enableSched = 0
search =  index=modsec sourcetype="modsec" | top  msg_stat limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

[IP Source Status]
enableSched = 0
search =  index=modsec sourcetype="modsec" | top  ipsrc_stat limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

[Vulnerability Status]
enableSched = 0
search =  index=modsec sourcetype="modsec" | top  tagid_stat limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

[HTTP Error Message]
action.email.reportServerEnabled = 0
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
displayview = report_builder_display
request.ui_dispatch_view = report_builder_display
search = index=modsec sourcetype="modsec" | top error_stat limit="100"
vsid = *:gv3j8amu


transforms.conf
[get]
REGEX = (GET.+?)$
FORMAT = ms_get::$1

[post]
REGEX = (POST.+?)$
FORMAT = ms_post::$1

[severity]
REGEX = (severity)."(.+?)"\]
FORMAT = sev_stat::$2

[msg]
REGEX = \[(msg)."(.+?)"\]
FORMAT = msg_stat::$2

[error]
REGEX = (HTTP/....[45]0[0-5]\s\w{1,}.*)
FORMAT = error_stat::$1

[ipsrc]
REGEX = 0\]\s{1}\w{1,}\s{1}(\d+\.\d+\.\d+\.\d+)?
FORMAT = ipsrc_stat::$1

[tagid]
REGEX = tag\s"(\w{1,}.+?)"\]
FORMAT = tagid_stat::$1


3) Modify the navigation menus

[root@localhost default]# vim ../local/data/ui/nav/default.xml

modify this

        
        
             
        
    

became this

        
             
        
        
             
             
             
             
             
             
             
        
        
             
             
             
        
    


4) touch /opt/splunk/etc/apps/mod_security2/local/viewstates.conf if that file not there.
fill with this
[*:guuvw49b]
AxisScaleFormatter_0_9_0.default = ""
ChartTypeFormatter_0_4_0.default = bar
Count_0_3_0.default = 10
DataOverlay_0_5_0.dataOverlayMode = none
DataOverlay_0_5_0.default = none
FlashChart_0_4_1.height = 300px
LegendFormatter_0_10_0.default = top
LineMarkerFormatter_0_7_0.default = false
NullValueFormatter_0_9_0.default = gaps
SplitModeFormatter_0_8_0.default = false
StackModeFormatter_0_7_0.default = default
XAxisTitleFormatter_0_6_1.default = tagid_stat
YAxisRangeMaximumFormatter_0_8_0.default = ""
YAxisRangeMinimumFormatter_0_7_0.default = ""
YAxisTitleFormatter_0_6_2.default = Frequency

[*:gv3fqc6l]
AxisScaleFormatter_0_9_0.default = ""
ChartTypeFormatter_0_4_0.default = area
Count_0_3_0.default = 10
DataOverlay_0_5_0.dataOverlayMode = none
DataOverlay_0_5_0.default = none
FlashChart_0_4_1.height = 300px
LegendFormatter_0_10_0.default = top
LineMarkerFormatter_0_7_0.default = false
NullValueFormatter_0_9_0.default = gaps
SplitModeFormatter_0_8_0.default = false
StackModeFormatter_0_7_0.default = default
XAxisTitleFormatter_0_6_1.default = time
YAxisRangeMaximumFormatter_0_8_0.default = ""
YAxisRangeMinimumFormatter_0_7_0.default = ""
YAxisTitleFormatter_0_6_2.default = count of events

[*:gv3j8amu]
AxisScaleFormatter_0_9_0.default = ""
ChartTitleFormatter_0_6_0.default = HTTP Error Message
ChartTypeFormatter_0_4_0.default = pie
Count_0_3_0.default = 10
DataOverlay_0_5_0.dataOverlayMode = none
DataOverlay_0_5_0.default = none
FlashChart_0_4_1.height = 300px
LegendFormatter_0_10_0.default = right
LineMarkerFormatter_0_7_0.default = false
NullValueFormatter_0_9_0.default = gaps
SplitModeFormatter_0_8_0.default = false
StackModeFormatter_0_7_0.default = default
XAxisTitleFormatter_0_6_1.default = error_stat
YAxisRangeMaximumFormatter_0_8_0.default = ""
YAxisRangeMinimumFormatter_0_7_0.default = ""
YAxisTitleFormatter_0_6_2.default = Frequency


5) Restart Splunk services
[root@localhost ~]# /opt/splunk/bin/splunk restart


6) Login to Splunk again, and try to accessing your mod security apss.


Comments