Nginx and Modsecurity integration with Wazuh
Mohamed Maslouh
hasitha.u...@wazuh.com
Hi Mohamed,
We have an official blog that explains how to monitor ModSecurity events with Wazuh. You can check it out for detailed guidance.
Analyzing ModSecurity events with Wazuh
Additionally, as you mentioned, if these logs are written to a file, you can monitor them by installing the Wazuh agent on the endpoint where the logs are stored.
Steps to Monitor ModSecurity Events with Wazuh:1. Install the Wazuh AgentFollow the instructions in the Wazuh documentation to install the agent on your system:
Wazuh Agent Installation Guide
After installing the Wazuh agent, you need to configure the log paths in the ossec.conf file.
Open the file using a text editor like nano or vi:
nano /var/ossec/etc/ossec.confAdd the following configuration under the <ossec_config> tags, typically at the bottom of the file:
- <localfile>
- <location>/var/log/modsec_audit.log</location>
- <log_format>syslog</log_format>
- </localfile>
Similarly, configure the Nginx log path in the ossec.conf file if required.
Once the configuration is updated, restart the Wazuh agent to apply the changes:
To check if the logs match existing decoders and rules, use the wazuh-logtest tool:
- Copy a sample log from your file, paste it into the tool after running the command, and press Enter.
- If the logs do not match any default decoders or rules, you’ll need to create custom decoders and rules.
If necessary, refer to the following documentation to create custom decoders and rules:
- Creating Custom Decoders
- Decoder Syntax Guide
- Creating Custom Rules
- Rule Syntax Guide
- Blog: Creating Decoders and Rules from Scratch
If you encounter any issues while creating decoders or rules, feel free to share sample logs from Nginx and ModSecurity. This will help in providing more specific assistance.
Let me know if you need further support on this.
Regards,
Hasitha Upekshitha