I use Splunk (https://www.splunk.com) to collect log files. I can then set up 
alerts based on those. Don't alert on everything (I agree with Cosimo on that!), 
but have a dashboard of web server healthiness (of which ModSecurity alerts are 
one measure) and individual alerts for some rules/URLs that are sensitive and that I 
want to know about alerts for. Splunk is quite nice for drilling down into things 
(it's basically a massive grep tool in a web front end with dashboarding and 
alerting).

I really only use the Apache error log files rather than the ModSecurity audit logs, since 
they are structured to be parsed more easily. So I sometimes then have to look at the 
audit log for details, but the error log is sufficient to raise the alert in the first place.

This has the nice side effect of not slowing down the webserver or 
ModSecurity processing, as Splunk runs as a separate instance on a separate server and 
only the Splunk forwarder runs on the webserver.

Thanks,
Barry
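As an added example (not code from Barry's setup or from the ModSecurity project), the parsing step described above in plain Python: it reads the bracketed key/value fields that ModSecurity v2 appends to Apache error-log lines, counts hits per rule id as a dashboard measure, and picks out the events that match a watch-list of rule ids and URI prefixes for individual alerting. The log lines, rule ids, addresses and the `build_alert_email` helper are constructed for illustration; a real deployment would feed the alert list to a mailer or to Splunk instead.

```python
import re
from collections import Counter
from email.message import EmailMessage

# ModSecurity v2 appends fields like [id "941100"] [msg "..."] [uri "/x"] to
# each Apache error-log line. Values may contain escaped quotes (\").
FIELD_RE = re.compile(r'\[(id|msg|severity|uri|file|unique_id) "((?:[^"\\]|\\.)*)"\]')
# The Apache prefix carries the client address, e.g. [client 203.0.113.5:51000].
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
# "Warning." means the rule matched but did not block; "Access denied" means it did.
ACTION_RE = re.compile(r'ModSecurity: (Warning|Access denied with code \d+)')

# Constructed sample error log (not real traffic): two lines from one request
# that was blocked on anomaly score, one unrelated Apache notice, and one
# unblocked SQLi match against an admin URI.
SAMPLE_ERROR_LOG = """\
[Fri Oct 21 10:15:32.120000 2016] [:error] [pid 4242:tid 140] [client 203.0.113.5:51000] [client 203.0.113.5] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/search"] [unique_id "CONSTRUCTED-1"]
[Fri Oct 21 10:15:32.130000 2016] [:error] [pid 4242:tid 140] [client 203.0.113.5:51000] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/search"] [unique_id "CONSTRUCTED-1"]
[Fri Oct 21 10:16:01.000000 2016] [core:notice] [pid 4200:tid 100] AH00094: Command line: '/usr/sbin/apache2'
[Fri Oct 21 10:17:45.500000 2016] [:error] [pid 4243:tid 141] [client 198.51.100.7:40022] [client 198.51.100.7] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/admin/users"] [unique_id "CONSTRUCTED-2"]
"""


def parse_modsec_error_line(line):
    """Return a dict for a ModSecurity event line, or None for any other
    Apache error-log line (notices, startup messages, other modules)."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    fields = {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(line)}
    if 'id' not in fields:  # a ModSecurity line without a rule id is not alertable
        return None
    client = CLIENT_RE.search(line)
    return {
        'id': fields['id'],
        'msg': fields.get('msg', ''),
        'severity': fields.get('severity', ''),
        'uri': fields.get('uri', ''),
        'unique_id': fields.get('unique_id', ''),
        # strip the port; rsplit keeps IPv6 addresses intact
        'client': client.group(1).rsplit(':', 1)[0] if client else '',
        'blocked': action.group(1) != 'Warning',
    }


def parse_error_log(text):
    """Parse every line of an error log, keeping only ModSecurity events."""
    return [e for e in (parse_modsec_error_line(l) for l in text.splitlines()) if e]


def rule_hit_counts(events):
    """Hits per rule id: the 'ModSecurity alerts' measure for a health dashboard."""
    return Counter(e['id'] for e in events)


def sensitive_alerts(events, sensitive_rule_ids=(), sensitive_uri_prefixes=()):
    """Events that deserve an individual alert: a watched rule id or a watched
    URI prefix. Everything else stays a dashboard statistic."""
    return [e for e in events
            if e['id'] in sensitive_rule_ids
            or any(e['uri'].startswith(p) for p in sensitive_uri_prefixes)]


def build_alert_email(event, sender, recipient):
    """Build (not send) a notification for one event; hand the result to
    smtplib or a ticketing hook in a real deployment (hypothetical helper)."""
    msg = EmailMessage()
    msg['From'] = sender
    msg['To'] = recipient
    msg['Subject'] = f"ModSecurity rule {event['id']} on {event['uri']}"
    state = 'blocked' if event['blocked'] else 'logged only'
    msg.set_content(
        f"Rule {event['id']} ({event['msg']}) matched for {event['client']} "
        f"on {event['uri']}, severity {event['severity']}, request {state}.\n"
        f"Audit-log lookup key: unique_id {event['unique_id']}\n")
    return msg


if __name__ == '__main__':
    events = parse_error_log(SAMPLE_ERROR_LOG)
    print('hits per rule:', dict(rule_hit_counts(events)))
    for e in sensitive_alerts(events, {'942100'}, ('/admin/',)):
        print(build_alert_email(e, 'waf@example.invalid', 'ops@example.invalid'))
```

The `unique_id` field is what lets you jump from an error-log alert to the matching audit-log entry for the details Barry mentions; it is also the key to collapse several rule hits from one request into a single notification if the watch-list is broad.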

> On 21 Oct 2016, at 16:27, Christian Folini <christian.fol...@netnea.com> 
> wrote:
> 
> Dear Ilyass,
> 
> I spent half of the day thinking about what to respond to you.
> The other message covered the tools to use, but how about the
> integration?
> 
> There is no documentation on how to pull this off in ModSecurity
> in a clean way AFAIK and I think you should integrate it
> yourself. Personally, I recommend going back to the classic
> exposé of Marcus Ranum about "artificial ignorance".
> And from there, make your way to logpp and SEC.
> 
> A primer on ModSecurity alerting sits on my todo list for future
> tutorials once the 12 part series at
> https://www.netnea.com/cms/aapche-tutorials is finished. But 
> this todo list is a crowded place, I am afraid. So don't wait for it.
> 
> Ahoj,
> 
> Christian
> 
> 
>> On Fri, Oct 21, 2016 at 09:50:35AM +0100, Ilyass Kaouam wrote:
>> Hello guys.
>> 
>> How can I configure ModSecurity to send an e-mail when some rule matches? I
>> want something "global", for all rules.
>> 
>> 
>> Thanks
>> 
>> 
>> -- 
>> *Ilyass kaouam*
>> *Systems administrator*
>> *European Masters in Information Technology*
> 
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> 
> -- 
> https://www.feistyduck.com/training/modsecurity-training-course
> mailto:christian.fol...@netnea.com
> twitter: @ChrFolini