Merge pull request #16 from u-s-p/multiline-codec

Multiline codec instead of multiline filter
bitsofinfo · Oct 30, 2015 · 74283e9 · 74283e9
2 parents 128666e + 64b4e79
commit 74283e9
Showing 1 changed file with 11 additions and 14 deletions.
diff --git a/logstash-modsecurity.conf b/logstash-modsecurity.conf
@@ -45,25 +45,22 @@ input {
     charset => "US-ASCII"
     path => "/path/to/your/modsec/audit/logs/*.log"
     type => "mod_security"
+
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # merge all modsec events for a given entity into the same event.
+    # so essentially the modsec -Z marker is used as the splitter
+    # which is the end of each modsec logical event in the logfile
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    codec => multiline {
+      pattern => "^--[a-fA-F0-9]{8}-Z--$"
+      negate => true
+      what => previous
+    }
   }
 }
 
 filter {
 
-  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-  # merge all modsec events for a given entity into the same event.
-  # so essentially the modsec -A marker is used as the splitter
-  # which is the start of each modsec logical event in the logfile
-  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-  multiline {
-    pattern => "^--[a-fA-F0-9]{8}-Z--$"
-    negate => true
-    what => previous
-    type => "mod_security"
-  }
-
-
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   # Due to the complexity of the collapsed single string
   # we get from multiline and the variance of exactly