{
  "name": "modsecurity",
  "title": "ModSecurity Audit",
  "version": "1.23.0",
  "release": "ga",
  "description": "Collect logs from ModSecurity with Elastic Agent",
  "type": "integration",
  "download": "/epr/modsecurity/modsecurity-1.23.0.zip",
  "path": "/package/modsecurity/1.23.0",
  "icons": [
    {
      "src": "/img/modsec.svg",
      "path": "/package/modsecurity/1.23.0/img/modsec.svg",
      "title": "ModSecurity",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.11.0 || ^9.0.0"
    }
  },
  "owner": {
    "type": "community",
    "github": "elastic/integration-experience"
  },
  "categories": [
    "security",
    "network",
    "web_application_firewall"
  ],
  "signature_path": "/epr/modsecurity/modsecurity-1.23.0.zip.sig",
  "format_version": "3.0.3",
  "readme": "/package/modsecurity/1.23.0/docs/README.md",
  "license": "basic",
  "assets": [
    "/package/modsecurity/1.23.0/LICENSE.txt",
    "/package/modsecurity/1.23.0/changelog.yml",
    "/package/modsecurity/1.23.0/manifest.yml",
    "/package/modsecurity/1.23.0/validation.yml",
    "/package/modsecurity/1.23.0/docs/README.md",
    "/package/modsecurity/1.23.0/img/modsec.svg",
    "/package/modsecurity/1.23.0/kibana/tags.yml",
    "/package/modsecurity/1.23.0/data_stream/auditlog/manifest.yml",
    "/package/modsecurity/1.23.0/data_stream/auditlog/sample_event.json",
    "/package/modsecurity/1.23.0/docs/knowledge_base/service_info.md",
    "/package/modsecurity/1.23.0/data_stream/auditlog/fields/agent.yml",
    "/package/modsecurity/1.23.0/data_stream/auditlog/fields/base-fields.yml",
    "/package/modsecurity/1.23.0/data_stream/auditlog/fields/ecs.yml",
    "/package/modsecurity/1.23.0/data_stream/auditlog/fields/fields.yml",
    "/package/modsecurity/1.23.0/data_stream/auditlog/agent/stream/stream.yml.hbs",
    "/package/modsecurity/1.23.0/data_stream/auditlog/elasticsearch/ingest_pipeline/apache-modsec.yml",
    "/package/modsecurity/1.23.0/data_stream/auditlog/elasticsearch/ingest_pipeline/default.yml",
    "/package/modsecurity/1.23.0/data_stream/auditlog/elasticsearch/ingest_pipeline/nginx-modsec.yml"
  ],
  "policy_templates": [
    {
      "name": "modsec",
      "title": "ModSecurity audit logs",
      "description": "Collect modsecurity audit logs",
      "inputs": [
        {
          "type": "logfile",
          "title": "Collect logs from modsecurity instances",
          "description": "Collecting modsecurity audit logs"
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "modsecurity.auditlog",
      "title": "Modsecurity Audit Log",
      "release": "experimental",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "paths",
              "type": "text",
              "title": "Paths",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "/var/log/modsec-audit*"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "modsec-audit"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
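              "description": "Preserves a raw copy of the original event in the field `event.original`. ModSecurity audit logs can include request headers and bodies, so the raw copy may contain credentials or other sensitive data.",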
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "tz_offset",
              "type": "text",
              "title": "Timezone Offset",
              "description": "By default, datetimes in the logs are interpreted relative to the timezone configured on the host where the agent is running. If ingesting logs from a host in a different timezone, use this field to set the timezone offset so that datetimes are parsed correctly. Acceptable timezone formats are: a canonical ID (e.g. \"Europe/Amsterdam\"), an abbreviation (e.g. \"EST\") or an HH:mm differential (e.g. \"-05:00\") from UTC.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "local"
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. They run in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "stream.yml.hbs",
          "title": "Modsecurity Audit Log",
          "description": "Collect modsecurity audit logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "modsecurity",
      "path": "auditlog"
    }
  ]
}
