From 64b4e79e9afaa6d1193a2b3d8eafdf9039592887 Mon Sep 17 00:00:00 2001
From: "Bremgartner, Lucas"
Date: Thu, 29 Oct 2015 17:51:08 +0100
Subject: [PATCH] Multiline codec instead of multiline filter

Fixes #15

Changed description about the marker used as splitter (not -A anymore).
---
 logstash-modsecurity.conf | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/logstash-modsecurity.conf b/logstash-modsecurity.conf
index a0b287d..c212b4b 100644
--- a/logstash-modsecurity.conf
+++ b/logstash-modsecurity.conf
@@ -45,25 +45,22 @@ input {
     charset => "US-ASCII"
     path => "/path/to/your/modsec/audit/logs/*.log"
     type => "mod_security"
+
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # merge all modsec events for a given entity into the same event.
+    # so essentially the modsec -Z marker is used as the splitter
+    # which is the end of each modsec logical event in the logfile
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    codec => multiline {
+      pattern => "^--[a-fA-F0-9]{8}-Z--$"
+      negate => true
+      what => previous
+    }
   }
 }
 
 filter {
-  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-  # merge all modsec events for a given entity into the same event.
-  # so essentially the modsec -A marker is used as the splitter
-  # which is the start of each modsec logical event in the logfile
-  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-  multiline {
-    pattern => "^--[a-fA-F0-9]{8}-Z--$"
-    negate => true
-    what => previous
-    type => "mod_security"
-  }
-
-  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   # Due to the complexity of the collapsed single string
   # we get from multiline and the variance of exactly
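Review bot: The new `codec => multiline { ... }` block accumulates every line until a `--xxxxxxxx-Z--` terminator, but it leaves the codec's accumulation limits at their defaults (`max_lines`, which I believe defaults to 500, and `max_bytes`), so a single audit entry whose request or response body runs past that limit is cut into several events and tagged `multiline_codec_max_lines_reached`, which the grok/parsing stage later in `filter { ... }` will not recognise as a complete ModSecurity record. Since the body sections are attacker-controlled, an oversized or deliberately padded request is a cheap way to make the very alert that matters unparseable, so the limit should be set deliberately and the overflow tag handled downstream rather than silently dropped; for example `max_lines => 5000` plus a `max_bytes` value matched to your `SecRequestBodyLimit`, with a comment stating why. Relatedly, a body line that itself matches `^--[a-fA-F0-9]{8}-Z--$` would terminate the event early and split one record into two; ModSecurity does not escape such lines as far as I know, so the comment block added here should warn that the terminator match is a heuristic, not a guaranteed boundary. Note that the enclosing `input { file { ... } }` block starts before this hunk and the `filter { ... }` block continues after it, so the downstream handling of partial events is outside the visible change.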