Modsec2sguil is a Perl script that feeds ModSecurity alerts to Sguil, the Network Security Monitoring (NSM) system. The 0.7 release works as a drop-in replacement for Snort's barnyard. The new 0.8-devX release currently in testing works as a real agent, but it only supports Sguil 0.8.0.

There is some documentation in the tarball. Modsec2sguil is Open Source under the GPLv2 license. It was written by Victor Julien, but also contains some code copyrighted by Ivan Ristic.

For news, please check my blog at


Screenshot of Sguil 0.7.0-CVS with a ModSecurity alert.



Development Releases (for Sguil 0.7-CVS)



Modsec2sguil on github


Version 0.8-dev7 March 26th, 2008

- Update protocol string to reflect Sguil 0.7.0 stable release

- Support ModSecurity 2.5.x, thanks for the addition Ryan Cummings

Version 0.8-dev6 September 18th, 2007

- Catch errors in syslog so they will be non-fatal.

- Fix broken syslog level.

Version 0.8-dev5 August 19th, 2007

- Add syslog logging.

- Add option to log all transactions, not just alerts.

Version 0.8-dev4 August 16th, 2007

- Fix a bug where the agent would exit if the connection to the server was lost.

Version 0.8-dev3 August 16th, 2007

- Make sure alerts get prio 1-4, non-alerts prio 5.

- Clean up rtgenevent function.

- Fix rule id being part of the event.

- Add option to send all http events to Sguil, even non-alerts.

Version 0.8-dev2 August 14th, 2007

- Fix missing RUNAS van causing a error message.

- Add an option IGNORE_HTTP_CODES to the config, to optionally no treat certain codes as alerts, and thus not send them to Sguil.

- Fix PINGs sending duplicate \r\n

Version 0.8-dev1 August 13th, 2007

- Converted into a real agent for Sguil 0.7 (no more barnyard replacement)

- Agent can drop privileges

- Agent can daemonize

- Pinging the server is supported

- The agent reconnects to the server if the connection is lost

- Agent supports SSL for the connection to the server

- A sguil-compatible configuration file is now used

- A debug mode was added

Version 0.7 March 18th, 2007

- add support for ModSecurity 2.x alerts.

- fix wrong severity to prio conversion.

Last updated: March 26th, 2008.