Feeding ModSecurity Alerts into Sguil
Set up a Sguil sensor_agent with a unique sensorname. Disable all Snort-specific options such as sessions, sancp and portscans. Start it and make sure you see it online in the Sguil client.
The following assumes that Apache logs to /var/log/apache2/ and that ModSecurity concurrent logging writes to /var/log/apache2/audit_log/data/.
Step 1. Create the directory /var/log/apache2/audit_log/data/queue
Step 2. Put this in your Apache configuration:
SecAuditLog "|/path/to/modsec_queue.pl /var/log/apache2/audit_log/data/ /var/log/apache2/audit_log/index"
Step 3. Restart Apache. You should see symbolic links appear in the queue directory. Depending on your setup they might appear on simple webserver visits, or you might have to run a tool like nikto to trigger events.
Putting it together
Next, use modsec_by.pl to connect to Sguil. It is run as follows:
modsec_by.pl -n <sensorname> -l /var/log/apache2/audit_log/data/queue/
The script enters an endless loop in which it continuously checks for new alert files in the queue directory. Press Ctrl-C to kill it.
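A sketch of what the consumer side has to do, added here as an example rather than modsec_by.pl's own code: split one ModSecurity 2.x concurrent-mode audit entry into its lettered parts, pull out the connection tuple, request line and matched rules (the fields a Sguil alert needs), and drain a queue directory of symlinks like the one Step 3 creates. The sample entry, its rule id and message, and the assumption that a handled symlink is unlinked afterwards are all constructed for this example.

```python
# Added example, not modsec2sguil's own code: parse ModSecurity 2.x concurrent audit
# entries reached via a modsec_queue.pl-style queue of symlinks, then drop the symlink.
import re, tempfile
from pathlib import Path
BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")  # --<txid>-A-- ... --<txid>-Z--
A_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<txid>\S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)$")
MSG_TAGS = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')  # tags on an H-part "Message:" line
# Constructed sample entry, not a real capture; rule id and msg are placeholders.
SAMPLE_ENTRY = """--4a2e17c0-A--
[16/Jan/2010:12:00:00 +0100] S1GwQH8AAQEAAHhzAAAAAA 192.0.2.10 54321 192.0.2.1 80
--4a2e17c0-B--
GET /cgi-bin/test.cgi HTTP/1.1
--4a2e17c0-H--
Message: Access denied with code 403 (phase 2). [id "900001"] [msg "Constructed test rule"] [severity "CRITICAL"]
--4a2e17c0-Z--
"""
def parse_audit_entry(text):
    """Split one audit entry into its lettered parts, keyed by section letter (A, B, H, ...)."""
    parts, cur = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            cur = parts.setdefault(m.group(1), [])  # new section starts; later lines belong to it
        elif cur is not None:
            cur.append(line)
    return parts
def summarise(parts):
    """Reduce an entry to what the console needs: 5-tuple from A, request line from B, rule hits from H."""
    a = A_LINE.match(parts.get("A", [""])[0])
    if not a:
        raise ValueError("malformed part A")  # refuse rather than emit a half-filled alert
    summary = a.groupdict()
    summary["request"] = parts.get("B", [""])[0]
    summary["rules"] = [dict(MSG_TAGS.findall(line)) for line in parts.get("H", []) if line.startswith("Message:")]
    return summary
def drain_queue(queue_dir):
    """Summarise every symlink in the queue dir (oldest name first), unlinking each once handled (assumed)."""
    results = []
    for link in sorted(Path(queue_dir).iterdir()):
        if link.is_symlink():
            results.append(summarise(parse_audit_entry(link.read_text())))
            link.unlink()
    return results
def demo():
    """Stand-alone run on a throwaway data/ + queue/ layout like the page's: queue one entry, drain it."""
    with tempfile.TemporaryDirectory() as root:
        data, queue = Path(root, "data"), Path(root, "queue")
        data.mkdir(), queue.mkdir()
        (data / "entry").write_text(SAMPLE_ENTRY)
        (queue / "entry").symlink_to(data / "entry")
        return drain_queue(queue), not any(queue.iterdir())
```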