
Nginx Modsecurity JSON Format Full Log #1484


Closed
bosungs2y opened this issue Jul 4, 2017 · 2 comments

@bosungs2y

Hello :)
I want to send the Nginx ModSecurity full log to 10.10.10.10 (Manager) in JSON format.
It works fine in Apache but not in Nginx. What is the problem?

Information

  • Nginx(1.11.13)
  • libModSecurity(ver.3)

Want

  1. I want to save SecAuditLog in full log and JSON format.
  2. I want to send saved logs to the Manager Server using socat.

SecAuditLog "|/usr/bin/socat -b 5301072 - UDP-SENDTO:10.10.10.10:8888" (Error)

  1. The SecAuditLogFormat JSON option is not available

SecAuditLogFormat JSON (Error)

Error Log

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/conf/modsecurity.conf. Line: 18. Column: 71. Invalid input:  SecAuditLog "|/usr/bin/socat -b 5301072 - UDP-SENDTO:10.10.10.10:8888" in /usr/local/nginx/conf/nginx.conf:42

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/conf/modsecurity.conf. Line: 19. Column: 23. Invalid input:  SecAuditLogFormat JSON in /usr/local/nginx/conf/nginx.conf:42

modsecurity.conf

SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRequestBodyLimit 100000
SecRequestBodyNoFilesLimit 2000
SecRequestBodyInMemoryLimit 100000
SecRequestBodyLimitAction ProcessPartial

SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml null
SecResponseBodyLimit 2000
SecResponseBodyLimitAction ProcessPartial

SecAuditEngine On
SecAuditLogParts ABCFHZ
SecAuditLogType Serial

#SecAuditLog /var/log/modsec_audit.log
SecAuditLog "|/usr/bin/socat -b 5301072 - UDP-SENDTO:10.10.10.10:8888"
SecAuditLogFormat JSON

SecArgumentSeparator &
SecCookieFormat 0
SecUnicodeMapFile unicode.mapping 20127

Want Apache JSON Log Format

Jul 3 14:05:24 10.195.24.226 {"transaction": {"time":"03/Jul/2017:14:05:24 +0900","transaction_id":"WVnQlArDGOIAAGaFyOYAAACQ","remote_address":"10.10.10.20","remote_port":51495,"local_address":"10.10.10.30","local_port":80},"request":{"request_line":"POST / HTTP/1.1","headers":{"Host":"http://10.10.10.30/index.html","User-Agent":"curl/7.51.0","Accept":"*/*","Content-Length":"51","Content-Type":"application/x-www-form-urlencoded"},"body":["{1}IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII"]},"response":{"protocol":"HTTP/1.1","status":200,"headers":{"Last-Modified":"Wed, 28 Jun 2017 04:28:36 GMT","ETag":"\"873-552fd9e21cba3\"","Accept-Ranges":"bytes","Content-Length":"2163","Content-Type":"text/html"},"body":"<html><body><h1>It works!</h1></body></html>\n<h2><span style=\"color:red\"; >ModSecurity Test Page <span></h2>\n\na`````````````````````````````````````````````````````````````````````````````"},"audit_data":{}}

@victorhora
Contributor

SecAuditLogFormat directive is currently not supported on libModSecurity.

As of now, for libModSecurity, Serial logging uses the regular log format by default.

But if you want JSON logging you need to switch to Concurrent (aka Parallel) or HTTPS logging type as these are using JSON by default.
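
Following the reply above, an added example (not part of the original thread and not ModSecurity project code): a small Python forwarder that stands in for the socat pipe by reading the per-transaction JSON files that Concurrent audit logging writes and sending each one as a single UDP datagram. The storage directory path, the `.sent` suffix and all function names are assumptions; 10.10.10.10:8888 is the address from the issue.

```python
import json
import os
import socket

MAX_UDP_PAYLOAD = 65507  # largest payload one IPv4 UDP datagram can carry


def iter_audit_files(storage_dir):
    """Yield unsent per-transaction audit files, in sorted path order."""
    for root, dirs, files in os.walk(storage_dir):
        dirs.sort()  # walk dated subdirectories in order
        for name in sorted(files):
            if not name.endswith(".sent"):
                yield os.path.join(root, name)


def forward_audit_dir(storage_dir, send, max_payload=MAX_UDP_PAYLOAD):
    """Send each JSON record as one datagram; return (sent, skipped) path lists."""
    sent, skipped = [], []
    for path in iter_audit_files(storage_dir):
        try:
            with open(path, "rb") as fh:
                record = json.load(fh)
        except (OSError, ValueError):
            skipped.append(path)  # unreadable or still being written; retry next pass
            continue
        payload = json.dumps(record, separators=(",", ":")).encode("utf-8")
        if len(payload) > max_payload:
            skipped.append(path)  # does not fit in one datagram; keep it on disk
            continue
        send(payload)
        os.rename(path, path + ".sent")  # mark as forwarded so it is not resent
        sent.append(path)
    return sent, skipped


def udp_sender(host, port):
    """Return a send(payload) callable bound to the manager's UDP address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda payload: sock.sendto(payload, (host, port))


if __name__ == "__main__":
    # Assumed SecAuditLogStorageDir value; the address is the one from the issue.
    done, left = forward_audit_dir("/var/log/modsec_audit",
                                   udp_sender("10.10.10.10", 8888))
    print(f"sent={len(done)} skipped={len(left)}")
```

UDP gives no delivery acknowledgement, so the renamed `.sent` files are the only remaining copy if a datagram is lost; prune them on your own retention schedule.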

@victorhora
Contributor

Thanks for your report. I will close this one so we can keep track of this at #1483
