Don't AuditLog Json format logging to one file in libmodsecurity? #1493

Closed
truman-test opened this issue Jul 7, 2017 · 7 comments
To save the JSON format log in libmodsecurity, I know I need to set it as follows: SecAuditLogType Parallel
( Parallel configuration is probably the same as setting up Concurrent. )
( https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secauditlogtype )

However, when I set SecAuditLogType to Parallel, SecAuditLogStorageDir must also be set, so I cannot log to one file.

So I set SecAuditLogType to Serial to log to one file.
Serial cannot be saved in JSON format. Do you plan to support it?

Source Code: https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/audit_log/writer/serial.cc

====

owasp-modsecurity/ModSecurity-nginx#47 (comment)

@zimmerle zimmerle self-assigned this Jul 7, 2017
zimmerle (Contributor) commented Jul 7, 2017

Hi @truman-test,

That is an interesting question. A regular JSON is a self contained document. It demands a clear start and a clear end. For example:

{  
   "modsec":"cool"
}

Example 1. We have: { and }, starting and closing the document.

[  
   {  
      "modsec":"cool"
   }
]

Example 2. We have: [ and ], starting and closing the document.

So, having a single entry in a single file seems fine as it is written in a single shot. To have all the logs in a single JSON is more complicated, as it may demand to use the same techniques that are used on streaming JSON. It could be, for instance, a simple concatenated JSON, but I am afraid that it may not be what you are looking for.

What is the target application that you are interested to use to read those logs?

truman-test (Author) commented Jul 10, 2017

Hello @zimmerle ,

I use libmodsecurity to do full logging (request / response) of Nginx + HTTPS traffic.
( I need full logging in JSON format to a single file. )

The logged files are sent to an open-source NIDS (e.g. Suricata, Snort) using tail or socat for security monitoring.

+ HTTPS Traffic Monitoring
Nginx+libmodsecurity (HTTPS traffic logging, JSON format, single file) -> open-source NIDS

So I hope logging to a single file in JSON format is supported when SecAuditLogType is Serial.

zimmerle (Contributor) commented:
Hi @truman-test,

Can you provide the links for the documentation with the expected JSON type?

truman-test (Author) commented Jul 27, 2017

Hello @zimmerle,
What I want is nothing special, the same as the existing JSON type provided by ModSecurity 2.9 on Apache.

link : https://gist.github.com/zimmerle/b22660ab33bd6df444fd

Example:
{"transaction": {"time":"03/Jul/2017:14:05:24 +0900","transaction_id":"WVnQlArDGOIAAGaFyOYAAACQ","remote_address":"10.10.10.20","remote_port":51495,"local_address":"10.10.10.30","local_port":80},"request":{"request_line":"POST / HTTP/1.1","headers":{"Host":"http://10.10.10.30/index.html","User-Agent":"curl/7.51.0","Accept":"*/*","Content-Length":"51","Content-Type":"application/x-www-form-urlencoded"},"body":["{1}IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII"]},"response":{"protocol":"HTTP/1.1","status":200,"headers":{"Last-Modified":"Wed, 28 Jun 2017 04:28:36 GMT","ETag":"\"873-552fd9e21cba3\"","Accept-Ranges":"bytes","Content-Length":"2163","Content-Type":"text/html"},"body":"<html><body><h1>It works!</h1></body></html>\n<h2><span style=\"color:red\"; >ModSecurity Test Page <span></h2>\n\na`````````````````````````````````````````````````````````````````````````````"},"audit_data":{}}
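Added example, not code from this thread or from the ModSecurity project: a small Python reader for the "concatenated JSON" single file that zimmerle's earlier comment describes, run over entries in the shape of the 2.9 JSON format quoted just above. It shows the two points the thread turns on: a file of entries written back to back is not itself one JSON document (json.loads rejects it), but it is still easy to consume incrementally with json.JSONDecoder.raw_decode, which reports where each document ends, so no separator is needed and a pretty-printed entry may span several lines. It also handles the case a tail/socat consumer hits in practice, an entry that is only half written when the chunk arrives. The sample log, the entry names, and the helper names (SAMPLE_LOG, THIRD_ENTRY_REMAINDER, split_concatenated_json, ConcatenatedJsonReader, summarize) are all constructed for this example and are not ModSecurity identifiers.

```python
import json
from typing import List, Tuple

# Constructed sample (not a real capture): three audit entries in the shape of
# the ModSecurity 2.9 JSON format quoted in the thread, fields trimmed,
# written back to back into one file with no separator, which is exactly the
# "concatenated JSON" case. The second entry is pretty-printed over several
# lines; the third is cut off mid-write, as a reader following the file with
# `tail -f` would see it between two writes.
SAMPLE_LOG = (
    '{"transaction": {"time":"03/Jul/2017:14:05:24 +0900","transaction_id":"T1",'
    '"remote_address":"10.10.10.20","remote_port":51495,'
    '"local_address":"10.10.10.30","local_port":80},'
    '"request":{"request_line":"POST / HTTP/1.1","headers":{"Host":"10.10.10.30"}},'
    '"response":{"status":200},"audit_data":{}}\n'
    '{\n  "transaction": {"time":"03/Jul/2017:14:05:25 +0900","transaction_id":"T2",'
    '"remote_address":"10.10.10.21","remote_port":51496,'
    '"local_address":"10.10.10.30","local_port":80},\n'
    '  "request":{"request_line":"GET /?q=1 HTTP/1.1","headers":{}},\n'
    '  "response":{"status":403},"audit_data":{}\n}'
    '{"transaction": {"time":"03/Jul/2017:14:05:26 +0900","transaction_id":"T3",'
    '"remote_address":"10.10.10.22","remote_port":51497,"loc'
)

# The rest of the third entry, as the next write would append it (constructed).
THIRD_ENTRY_REMAINDER = (
    'al_address":"10.10.10.30","local_port":80},'
    '"request":{"request_line":"GET / HTTP/1.1","headers":{}},'
    '"response":{"status":200},"audit_data":{}}\n'
)

_DECODER = json.JSONDecoder()


def is_single_json_document(text: str) -> bool:
    """True only if the whole buffer is one JSON document.

    A file of concatenated entries fails this check: json.loads stops at the
    end of the first document and rejects the trailing data as "Extra data"."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def split_concatenated_json(text: str) -> Tuple[List[dict], str]:
    """Decode every complete top-level document in `text`, in order.

    Returns (documents, remainder). `remainder` is the unparsed tail: "" when
    the buffer ended on a document boundary, otherwise the bytes of an entry
    that has not been fully written yet. raw_decode() returns the index where
    each document ends, so no separator is needed between entries and an entry
    may span several lines."""
    docs: List[dict] = []
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos] in " \t\r\n":  # inter-document whitespace
            pos += 1
        if pos >= end:
            return docs, ""
        try:
            obj, pos = _DECODER.raw_decode(text, pos)
        except json.JSONDecodeError:
            # Truncated entry (or corrupt data): hand it back to the caller so
            # the next chunk can be appended and the decode retried.
            return docs, text[pos:]
        docs.append(obj)


class ConcatenatedJsonReader:
    """Incremental reader for a tail/socat style feed of concatenated JSON.

    feed() accepts arbitrary chunks and returns only the entries that are
    complete; a partial entry stays buffered until the rest arrives."""

    def __init__(self) -> None:
        self._buf = ""

    def feed(self, chunk: str) -> List[dict]:
        self._buf += chunk
        docs, self._buf = split_concatenated_json(self._buf)
        return docs

    @property
    def pending(self) -> str:
        return self._buf


def summarize(entry: dict) -> dict:
    """Flatten one audit entry to the fields a NIDS pipeline usually keys on."""
    tx = entry["transaction"]
    return {
        "id": tx["transaction_id"],
        "src": f'{tx["remote_address"]}:{tx["remote_port"]}',
        "dst": f'{tx["local_address"]}:{tx["local_port"]}',
        "request_line": entry.get("request", {}).get("request_line"),
        "status": entry.get("response", {}).get("status"),
    }


if __name__ == "__main__":
    print("whole file is one JSON document:", is_single_json_document(SAMPLE_LOG))
    reader = ConcatenatedJsonReader()
    for entry in reader.feed(SAMPLE_LOG) + reader.feed(THIRD_ENTRY_REMAINDER):
        print(summarize(entry))
```

One caveat for a consumer built this way: a corrupt entry (not merely a truncated one) also fails raw_decode and would sit in the buffer forever, so a production reader should time out or resync on the next entry start rather than wait indefinitely, and a writer that emits one entry per line (newline-delimited JSON) makes that resync trivial.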

zimmerle (Contributor) commented:
Closed as part of #1583.

truman-test (Author) commented:
@victorhora @zimmerle
Thank you
I'll test it and talk again :)

truman-test (Author) commented:
@victorhora @zimmerle

As a result of testing with the patched version, there are no response body contents.
It seems that also needs modification :)
