Re: [mod-security-users] JSON logging with V3RC1
From: Phil D. <ux...@sp...> - 2017-11-09 13:49:22
Hi Felipe,

I have enabled debug at level 9 and it is reporting:

[9] JSON parser initialization
[9] yajl JSON parsing callback initialization
[4] Initializing transaction
[4] Transaction context created.
[4] Starting phase CONNECTION. (SecRules 0)
[9] This phase consists of 42 rule(s).
[4] Starting phase URI. (SecRules 0 + 1/2)
[4] Starting phase REQUEST_HEADERS. (SecRules 1)
[9] This phase consists of 667 rule(s).
[4] (Rule: 999999) Executing operator "GeoLookup" with param "" against REMOTE_ADDR.
[9] Target value: "X.X.X.X" (Variable: REMOTE_ADDR)
[9] Matched vars updated.
[4] Running [independent] (non-disruptive) action: msg
[9] Saving msg: Block access to WP login
[4] Rule returned 1.
[4] Executing chained rule.
[9] Matched vars cleaned.
[9] JSON: Cleaning up JSON results

Even with a test rule nothing is being logged at all :(

Thanks - Phil

----- On 9 Nov, 2017, at 12:56, Felipe Costa <FC...@tr...> wrote:

> Hi Phil,
>
> The debug logs can be activated by the utilization of SecDebugLog and
> SecDebugLogLevel configuration directives:
>
> - SecDebugLog - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecDebugLog
> - SecDebugLogLevel - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secdebugloglevel
>
> From your previous email I've noticed that you were trying to enable the debug
> logs via ctl action, which is not supported on v3.
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, Lead Developer ModSecurity.
> Trustwave | SMART SECURITY ON DEMAND
> http://www.trustwave.com/
>
> From: Phil Daws <ux...@sp...>
> Sent: Thursday, November 9, 2017 9:50:53 AM
> To: Felipe Costa
> Cc: mod-security-users
> Subject: Re: JSON logging with V3RC1
>
> Good morning Felipe,
>
> I have gone back to square one with a simple modsecurity.conf plus have added
> Atomicorp WAF rules which I am pretty confident would generate some alert
> messages. Here is the conf:
>
> SecRuleEngine on
> SecRequestBodyAccess On
> SecResponseBodyMimeType (null) text/html text/plain text/xml
> SecUploadDir /tmp
> SecUploadKeepFiles off
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> SecAuditLogType Concurrent
> SecAuditLog /var/log/nginx/audit_log
> SecAuditLogParts ABIFHZ
> SecCookieFormat 0
> SecDataDir /tmp
> SecTmpDir /tmp
> SecAuditLogStorageDir /var/asl/data/audit
> SecRequestBodyLimit 134217728
> SecResponseBodyLimitAction ProcessPartial
> SecRequestBodyNoFilesLimit 1048576
> SecAuditLogDirMode 0770
> SecPcreMatchLimit 150000
> SecPcreMatchLimitRecursion 150000
> SecResponseBodyAccess on
> SecCollectionTimeout 86400
> SecGeoLookupDb /etc/nginx/GeoLiteCity.dat
>
> No errors are reported in nginx.log when I restart the service and nothing ever
> is being written out to audit_log :( I have run lsof against the log:
>
> lsof audit_log
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> nginx 7464 root 7w REG 182,761905 0 16991 audit_log
> nginx 7465 nginx 7w REG 182,761905 0 16991 audit_log
> nginx 7466 nginx 7w REG 182,761905 0 16991 audit_log
> nginx 7470 nginx 7w REG 182,761905 0 16991 audit_log
> nginx 7472 nginx 7w REG 182,761905 0 16991 audit_log
> nginx 7474 nginx 7w REG 182,761905 0 16991 audit_log
>
> and the PIDs match the running processes, so locking should not be an issue:
>
> ps -fu nginx
> nginx 7465 7464 0 11:36 ? 00:00:00 nginx: worker process
> nginx 7466 7464 0 11:36 ? 00:00:00 nginx: worker process
> nginx 7470 7464 0 11:36 ? 00:00:00 nginx: worker process
> nginx 7472 7464 0 11:36 ? 00:00:00 nginx: worker process
> nginx 7474 7464 0 11:36 ? 00:00:00 nginx: cache manager process
>
> How may I start to debug this please, as I would really like to get it working.
>
> Thanks - Phil
>
> ----- On 8 Nov, 2017, at 12:32, Felipe Costa <FC...@tr...> wrote:
>
>> Hi Phil,
>>
>> Did you happen to have any kind of crash on your system prior to the log
>> generation? I am asking that because that may be related to unreleased locks.
>> If not production, try a system reset to make sure that it is not a locking
>> problem. Otherwise let me know and we start a debug process.
>>
>> Another thing that is very common on that matter is SELinux (or any other LSM)
>> blocking the file from being written. In that case, if you happen to have the debug
>> logs, there will be an entry saying so. Talking about debug logs, do you mind
>> sharing what you have there?
>>
>> Br.,
>> Felipe "Zimmerle" Costa
>> Security Researcher, Lead Developer ModSecurity.
>> Trustwave | SMART SECURITY ON DEMAND
>> http://www.trustwave.com/
>>
>> From: Phil Daws <ux...@sp...>
>> Sent: Tuesday, November 7, 2017 6:31:27 PM
>> To: mod-security-users
>> Subject: [mod-security-users] JSON logging with V3RC1
>>
>> Hello:
>>
>> I have compiled ModSecurity v3RC1 with JAML support and included it in NGINX but
>> nothing is being logged at all :( Here are the details from the configure script:
>>
>> ModSecurity - v2.9.0-913-ga2427df2 for Linux
>> Mandatory dependencies
>> + libInjection ....v2.9.0-913-ga2427df2
>> + SecLang tests ....a2427df2
>> Optional dependencies
>> + GeoIP ....found v1.5.0
>> -lGeoIP , -I/usr/include/
>> + LibCURL ....found v7.29.0
>> -lcurl , -DWITH_CURL
>> + YAJL ....found v2.0.4
>> -lyajl , -DWITH_YAJL
>> + LMDB ....disabled
>> + LibXML2 ....found v2.9.1
>> -lxml2 -lz -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
>> Other Options
>> + Test Utilities ....enabled
>> + SecDebugLog ....enabled
>> + afl fuzzer ....disabled
>> + library examples ....enabled
>> + Building parser ....disabled
>>
>> and the options I am using in modsecurity.conf:
>>
>> SecAuditLogType Parallel
>> SecAuditLog /var/log/modsecurity/modsecurityaudit.log
>> SecAuditLogStorageDir /var/modsecurity/var/audit/
>> SecAuditEngine RelevantOnly
>> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>> SecAuditLogParts ABIJDEFHZ
>>
>> Are these the correct settings please?
>>
>> Thanks - Phil
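Two things a reader of this thread would want to check mechanically, shown here in an added Python example that is not part of the thread or of ModSecurity itself: what the level-9 debug excerpt actually records per rule (operator run, actions executed, match, chain), and which response statuses the posted `SecAuditLogRelevantStatus` regex treats as relevant under `SecAuditEngine RelevantOnly`. The debug-log sample is constructed from the lines quoted above, and the message forms the summarizer matches on are assumed from those lines, not from an engine format specification.

```python
import re

# Level-9 debug-log excerpt as posted in the thread (constructed sample input).
DEBUG_LOG = """\
[4] Initializing transaction
[4] Starting phase CONNECTION. (SecRules 0)
[4] Starting phase REQUEST_HEADERS. (SecRules 1)
[4] (Rule: 999999) Executing operator "GeoLookup" with param "" against REMOTE_ADDR.
[9] Target value: "X.X.X.X" (Variable: REMOTE_ADDR)
[4] Running [independent] (non-disruptive) action: msg
[9] Saving msg: Block access to WP login
[4] Rule returned 1.
[4] Executing chained rule.
"""

LINE_RE = re.compile(r"^\[(\d)\] (.*)$")
PHASE_RE = re.compile(r"^Starting phase (\w+)\.")
RULE_RE = re.compile(r'^\(Rule: (\d+)\) Executing operator "([^"]*)"')
ACTION_RE = re.compile(r"action: (\w+)$")

def summarize_debug_log(text):
    """Per rule id: operator run, actions executed, whether it matched and whether
    a chained rule followed (message forms assumed from the thread's excerpt)."""
    phases, rules, current = [], {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(2)
        if (p := PHASE_RE.match(msg)):
            phases.append(p.group(1))
        elif (r := RULE_RE.match(msg)):
            current = r.group(1)
            rules[current] = {"operator": r.group(2), "actions": [],
                              "matched": False, "chained": False}
        elif current and (a := ACTION_RE.search(msg)):
            rules[current]["actions"].append(a.group(1))
        elif current and msg == "Rule returned 1.":
            rules[current]["matched"] = True
        elif current and msg == "Executing chained rule.":
            rules[current]["chained"] = True
    return phases, rules

# SecAuditLogRelevantStatus exactly as configured in the thread.
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")

def audit_relevant(status, rule_logged=False):
    """Under SecAuditEngine RelevantOnly a transaction is written only if a rule
    asked for it to be logged or the response status matches the regex."""
    return rule_logged or bool(RELEVANT_STATUS.match(str(status)))
```

Run against the excerpt, the summary shows a single rule that matched and handed off to a chained rule with only the non-disruptive `msg` action executed, and the status check shows that 404 and 2xx responses never qualify on status alone.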