Re: [mod-security-users] Modsecurity 3 logging issues
From: Dino E. <din...@my...> - 2018-07-13 17:09:51
I can’t get it to compile with the following switch: --with-yajl

I get the following error:

./configure: error: invalid option "--with-yajl

According to the article below, JSON support is already built in and switching to concurrent should use JSON by default. It also says that SecAuditLogFormat is not supported.

https://github.com/SpiderLabs/ModSecurity/issues/1483

Am I missing something here?

Thanks

From: Victor Hora [mailto:vic...@gm...]
Sent: Thursday, July 12, 2018 4:46 PM
To: mod...@li...
Subject: Re: [mod-security-users] Modsecurity 3 logging issues

Yes, you need JSON support for saving logs in JSON format. JSON support is provided through the YAJL library; if the lib is installed on your system, the configure script should automatically enable JSON support for you. Depending on your distro, the packages are usually named "yajl" and "yajl-devel" or "libyajl" and "libyajl-devel". You could also use the "--with-yajl" option to specify a local/manual installation of YAJL. See compilation recipes for more info:

https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x

You need to set the "SecAuditLogFormat" directive to "JSON". It defaults to the native non-JSON format if you don't manually specify it.

Also, if I remember correctly, you also need to point the SecAuditLog directive to where the index of your audit logs will be saved when using "Concurrent" logging.

On Wed, Jul 11, 2018 at 5:37 PM Dino Edwards <din...@my...> wrote:

I’m trying to get modsecurity to start logging audit events in JSON format so that I can import to ELK, but I cannot get it to work. Here’s the relevant config:

SecAuditEngine on
SecAuditLogRelevantStatus "^[0-9]+"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType concurrent
#SecAuditLog /var/log/modsec_audit.log
SecAuditLogStorageDir /usr/local/nginx/logs/modsecurity/domain.tld

After I reload nginx I don’t see any files being generated in the /usr/local/nginx/logs/modsecurity/domain.tld directory.

Can someone help point me in the right direction? Do I need to compile modsecurity with JSON support? If so, how would I go about doing that? I was under the impression that using SecAuditLogType concurrent would take care of it.

Thanks in advance

--
- Victor Ribeiro Hora
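The config Dino posted, placed beside the same directives as Victor's reply describes them (an added example for this thread, not a snippet from either poster or from the ModSecurity project); the paths are the ones from the thread, and the comments about what each directive does are the editor's:

```apache
# --- As posted: concurrent logging, no format directive, index file commented out ---
SecAuditEngine on
SecAuditLogRelevantStatus "^[0-9]+"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType concurrent
#SecAuditLog /var/log/modsec_audit.log
SecAuditLogStorageDir /usr/local/nginx/logs/modsecurity/domain.tld

# --- Following the reply: format set explicitly, index file enabled ---
SecAuditEngine on
SecAuditLogRelevantStatus "^[0-9]+"
SecAuditLogParts ABIJDEFHZ
# Native is the default; JSON only works if libmodsecurity was built with YAJL.
SecAuditLogFormat JSON
SecAuditLogType concurrent
# With concurrent logging SecAuditLog is the index file: one line per logged
# transaction, pointing at that transaction's own file under the storage dir.
SecAuditLog /var/log/modsec_audit.log
SecAuditLogStorageDir /usr/local/nginx/logs/modsecurity/domain.tld
```

Both the index file's directory and the storage directory must already exist and be writable by the user the nginx worker processes run as; if no files appear after a reload, the nginx error log is the first place to look for a write failure.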