Re: [mod-security-users] Modsecurity 3 logging issues
From: William C. <wil...@mu...> - 2018-07-13 20:00:33
I had a similar issue with yajl and ModSec 3.0.2. To work around, I pointed to our local build of it directly, for example

--with-yajl=<full path to where ever>/yajl

But there is also an issue that YAJL_LDFLAGS is not used when it builds test dir. Work around is unwind <full path to where ever>/yajl/lib into (CentOS) /lib64.

Hope that helps - Jay

On Fri, Jul 13, 2018 at 12:08 PM, Dino Edwards <din...@my...> wrote:

> I can’t get it to compile with the following switch:
>
> --with-yajl
>
> I get the following error:
>
> ./configure: error: invalid option "--with-yajl
>
> According to the article below, JSON support is already built-in and
> switching to concurrent should use JSON by default. It also says that
> SecAuditLogFormat is not supported.
>
> https://github.com/SpiderLabs/ModSecurity/issues/1483
>
> Am I missing something here?
>
> Thanks
>
> *From:* Victor Hora [mailto:vic...@gm...]
> *Sent:* Thursday, July 12, 2018 4:46 PM
> *To:* mod...@li...
> *Subject:* Re: [mod-security-users] Modsecurity 3 logging issues
>
> Yes, you need JSON support for saving logs in JSON format. JSON support is
> provided through the YAJL library, if the lib is installed on your system
> the configure script should automatically enable JSON support for you.
>
> Depending on your distro the packages are usually named "yajl" and
> "yajl-devel" or "libyajl" and "libyajl-devel". You could also use the
> "--with-yajl" option to specify a local/manual installation of YAJL.
>
> See compilation recipes for more info:
> https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x
>
> You need to specify the "SecAuditLogFormat" directive to "JSON". It
> defaults to the native non-JSON format if you don't manually specify it.
>
> Also, if I remember correctly, you also need to specify the SecAuditLog
> directive to where the index of your Audit logs will be saved when using
> "Concurrent" logging.
>
> On Wed, Jul 11, 2018 at 5:37 PM Dino Edwards <din...@my...> wrote:
>
> I’m trying to get modsecurity to start logging audit events in JSON format
> so that I can import to ELK but I cannot get it to work. Here’s the
> relevant config:
>
> SecAuditEngine on
> SecAuditLogRelevantStatus "^[0-9]+"
> SecAuditLogParts ABIJDEFHZ
> SecAuditLogType concurrent
> #SecAuditLog /var/log/modsec_audit.log
> SecAuditLogStorageDir /usr/local/nginx/logs/modsecurity/domain.tld
>
> After I reload nginx I don’t see any files being generated in the
> /usr/local/nginx/logs/modsecurity/domain.tld directory.
>
> Can someone help point me in the right direction? Do I need to compile
> modsecurity with JSON support? If so, how would I go about doing that? I
> was under the impression that using SecAuditLogType concurrent would take
> care of it.
>
> Thanks in advance
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
> --
> Victor Ribeiro Hora
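A small lint for the audit-log directives discussed in this thread, added here as an example (not code from any poster or from the ModSecurity project): it flags a config that leaves SecAuditLogFormat at its native default or, with concurrent logging, omits SecAuditLogStorageDir or the SecAuditLog index file. The function names are hypothetical, the sample is the config quoted above, and the checks encode the advice in Victor Hora's reply.

```python
import re

# Constructed sample: the configuration quoted in the thread.
SAMPLE_CONF = """\
SecAuditEngine on
SecAuditLogRelevantStatus "^[0-9]+"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType concurrent
#SecAuditLog /var/log/modsec_audit.log
SecAuditLogStorageDir /usr/local/nginx/logs/modsecurity/domain.tld
"""


def parse_directives(text):
    """Return {directive_lowercase: value} for active (uncommented) Sec* lines."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives do not count as set
        m = re.match(r"(Sec\w+)\s+(.*)", line, re.IGNORECASE)
        if m:
            found[m.group(1).lower()] = m.group(2).strip().strip('"')
    return found


def check_json_audit_config(text):
    """List the gaps between a config and the JSON-logging advice in the thread."""
    d = parse_directives(text)
    issues = []
    if d.get("secauditengine", "off").lower() == "off":
        issues.append("SecAuditEngine is off or missing")
    if d.get("secauditlogformat", "").lower() != "json":
        issues.append("SecAuditLogFormat is not JSON (native format is the default)")
    if d.get("secauditlogtype", "").lower() == "concurrent":
        if "secauditlogstoragedir" not in d:
            issues.append("SecAuditLogType concurrent without SecAuditLogStorageDir")
        if "secauditlog" not in d:
            issues.append("SecAuditLog (index file for concurrent logging) is not set")
    return issues


if __name__ == "__main__":
    for issue in check_json_audit_config(SAMPLE_CONF):
        print("WARN:", issue)
```
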