Re: [mod-security-users] Modsecurity 3 logging issues
From: Victor H. <vic...@gm...> - 2018-07-13 21:31:16
You are probably using an old version of libModSecurity. SecAuditLogFormat should be supported since the commit below from October/2017:

https://github.com/SpiderLabs/ModSecurity/commit/63bef3d142b2ae25ed42d344c40729fb5f3d552e

You should be running at least the latest official release (3.0.2). But if you are upgrading your version of ModSecurity, it's worth noting that the current code on master has a number of recommended fixes that will be getting into an eventual 3.0.3 release.

So please update your codebase, recompile libModSecurity and it should be fine :)

If the issue persists, you're welcome to open an issue on GitHub by providing as much info as possible for further investigation.

Thanks.

On Fri, Jul 13, 2018 at 1:12 PM Dino Edwards <din...@my...> wrote:

> I can’t get it to compile with the following switch:
>
> --with-yajl
>
> I get the following error:
>
> ./configure: error: invalid option "--with-yajl
>
> According to the article below, JSON support is already built-in and
> switching to concurrent should use JSON by default. It also says that
> SecAuditLogFormat is not supported.
>
> https://github.com/SpiderLabs/ModSecurity/issues/1483
>
> Am I missing something here?
>
> Thanks
>
> *From:* Victor Hora [mailto:vic...@gm...]
> *Sent:* Thursday, July 12, 2018 4:46 PM
> *To:* mod...@li...
> *Subject:* Re: [mod-security-users] Modsecurity 3 logging issues
>
> Yes, you need JSON support for saving logs in JSON format. JSON support is
> provided through the YAJL library, if the lib is installed on your system
> the configure script should automatically enable JSON support for you.
>
> Depending on your distro the packages are usually named "yajl" and
> "yajl-devel" or "libyajl" and "libyajl-devel". You could also use the
> "--with-yajl" option to specify a local/manual installation of YAJL.
>
> See compilation recipes for more info:
> https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x
>
> You need to specify the "SecAuditLogFormat" directive to "JSON". It
> defaults to the native non-JSON format if you don't manually specify it.
>
> Also, if I remember correctly, you also need to specify the SecAuditLog
> directive to where the index of your Audit logs will be saved when using
> "Concurrent" logging.
>
> On Wed, Jul 11, 2018 at 5:37 PM Dino Edwards <
> din...@my...> wrote:
>
> I’m trying to get modsecurity to start logging audit events in JSON format
> so that I can import to ELK but I cannot get it to work. Here’s the
> relevant config:
>
> SecAuditEngine on
> SecAuditLogRelevantStatus "^[0-9]+"
> SecAuditLogParts ABIJDEFHZ
> SecAuditLogType concurrent
> #SecAuditLog /var/log/modsec_audit.log
> SecAuditLogStorageDir /usr/local/nginx/logs/modsecurity/domain.tld
>
> After I reload nginx I don’t see any files being generated in the
> /usr/local/nginx/logs/modsecurity/domain.tld directory.
>
> Can someone help point me in the right direction? Do I need to compile
> modsecurity with JSON support? If so, how would I go about doing that? I
> was under the impression that using SecAuditLogType concurrent would take
> care of it.
>
> Thanks in advance
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
> --
> -
> Victor Ribeiro Hora

--
-
Victor Ribeiro Hora
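
An added example, not part of the thread or of the ModSecurity project: a small Python check that encodes the advice given in the replies above (set SecAuditLogFormat to JSON; with Concurrent logging, have both SecAuditLog and SecAuditLogStorageDir active) and runs it against the configuration quoted in the thread. The function names and `FIXED_CONFIG` are assumptions of this example.

```python
# Constructed sample: the configuration quoted in the thread.
THREAD_CONFIG = """\
SecAuditEngine on
SecAuditLogRelevantStatus "^[0-9]+"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType concurrent
#SecAuditLog /var/log/modsec_audit.log
SecAuditLogStorageDir /usr/local/nginx/logs/modsecurity/domain.tld
"""

# Assumed fix following the replies: index path active, JSON format set.
FIXED_CONFIG = (THREAD_CONFIG.replace("#SecAuditLog ", "SecAuditLog ")
                + "SecAuditLogFormat JSON\n")


def active_directives(text):
    """Map directive name (lowercased by this checker) to its value.

    Commented-out lines are skipped, which is the point: a directive
    behind '#' is not in effect. The last occurrence wins.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *rest = line.split(None, 1)
        found[name.lower()] = rest[0].strip().strip('"') if rest else ""
    return found


def check_json_audit_logging(text):
    """Return (directive, problem) pairs for the points raised in the thread."""
    d = active_directives(text)
    problems = []
    if d.get("secauditengine", "").lower() not in ("on", "relevantonly"):
        problems.append(("SecAuditEngine", "not set to On or RelevantOnly in this file"))
    if d.get("secauditlogformat", "").lower() != "json":
        problems.append(("SecAuditLogFormat", "not set to JSON, so the native format is used"))
    if d.get("secauditlogtype", "").lower() == "concurrent":
        if not d.get("secauditlog"):
            problems.append(("SecAuditLog", "no active index path for Concurrent logging"))
        if not d.get("secauditlogstoragedir"):
            problems.append(("SecAuditLogStorageDir", "no storage directory for Concurrent logging"))
    return problems


if __name__ == "__main__":
    for label, cfg in (("thread config", THREAD_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(label, check_json_audit_logging(cfg) or "OK")
```

The check only reads the configuration text; it cannot tell whether the installed libModSecurity build is recent enough to support SecAuditLogFormat, which is the other cause named in the reply.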