Re: [mod-security-users] Modsecurity Nginx: Audit log not being populated
From: Christian F. <chr...@ne...> - 2020-02-12 12:58:17
Actually, the problem has been reported before. There is a working fix that
is making its way into the master src code tree as we speak.

https://github.com/SpiderLabs/ModSecurity-nginx/issues/170

On Wed, Feb 12, 2020 at 10:50:38AM +0100, Christian Folini wrote:
> Hey guys,
>
> the configuration looks correct. Normally the file permissions can pose
> a problem. However, the fact that DetectionOnly makes it functional points to
> a ModSec bug, which you may want to report on github.
>
> The ModSec devs are hardly active on this ML, but they are usually quick to
> react on github issues.
>
> Please keep us posted.
>
> Christian
>
> On Wed, Feb 12, 2020 at 09:49:02AM +0100, Peter Kreuser wrote:
> > Let me add a "me too"!
> >
> > nginx 1.17.x
> >
> > On 2020-02-11 20:05, Christian Varas wrote:
> > > Hello, I’ve compiled a nginx and Modsecurity today, everything works fine
> > > except the audit log. The audit log is not being populated, the
> > > attacks are logged only in the error log but not in the audit log.
> > > If I change modsecurity to “DetectionOnly” the audit logs start
> > > being populated but if I set modsecurity to “On” the audit log does
> > > not work…
> > > This is my setup:
> > >
> > > nginx version: 1.15.8.1
> > > Modsecurity: branch v3/Master from GitHub
> > >
> > > I have these lines to log the transactions:
> > >
> > > SecRuleEngine On
> > > SecDefaultAction "phase:1,log,auditlog,deny,status:403"
> > > SecDefaultAction "phase:2,log,auditlog,deny,status:403"
> > >
> > >
> > > SecAuditLogDirMode 1733
> > > SecAuditLogFileMode 0550
> > > SecAuditLogFormat JSON
> > > SecAuditEngine RelevantOnly
> > > SecAuditLogRelevantStatus "^(?:5|4)"
> > > SecAuditLogParts ABCHIZ
> > > SecAuditLogType Serial
> > > SecAuditLog /opt/waf/nginx/var/log/nnoc.vtr.cl/nnoc.vtr.cl_audit.log
> > >
> > >
> > >
> > > Maybe I need to fix my configuration?
> > > Is anybody else experiencing the same?
> > >
> > > Thanks in advance.
> > > Cheers.
> > > Chris.
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/
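
A sanity check for the configuration-side causes worth ruling out before filing the bug (the file permissions mentioned above and the RelevantOnly status filter from the posted config), as an added example that is not from the thread or the ModSecurity project. It assumes a Serial audit log, uses Python's `re` as a stand-in for ModSecurity's regex engine, and tests writability for the user running the script; the sample path is a constructed placeholder.

```python
import os
import re
import shlex

# Constructed sample modelled on the directives quoted in the thread; placeholder path.
SAMPLE = '''
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4)"
SecAuditLog /tmp/modsec-example/audit.log
'''

def parse_directives(text):
    """Map directive name -> arguments of its last occurrence; collect unparsable line numbers."""
    seen, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            name, *args = shlex.split(line)
            seen[name] = args
        except ValueError:  # unbalanced quote, e.g. a typographic quote pasted from mail
            bad.append(n)
    return seen, bad

def audit_log_problems(text, blocked_status="403"):
    """Return reasons why a blocked request would not reach a Serial audit log."""
    d, bad = parse_directives(text)
    problems = [f"line {n}: unbalanced quotes" for n in bad]
    engine = (d.get("SecAuditEngine") or ["Off"])[0]  # ModSecurity's default is Off
    if engine == "Off":
        problems.append("SecAuditEngine is Off")
    elif engine == "RelevantOnly":
        pattern = (d.get("SecAuditLogRelevantStatus") or [None])[0]
        if pattern is None or not re.search(pattern, blocked_status):  # re approximates the real engine
            problems.append(f"status {blocked_status} is not matched by SecAuditLogRelevantStatus")
    path = (d.get("SecAuditLog") or [""])[0]
    parent = os.path.dirname(path) or "."
    if not path:
        problems.append("SecAuditLog is not set")
    elif not os.path.isdir(parent):
        problems.append(f"{parent} does not exist")
    elif not os.access(parent, os.W_OK):  # run this as the nginx worker user
        problems.append(f"{parent} is not writable")
    return problems

if __name__ == "__main__":
    for p in audit_log_problems(SAMPLE):
        print("PROBLEM:", p)
```

An empty result with the engine set to `On` and still no audit entries points away from the configuration, which is the situation the thread describes.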