Re: [mod-security-users] Modsecurity Nginx: Audit log not being populated
From: Christian V. <cv...@it...> - 2020-02-18 15:08:46
Sorry for the delay, thanks 😊 this worked!

Cheers!
Chris.

> On 12-02-2020, at 10:00, Christian Folini <chr...@ne...> wrote:
>
> Actually, the problem has been reported before. There is a working fix that is
> making its way into the master src code tree as we speak.
>
> https://github.com/SpiderLabs/ModSecurity-nginx/issues/170
>
>> On Wed, Feb 12, 2020 at 10:50:38AM +0100, Christian Folini wrote:
>> Hey guys,
>>
>> the configuration looks correct. Normally the file permissions can pose
>> a problem. However, the fact that DetectionOnly makes it functional points to
>> a ModSec bug, which you may want to report on github.
>>
>> The ModSec devs are hardly active on this ML, but they are usually quick to
>> react on github issues.
>>
>> Please keep us posted.
>>
>> Christian
>>
>>> On Wed, Feb 12, 2020 at 09:49:02AM +0100, Peter Kreuser wrote:
>>> Let me add a "me too"!
>>>
>>> nginx 1.17.x
>>>
>>> On 2020-02-11 20:05, Christian Varas wrote:
>>>> Hello, I’ve compiled nginx and Modsecurity today, everything works fine
>>>> except the audit log. The audit log is not being populated, the
>>>> attacks are logged only in the error log but not in the audit log.
>>>> If I change modsecurity to “DetectionOnly” the audit logs start
>>>> being populated but if I set modsecurity to “On” the audit log does
>>>> not work…
>>>> This is my setup:
>>>>
>>>> nginx version: 1.15.8.1
>>>> Modsecurity: branch v3/Master from GitHub
>>>>
>>>> I have these lines to log the transactions:
>>>>
>>>> SecRuleEngine On
>>>> SecDefaultAction "phase:1,log,auditlog,deny,status:403"
>>>> SecDefaultAction "phase:2,log,auditlog,deny,status:403"
>>>>
>>>>
>>>> SecAuditLogDirMode 1733
>>>> SecAuditLogFileMode 0550
>>>> SecAuditLogFormat JSON
>>>> SecAuditEngine RelevantOnly
>>>> SecAuditLogRelevantStatus "^(?:5|4)"
>>>> SecAuditLogParts ABCHIZ
>>>> SecAuditLogType Serial
>>>> SecAuditLog /opt/waf/nginx/var/log/nnoc.vtr.cl/nnoc.vtr.cl_audit.log
>>>>
>>>>
>>>>
>>>> Maybe I need to fix my configuration?
>>>> Is anybody else experiencing the same?
>>>>
>>>> Thanks in advance.
>>>> Cheers.
>>>> Chris.
>>>>
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>> http://www.modsecurity.org/projects/commercial/support/
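
A cross-check for the symptom described in this thread (denials show up in the error log but not in the audit log), added here as an example and not taken from the thread or from the ModSecurity project. The log lines are constructed, and the `[unique_id "..."]` tag in the error log and the `transaction.unique_id` field in the JSON audit log are assumed layouts.

```python
import json
import re

# Constructed nginx error-log lines; the [unique_id "..."] tag is an assumed layout.
ERROR_LOG = '''\
2020/02/11 20:01:10 [error] 911#0: *3 [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "1001"] [unique_id "158144767011.000001"], client: 192.0.2.10, server: example.test
2020/02/11 20:01:12 [error] 911#0: *4 [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 1). [id "1002"] [unique_id "158144767211.000002"], client: 192.0.2.11, server: example.test
2020/02/11 20:01:15 [error] 911#0: *5 open() "/srv/www/favicon.ico" failed (2: No such file or directory)
'''

# Constructed Serial/JSON audit log: one object per line, with the id under
# transaction.unique_id (assumed layout). The second line is deliberately broken.
AUDIT_LOG = '''\
{"transaction": {"unique_id": "158144767011.000001", "response": {"http_code": 403}}}
not-json: truncated write
'''

UNIQUE_ID = re.compile(r'ModSecurity: .*\[unique_id "([^"]+)"\]')

def denied_ids(error_log):
    """unique_ids of ModSecurity entries in the error log, in order seen."""
    return [m.group(1) for line in error_log.splitlines()
            if (m := UNIQUE_ID.search(line))]

def audited_ids(audit_log):
    """unique_ids present in the audit log; unparsable lines are skipped."""
    ids = set()
    for line in audit_log.splitlines():
        try:
            record = json.loads(line)
        except ValueError:
            continue
        tx = record.get("transaction") if isinstance(record, dict) else None
        if isinstance(tx, dict) and tx.get("unique_id"):
            ids.add(tx["unique_id"])
    return ids

def missing_from_audit(error_log, audit_log):
    """Transactions the error log reports but the audit log never recorded."""
    seen = audited_ids(audit_log)
    return [uid for uid in denied_ids(error_log) if uid not in seen]

if __name__ == "__main__":
    for uid in missing_from_audit(ERROR_LOG, AUDIT_LOG):
        print("no audit record for transaction", uid)
```

A non-empty result while `SecRuleEngine On` is set, and an empty one under `DetectionOnly`, matches the behaviour reported in this thread.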