Thread: [mod-security-users] Modsecurity Nginx: Audit log not being populated
From: Christian V. <cv...@it...> - 2020-02-11 19:31:05
Hello,

I’ve compiled nginx and ModSecurity today; everything works fine except the audit log. The audit log is not being populated: the attacks are logged only in the error log but not in the audit log.
If I change ModSecurity to “DetectionOnly” the audit log starts being populated, but if I set ModSecurity to “On” the audit log does not work…

This is my setup:

nginx version: 1.15.8.1
Modsecurity: branch v3/Master from GitHub

I have these lines to log the transactions:

SecRuleEngine On
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

SecAuditLogDirMode 1733
SecAuditLogFileMode 0550
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4)"
SecAuditLogParts ABCHIZ
SecAuditLogType Serial
SecAuditLog /opt/waf/nginx/var/log/nnoc.vtr.cl/nnoc.vtr.cl_audit.log

Maybe I need to fix my configuration?
Is anybody else experiencing the same?

Thanks in advance.
Cheers.
Chris.

From: Peter K. <pe...@kr...> - 2020-02-12 09:41:02
Let me add a "me too"!

nginx 1.17.x

From: Christian F. <chr...@ne...> - 2020-02-12 09:50:54
Hey guys,

the configuration looks correct. Normally the file permissions can pose a problem. However, the fact that DetectionOnly makes it functional points to a ModSec bug, which you may want to report on github.

The ModSec devs are hardly active on this ML, but they are usually quick to react on github issues.

Please keep us posted.

Christian

From: Christian F. <chr...@ne...> - 2020-02-12 12:58:17
Actually, the problem has been reported before. There is a working fix that is making its way into the master src code tree as we speak.

https://github.com/SpiderLabs/ModSecurity-nginx/issues/170

From: Christian V. <cv...@it...> - 2020-02-18 15:08:46
Sorry for the delay, thanks 😊 this worked!

Cheers!
Chris.
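
Added example, not part of the thread or of the ModSecurity project: a check for the symptom reported above, listing transactions that the nginx error log shows as denied but that never appear in the Serial JSON audit log. The sample log lines are constructed, and the `[unique_id "..."]` error-log tag and the `transaction.unique_id` JSON field are the assumed layouts.

```python
import json
import re

# Constructed sample data (not from the thread). Assumed layout: nginx error-log
# lines carrying ModSecurity's [unique_id "..."] tag, and a Serial JSON audit
# log with one object per line and the id at transaction.unique_id.
ERROR_LOG = '''\
2020/02/11 19:20:01 [error] 77#77: *1 [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [unique_id "158144880111.000001"], client: 192.0.2.10, request: "GET /?id=1 HTTP/1.1"
2020/02/11 19:20:05 [error] 77#77: *2 [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 1). [id "920350"] [unique_id "158144880522.000002"], client: 192.0.2.11, request: "GET / HTTP/1.1"
2020/02/11 19:20:09 [error] 77#77: *3 open() "/srv/www/favicon.ico" failed (2: No such file or directory)
'''
AUDIT_LOG = '''\
{"transaction": {"unique_id": "158144880111.000001", "response": {"http_code": 403}}}

{"transaction": {"unique_id": "158144880999.0000
'''

UNIQUE_ID = re.compile(r'\[unique_id "([^"]+)"\]')

def denied_ids(error_log_text):
    """unique_ids of transactions the error log reports as denied, in order."""
    ids = []
    for line in error_log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # ordinary nginx errors are not WAF decisions
        m = UNIQUE_ID.search(line)
        if m and m.group(1) not in ids:
            ids.append(m.group(1))
    return ids

def audited_ids(audit_log_text):
    """unique_ids present in the audit log; blank or truncated lines are skipped."""
    ids = set()
    for line in audit_log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a line still being written by the worker
        tx = entry.get("transaction") if isinstance(entry, dict) else None
        if isinstance(tx, dict) and "unique_id" in tx:
            ids.add(tx["unique_id"])
    return ids

def missing_from_audit(error_log_text, audit_log_text):
    """Denied transactions that never reached the audit log."""
    seen = audited_ids(audit_log_text)
    return [uid for uid in denied_ids(error_log_text) if uid not in seen]

if __name__ == "__main__":
    for uid in missing_from_audit(ERROR_LOG, AUDIT_LOG):
        print("denied but not audited:", uid)
```

A non-empty result while `SecRuleEngine On` is set, and an empty one under `DetectionOnly`, matches the behaviour described in the first message.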