Hey Wouter,
I feel your pain. As with a lot of things libModSecurity3, this is not
documented AFAIK. The unique ID really is kind of annoying on this platform.
Christian
On Wed, Sep 23, 2020 at 11:08:54AM +0000, Wouter de Jong wrote:
> Hi,
>
> I'm trying modsecurity together with nginx for the first time. Everything
> seems to be working correctly (together with the coreruleset). However
> I somehow get an audit log with a slightly different format than everything
> I can find online. This makes it quite hard to use with e.g. open source
> log parsers.
>
> To identify some differences I found. This is the log header in our audit
> logs (with IPs blanked-out):
>
> ---iOma3Pk1---A--
> [20/Sep/2020:21:00:20 +0200] 160062842027.385932 000.000.00.000 53270 000.000.000.00 443
> ---iOma3Pk1---B--
> ...
>
> The differences:
> - The section IDs are no longer hexadecimal;
> - There are more dashes between section ID and A-Z than documented;
> - The unique ID (after timestamp) is a float, instead of string ID.
>
> Is this expected behavior? (libmodsecurity 3.0.4, nginx connector 1.0.1, nginx
> 1.18.0, using the default modsecurity configuration) If so, is there any source
> documenting the new format?
>
> Thanks for your time & help!
> Wouter
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
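A tolerant parser for the header differences listed in the quoted message, as an added example that is not part of the thread or of ModSecurity's own code: it accepts both the v2-style `--xxxxxxxx-A--` boundary and the libModSecurity3 boundary quoted above, and keeps the unique ID as a string. The function names, the section B line and the second sample entry are assumptions constructed for illustration.

```python
import re

# Boundary line. ModSecurity v2 documents "--<8 hex chars>-A--"; the v3 sample
# in this thread is "---iOma3Pk1---A--". Accept both: 2+ dashes, an
# alphanumeric boundary, 1+ dashes, one section letter, "--".
BOUNDARY = re.compile(r"^-{2,}([A-Za-z0-9]+)-+([A-Z])--$")
# Section A: [timestamp] unique_id src_ip src_port dst_ip dst_port
HEADER_A = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")

def parse_header(lines):
    for line in lines:
        m = HEADER_A.match(line.strip())
        if m:
            ts, uid, src, sport, dst, dport = m.groups()
            # unique_id stays a string: the v3 value looks like a float but has
            # more digits than a double keeps, so float() would corrupt it.
            return {"timestamp": ts, "unique_id": uid, "src_ip": src,
                    "src_port": int(sport), "dst_ip": dst, "dst_port": int(dport)}
    return None

def parse_audit_log(text):
    """Split a serial audit log into transactions keyed by section letter."""
    txs, cur, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        # Inside a transaction, only its own boundary (or a new A) is a marker;
        # anything else is payload, even if it resembles one.
        if m and (m.group(2) == "A" or (cur and m.group(1) == cur["boundary"])):
            if m.group(2) == "A":
                cur = {"boundary": m.group(1), "sections": {}}
                txs.append(cur)
            section = cur["sections"].setdefault(m.group(2), [])
        elif section is not None:
            section.append(line)
    for tx in txs:
        tx["header"] = parse_header(tx["sections"].get("A", []))
    return txs

# Constructed sample: v3 header as quoted in this thread, then a made-up v2-style entry.
SAMPLE = """\
---iOma3Pk1---A--
[20/Sep/2020:21:00:20 +0200] 160062842027.385932 000.000.00.000 53270 000.000.000.00 443
---iOma3Pk1---B--
GET / HTTP/1.1
---iOma3Pk1---Z--
--a1b2c3d4-A--
[20/Sep/2020:21:00:21 +0200] X2ex1MCoAB4AAEwTAAAAAAAB 192.0.2.10 40112 192.0.2.20 443
--a1b2c3d4-Z--
"""
```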