Error (Hit/Block) Logs in JSON Format #1151
Comments
Of course - one could use

Basic callback for reference:

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"

	"github.com/corazawaf/coraza/v3"
	"github.com/corazawaf/coraza/v3/types"
)

// createWAF builds a WAF whose error callback emits one JSON object per matched rule.
func createWAF() coraza.WAF {
	waf, err := coraza.NewWAF(
		coraza.NewWAFConfig().
			WithErrorCallback(logErrorJSON),
	)
	if err != nil {
		log.Fatal(err)
	}
	return waf
}

// errorLogJSON mirrors the fields of the bracketed error log line.
type errorLogJSON struct {
	File       string   `json:"file"`
	Line       int      `json:"line"`
	ID         int      `json:"rule_id"`
	Revision   string   `json:"rev"`
	Msg        string   `json:"msg"`
	Data       string   `json:"data"`
	SeverityID int      `json:"sev_id"`
	Severity   string   `json:"sev"`
	Version    string   `json:"ver"`
	Maturity   int      `json:"mat"`
	Accuracy   int      `json:"acc"`
	Client     string   `json:"client"`
	Disruptive bool     `json:"disruptive"`
	Tags       []string `json:"tags"`
	Server     string   `json:"server"`
	URI        string   `json:"uri"`
	UniqueID   string   `json:"unique_id"`
}

// logErrorJSON is the error callback: it serialises the matched rule and transaction data as JSON.
func logErrorJSON(mr types.MatchedRule) {
	r := mr.Rule()
	j, _ := json.Marshal(errorLogJSON{
		File:       r.File(),
		Line:       r.Line(),
		ID:         r.ID(),
		Revision:   r.Revision(),
		Msg:        mr.Message(),
		Data:       mr.Data(),
		Severity:   r.Severity().String(),
		SeverityID: r.Severity().Int(),
		Version:    r.Version(),
		Maturity:   r.Maturity(),
		Accuracy:   r.Accuracy(),
		Client:     mr.ClientIPAddress(),
		Server:     mr.ServerIPAddress(),
		Disruptive: mr.Disruptive(),
		Tags:       r.Tags(),
		URI:        mr.URI(),
		UniqueID:   mr.TransactionID(),
	})
	fmt.Println(string(j))
}
```

Results in:
BTW: Looks like the ocsf-auditlog does something similar - https://github.com/corazawaf/coraza/blob/main/internal/auditlog/formats_ocsf.go#L84

This is normally handled by using the SecAuditLogFormat directive.
Summary
I have not seen any option in the documentation to change the error/block log format.
JSON format would make sense for many use-cases. Also the audit-logs seem to already support it.
Basic example
It would be nice to get this as a JSON object:

```
[client \"::ffff:95.214.55.x\"] Coraza: Warning. Host header is a numeric IP address [file \"/etc/coraza-spoa/coreruleset/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"1772\"] [id \"920350\"] [rev \"\"] [msg \"Host header is a numeric IP address\"] [data \"159.69.187.x\"] [severity \"warning\"] [ver \"OWASP_CRS/4.0.0-rc2\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"] [tag \"PCI/6.5.10\"] [hostname \"::ffff:159.69.187.x\"] [uri \"/\"] [unique_id \"FMPGEMUVBOHBCEMH\"]
```
Motivation
JSON is much easier to parse than the stringified format.
Log systems like Graylog and Grafana Loki/Agent can parse JSON natively and performantly. That is very convenient, especially as such security logs are very important to process.
Users could compile coraza with an error callback, but that is only a workaround and not that easy/clean to implement when using a 'connector' like coraza-spoa.
From what I've read into the source - this is where the logs are written: https://github.com/corazawaf/coraza/blob/main/internal/corazarules/rule_match.go#L254
Related to: #856, corazawaf/coraza-caddy#20, corazawaf/coraza-spoa#91, #1150
I'm open to contribute.
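As an added example (not code from this issue or from Coraza itself), a small Go parser that turns a bracketed error line like the one above into the JSON object the issue asks for: repeated `[tag "..."]` pairs become a list, the free text after the client field becomes the action, and the regex also accepts the backslash-escaped quotes that appear when the line was copied out of an outer JSON logger. The sample line and its IP addresses are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ErrorLogEntry is the JSON shape derived from one bracketed error line.
type ErrorLogEntry struct {
	Client string            `json:"client"`
	Action string            `json:"action"` // free text, e.g. "Coraza: Warning. ..."
	Tags   []string          `json:"tags"`   // repeated [tag "..."] pairs
	Fields map[string]string `json:"fields"` // every other [key "value"] pair
}

// bracketRe matches one [key "value"] pair; the optional backslashes accept quotes escaped by an outer logger.
var bracketRe = regexp.MustCompile(`\[([A-Za-z_]+) \\?"([^"]*?)\\?"\]`)

// ParseErrorLog converts a bracketed Coraza error line into an ErrorLogEntry.
func ParseErrorLog(line string) (ErrorLogEntry, error) {
	entry := ErrorLogEntry{Fields: map[string]string{}}
	m := bracketRe.FindAllStringSubmatchIndex(line, -1)
	if len(m) < 2 || line[m[0][2]:m[0][3]] != "client" {
		return entry, errors.New("line does not start with a [client ...] field")
	}
	entry.Client = line[m[0][4]:m[0][5]]
	entry.Action = strings.TrimSpace(line[m[0][1]:m[1][0]]) // text between client and next bracket
	for _, idx := range m[1:] {
		key, val := line[idx[2]:idx[3]], line[idx[4]:idx[5]]
		if key == "tag" {
			entry.Tags = append(entry.Tags, val)
			continue
		}
		entry.Fields[key] = val
	}
	return entry, nil
}

// sampleLine is a constructed line shaped like the issue's example (IPs are placeholders).
const sampleLine = `[client "::ffff:192.0.2.10"] Coraza: Warning. Host header is a numeric IP address [file "/etc/coraza-spoa/coreruleset/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1772"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "198.51.100.7"] [severity "warning"] [ver "OWASP_CRS/4.0.0-rc2"] [tag "application-multi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [hostname "::ffff:198.51.100.7"] [uri "/"] [unique_id "FMPGEMUVBOHBCEMH"]`

func main() {
	entry, err := ParseErrorLog(sampleLine)
	if err != nil {
		panic(err)
	}
	out, _ := json.Marshal(entry) // one JSON object per line, as Loki/Graylog expect
	fmt.Println(string(out))
}
```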