Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

No error log if noauditlog is set #3180

Open
Rapsody09 opened this issue Jul 8, 2024 · 5 comments
Open

No error log if noauditlog is set #3180

Rapsody09 opened this issue Jul 8, 2024 · 5 comments
Labels
3.x Related to ModSecurity version 3.x bug It is a confirmed bug

Comments

@Rapsody09
Copy link

Describe the bug

The rule like this example below does not log anything at all in error log, I have to activate auditlog instead noauditlog to get log in error log (and also in audit log, but this is not what I want):

SecRule REQUEST_URI "@beginsWith /" "id:1000100,phase:1,log,noauditlog,pass,severity:INFO,logdata:'Test'"

Expected behavior

For every request beginning with / the rule above should log in error log only, and no audit log, but I get no log at all.
I have to active audit log to make the log appear in both error log and audit log, but I so not want any audit log for this rule.

Server (please complete the following information):

  • ModSecurity version (and connector): ModSecurity v3.0.12 with nginx-connector v1.0.3
  • WebServer: nginx/1.24.0
  • OS (and distro): Linux, Debian 11.9

Rule Set (please complete the following information):

  • CRS 3.3.5

Additional context

My log config is configured like this :

     #SecDebugLog /var/log/nginx/error.log
      SecDebugLogLevel 0

      SecAuditEngine RelevantOnly
      SecAuditLogRelevantStatus "^(?:5|4(?!04))"
      SecAuditLogFormat JSON

      SecAuditLogType Serial
      SecAuditLog /var/log/nginx/error.log
@Rapsody09 Rapsody09 added the 3.x Related to ModSecurity version 3.x label Jul 8, 2024
@Rapsody09 Rapsody09 changed the title No error log is noauditlog is set No error log if noauditlog is set Jul 8, 2024
@airween
Copy link
Member

airween commented Jul 8, 2024

Hi @Rapsody09,

could you show your Nginx's error_log setting?

Please note that you should pass a severity level to that. The minimum level is what you want to see in your error.log.

I suggest you to set up something like this:

    error_log /var/log/nginx/error.log info;

@Rapsody09
Copy link
Author

Rapsody09 commented Jul 8, 2024

Than @airween for your help,

Here is my nginx log setting :

          # logging
          access_log          /var/log/nginx/access.log custom;
          error_log           /var/log/nginx/error.log info;

I tried some things without success : for example increasing severity in the rule to EMERGENCY instead INFO
Better thing I found is to disable the auditEngine : log,ctl:auditEngine=off, but if I understand well il will disable audit log for all rules ? And that also not what I want ...

@airween
Copy link
Member

airween commented Jul 8, 2024

Hi @Rapsody09,

thanks - seems like it's a new bug that you've found.

Better thing I found is to disable the auditEngine : log,ctl:auditEngine=off, but if I understand well il will disable audit log for all rules ?

Yes, that turns off the auditlog engine for whole transaction.

And that also not what I want ...

What do you want to achieve? What's your aim?

@Rapsody09
Copy link
Author

I use this kind of log to trace specific actions on my web applications (For example specific usage of an API key, connection from a specific IP). I was using a lot like that with modsecurity 2.9 / apache without any issue, but I just migrated to 3.X / nginx recently and wanted to do the same :)

@airween
Copy link
Member

airween commented Oct 14, 2024

Hi @Rapsody09,

sorry for the late reply.

I think this is a known bug in libmodsecurity3 - meanwhile I faced this problem somewhere else, so we have to fix that.

Thanks for your report.

@airween airween added the bug It is a confirmed bug label Oct 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3.x Related to ModSecurity version 3.x bug It is a confirmed bug
Projects
None yet
Development

No branches or pull requests

2 participants