AuditLog parity with libmodsecurity3 #856
Comments
Hey @amsnek, actually, Coraza supports a format called JSONLEGACY that is compatible with ModSecurity (see coraza/internal/auditlog/legacy.go, line 9 in 4f30afe).
Just replace the JSON format in SecAuditLogFormat with JSONLEGACY:
SecAuditLogFormat JSONLEGACY
Hey @jptosso
Apparently JSONLEGACY is using the ModSecurity 2 format. We would need another JSON formatter for libmodsecurity.
ModSecurity 2 was only "partial JSON". libmodsecurity3 implemented full JSON support. A "full" JSON formatter for libmodsecurity would be most useful.
Up to work on this, @amsnek?
Hey @jcchavezs
Just to keep tracking the evolution of this issue: #968 implemented some missing information.
Summary
Coraza's current AuditLog format in JSON has empty values for important fields and is overall less detailed compared to libmodsecurity3. Since the stated goal is to be a "drop-in replacement" for ModSecurity, logging parity would be beneficial.
Basic example
Below are AuditLogs from coraza-spoa compared to libmodsecurity3 for the following HTTP request, intended to trigger the WAF.
curl -v http://127.0.0.100/?x\=/etc/passwd
AuditLog generated from coraza-spoa
There are details in the coraza-spoa default error log, but this is only partially JSON and not comparable to the audit log:
AuditLog from libmodsecurity3
Motivation
Detailed logs in JSON format make it easy to store and analyze the logs in tools like Elasticsearch or similar. This increases the visibility of attacks, aids with filtering of false positives and greatly improves overall usefulness.
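The complaint in the summary is that fields exist but are empty. A quick way to make that measurable, whichever JSON format (JSON, JSONLEGACY or a future libmodsecurity3-style one) the WAF emits, is to walk each audit-log entry and list every empty leaf. The following Go program is an added example written for this thread; it is not Coraza's own code, and the `sampleEntry` document is a constructed entry modelled loosely on the issue's curl request (`/?x=/etc/passwd`), not real coraza-spoa or libmodsecurity3 output. Field names such as `transaction.producer.version` are assumptions for the sake of the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// EmptyFields parses one JSON audit-log entry and returns the dotted paths of
// every value that carries no information: empty strings, nulls, empty arrays
// and empty objects. Paths are sorted so the result is stable for comparison
// between two WAFs or two log formats.
func EmptyFields(entry []byte) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal(entry, &doc); err != nil {
		return nil, fmt.Errorf("audit log entry is not valid JSON: %w", err)
	}
	var empty []string
	walk("", doc, &empty)
	sort.Strings(empty)
	return empty, nil
}

// walk descends into objects and arrays, appending the path of each empty leaf.
// Numbers and booleans are never reported: 0 and false are legitimate values.
func walk(path string, v interface{}, out *[]string) {
	switch t := v.(type) {
	case nil:
		*out = append(*out, path)
	case string:
		if t == "" {
			*out = append(*out, path)
		}
	case map[string]interface{}:
		if len(t) == 0 {
			*out = append(*out, path)
			return
		}
		for k, child := range t {
			walk(join(path, k), child, out)
		}
	case []interface{}:
		if len(t) == 0 {
			*out = append(*out, path)
			return
		}
		for i, child := range t {
			walk(fmt.Sprintf("%s[%d]", path, i), child, out)
		}
	}
}

// join builds a dotted path; the root has no prefix.
func join(path, key string) string {
	if path == "" {
		return key
	}
	return path + "." + key
}

// sampleEntry is a CONSTRUCTED audit-log entry shaped after the issue's example
// request. It is not real Coraza or libmodsecurity3 output, and the field names
// are assumptions. Several fields are deliberately left empty to show what the
// check reports.
const sampleEntry = `{
  "transaction": {
    "id": "",
    "timestamp": "2023-01-01T00:00:00Z",
    "client_ip": "127.0.0.1",
    "host_ip": "127.0.0.100",
    "host_port": 80,
    "request": {
      "method": "GET",
      "uri": "/?x=/etc/passwd",
      "http_version": "1.1",
      "headers": {}
    },
    "response": {
      "status": 403,
      "headers": null
    },
    "producer": {
      "connector": "coraza-spoa",
      "version": ""
    }
  },
  "messages": []
}`

func main() {
	empty, err := EmptyFields([]byte(sampleEntry))
	if err != nil {
		panic(err)
	}
	for _, p := range empty {
		fmt.Println("empty:", p)
	}
}
```

Run against the constructed entry it prints `messages`, `transaction.id`, `transaction.producer.version`, `transaction.request.headers` and `transaction.response.headers`. Feeding real Coraza and libmodsecurity3 entries for the same request through `EmptyFields` gives a concrete parity diff rather than a visual comparison of two log dumps.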