Unable to turn off writing to the server log even set to `nolog,noauditlog`
Describe the bug
I have set this to return status 418, but I do not want any logs inside nginx:
SecRule REQUEST_HEADERS "@contains vip_checking" "phase:2,id:70010,deny,nolog,noauditlog,status:418"
But it somehow shows an error log in nginx:
*441580 [client 10.42.0.1] ModSecurity: Access denied with code 418 (phase 2). Matched "Operator `Contains' with parameter `vip_checking' against variable
For myself, I just comment out the function body of ngx_http_modsecurity_log in ModSecurity-nginx to disable all ModSecurity-related nginx logging.
So, I make a feature request in https://github.com/SpiderLabs/ModSecurity-nginx/issues/274.
I am not intending to re-compile the whole module as I am using k8s ingress modsecurity.
I am just wondering whether there is any elegant way to do it. Else I gotta use Lua to handle the case.
Hello @Taymindis ,
Thanks for the report.
I expect that your use case is a little unusual. Typically, having ModSecurity deny a transaction would be considered sufficiently of interest that admins would want an entry in the web server's error.log.
In any case, this does seem like it has been a bug/anomaly in libmodsecurity since the beginning of ModSecurity v3.
I don't immediately have a good alternative or workaround. If I think of one, I will let you know.
I've just run into this issue. I'm using a deny rule as a health check and I don't want it logged every 2 seconds:
SecRule REQUEST_FILENAME "^/waf_health_check$" "id:101, phase:2, deny, nolog, noauditlog, ctl:auditEngine=off"
The load balancer is happy when it sees a 403 for this which is great because I know nginx & modsecurity are both working, but I don't want it logged.
Amusingly, I've also just tried setting status:418 and changing the RelevantLog regexp to exclude 404 & 418, but that would appear to be for the audit log only, which ctl:auditEngine=off has disabled. Not having a full audit of every health check is a good start, but it's still filling up my error_log.
Hi @klypnick ,
For your use case, one option you could consider is to change the error logging level (in your nginx config) only for that health check location. For example, something like:
location /waf_health_check {
    error_log /var/log/nginx/error.log crit;
}
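Since the connector still writes every denial to error_log regardless of nolog, here is an added example (not from this thread or the ModSecurity project) that separates the expected health-check and teapot denials from the rest when reviewing error_log offline. The sample lines are constructed to follow the format quoted above; the trailing [file]/[id] fields are assumed from libmodsecurity's usual rule-message layout, since the line quoted in the issue is truncated before them.

```python
import re
from collections import Counter

# Constructed sample error_log lines (not real traffic). Rule ids 70010 and 101
# are the ones from this thread; 920350 stands in for an ordinary CRS denial.
# The "[file ...] [id ...]" tail is assumed from libmodsecurity's rule-message layout.
SAMPLE_LOG = """\
2021/05/04 10:00:01 [error] 12#12: *441580 [client 10.42.0.1] ModSecurity: Access denied with code 418 (phase 2). Matched "Operator `Contains' with parameter `vip_checking' against variable `REQUEST_HEADERS:x-check' (Value: `vip_checking' ) [file "/etc/nginx/modsec/custom.conf"] [line "3"] [id "70010"] [msg ""] [hostname "10.42.0.5"] [uri "/"] [unique_id "1620115201"]
2021/05/04 10:00:03 [error] 12#12: *441581 [client 10.42.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `^/waf_health_check$' against variable `REQUEST_FILENAME' (Value: `/waf_health_check' ) [file "/etc/nginx/modsec/custom.conf"] [line "7"] [id "101"] [msg ""] [hostname "10.42.0.5"] [uri "/waf_health_check"] [unique_id "1620115203"]
2021/05/04 10:00:05 [error] 12#12: *441582 [client 10.42.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `^/waf_health_check$' against variable `REQUEST_FILENAME' (Value: `/waf_health_check' ) [file "/etc/nginx/modsec/custom.conf"] [line "7"] [id "101"] [msg ""] [hostname "10.42.0.5"] [uri "/waf_health_check"] [unique_id "1620115205"]
2021/05/04 10:00:06 [error] 12#12: *441583 [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `10.42.0.5' ) [file "/etc/nginx/modsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "500"] [id "920350"] [msg "Host header is a numeric IP address"] [hostname "10.42.0.5"] [uri "/"] [unique_id "1620115206"]
2021/05/04 10:00:07 [notice] 12#12: signal process started
"""

# One regex for the parts of a denial line that matter for triage:
# client address, HTTP status used for the deny, phase, and the rule id.
DENY_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Access denied with code '
    r'(?P<status>\d+) \(phase (?P<phase>\d)\)\..*?\[id "(?P<rule_id>\d+)"\]'
)


def parse_denials(log_text):
    """Yield one dict per ModSecurity denial line; non-matching lines are skipped."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield {
                "client": m.group("client"),
                "status": int(m.group("status")),
                "phase": int(m.group("phase")),
                "rule_id": m.group("rule_id"),
            }


def summarize(log_text, expected_rule_ids=frozenset()):
    """Count denials per rule id, splitting expected (noise) rules from the rest.

    expected_rule_ids holds ids whose denials are deliberate (health checks,
    teapot responses) and should not be read as attacks.
    """
    noise, real = Counter(), Counter()
    for d in parse_denials(log_text):
        bucket = noise if d["rule_id"] in expected_rule_ids else real
        bucket[d["rule_id"]] += 1
    return {"noise": dict(noise), "real": dict(real)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, {"101", "70010"}))
```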
Hi, I wrote an anti-DoS system, but as explained in this issue, it keeps spamming the error log.
I tried to figure out why it happens, but I failed. Reading the code I found that the callback is called by void RuleWithActions::performLogging in rule_with_actions.cc via trans->serverLog(ruleMessage);.
If you read the code, you will see in every condition something like this:
/* warn */
trans->m_rulesMessages.push_back(*ruleMessage);
/* error */
if (!ruleMessage->m_isDisruptive) {
    trans->serverLog(ruleMessage);
}
deny, drop, redirect are disruptive, so the callback should not happen.
m_rulesMessages seems to be used only for auditlogs (which work correctly).
Am I missing something? Are there other functions using the callback?
I can't replicate the problem creating a callback in the examples/simple_example_using_c/test.c though, so I am very confused.
Nvm
msc_intervention(transaction, &intervention);
printf("Intervention: %s\n", intervention.log);
The ModSecurityIntervention's log is filled, so it's not a ModSecurity bug but a ModSecurity-nginx bug, because there is:
log = intervention.log;
if (intervention.log == NULL) {
    log = "(no log message was specified)";
}
ngx_log_error(NGX_LOG_ERR, (ngx_log_t *)r->connection->log, 0, "%s", log);
I'll report it on the other issue page.