Closed carlos-herrer closed 1 month ago
Are these logs from Coraza? If so, why are all logs generated in /var/log/syslog and not in the route I specified?
Feb 6 19:47:04 lab caddy[585]: {"level":"error","ts":1675730824.3300385,"logger":"http.handlers.waf","msg":"[client \"192.168.152.1\"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file \"/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"0\"] [id \"942100\"] [rev \"\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: n&1 found within ARGS:name: carlos or 1=1\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/248/66\"] [tag \"PCI/6.5.2\"] [hostname \"\"] [uri \"/?name=carlos%20or%201=1\"] [unique_id \"hEliunlRvPlEKAvH\"]\n[client \"192.168.152.1\"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file \"/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"0\"] [id \"942100\"] [rev \"\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: n&1 found within ARGS:name: carlos or 1=1\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/248/66\"] [tag \"PCI/6.5.2\"] [hostname \"\"] [uri \"/?name=carlos%20or%201=1\"] [unique_id \"hEliunlRvPlEKAvH\"]\n[client \"192.168.152.1\"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file \"/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"0\"] [id \"942100\"] [rev \"\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: n&1 found within ARGS:name: carlos or 1=1\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/248/66\"] [tag \"PCI/6.5.2\"] [hostname \"\"] [uri \"/?name=carlos%20or%201=1\"] [unique_id \"hEliunlRvPlEKAvH\"]\n[client \"192.168.152.1\"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file \"/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"0\"] [id \"942100\"] [rev \"\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: n&1 found within ARGS:name: carlos or 1=1\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/248/66\"] [tag \"PCI/6.5.2\"] [hostname \"\"] [uri \"/?name=carlos%20or%201=1\"] [unique_id \"hEliunlRvPlEKAvH\"]\n"}
Feb 6 19:47:04 lab caddy[585]: {"level":"error","ts":1675730824.3382945,"logger":"http.handlers.waf","msg":"[client \"192.168.152.1\"] Coraza: Warning. Inbound Anomaly Score Exceeded (Total Score: 20) [file \"/usr/share/caddy/waf/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"0\"] [id \"949110\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 20)\"] [data \"\"] [severity \"emergency\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"anomaly-evaluation\"] [hostname \"\"] [uri \"/?name=carlos%20or%201=1\"] [unique_id \"hEliunlRvPlEKAvH\"]\n"}
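While the records above only land in syslog, they can still be triaged from there: the Caddy JSON record carries the Coraza match as bracketed `[key "value"]` fields inside `msg`, with several matches joined by `\n`. The following Go program is an added example, not part of coraza-caddy, that extracts the rule id, severity, URI and unique_id from such a record; it assumes the syslog prefix (`Feb 6 19:47:04 lab caddy[585]: `) has already been stripped, and the sample record is constructed in the shape of the ones posted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// CorazaEvent holds the fields a triage pipeline usually wants from one
// "[client ...] Coraza: ..." message embedded in a Caddy JSON log record.
type CorazaEvent struct {
	Client, RuleID, Msg, Severity, URI, UniqueID string
}

// Matches one bracketed field such as [id "942100"] or [client "192.168.152.1"].
var fieldRe = regexp.MustCompile(`\[(\w+) "([^"]*)"\]`)

// ParseCaddyWAFLine decodes one Caddy JSON record (syslog prefix already
// removed) and returns every Coraza event found in its "msg" field.
// Coraza joins several matches with "\n" inside a single record, so one
// syslog line can yield several events. Non-WAF records yield none.
func ParseCaddyWAFLine(line string) ([]CorazaEvent, error) {
	var rec struct {
		Logger string `json:"logger"`
		Msg    string `json:"msg"`
	}
	if err := json.Unmarshal([]byte(line), &rec); err != nil {
		return nil, err
	}
	if rec.Logger != "http.handlers.waf" {
		return nil, nil
	}
	var events []CorazaEvent
	for _, part := range strings.Split(rec.Msg, "\n") {
		if !strings.Contains(part, "Coraza:") {
			continue
		}
		f := map[string]string{} // repeated keys such as [tag ...] keep the last value
		for _, m := range fieldRe.FindAllStringSubmatch(part, -1) {
			f[m[1]] = m[2]
		}
		events = append(events, CorazaEvent{Client: f["client"], RuleID: f["id"], Msg: f["msg"],
			Severity: f["severity"], URI: f["uri"], UniqueID: f["unique_id"]})
	}
	return events, nil
}

// Constructed sample record, shaped like the ones in this issue (two matches in one record).
const sampleLine = `{"level":"error","ts":1675730824.3300385,"logger":"http.handlers.waf","msg":"[client \"192.168.152.1\"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file \"/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"0\"] [id \"942100\"] [rev \"\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: n&1 found within ARGS:name: carlos or 1=1\"] [severity \"critical\"] [tag \"attack-sqli\"] [hostname \"\"] [uri \"/?name=carlos%20or%201=1\"] [unique_id \"hEliunlRvPlEKAvH\"]\n[client \"192.168.152.1\"] Coraza: Warning. Inbound Anomaly Score Exceeded (Total Score: 20) [file \"/usr/share/caddy/waf/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"0\"] [id \"949110\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 20)\"] [data \"\"] [severity \"emergency\"] [tag \"anomaly-evaluation\"] [hostname \"\"] [uri \"/?name=carlos%20or%201=1\"] [unique_id \"hEliunlRvPlEKAvH\"]\n"}`

func main() {
	events, err := ParseCaddyWAFLine(sampleLine)
	if err != nil {
		panic(err)
	}
	for _, e := range events {
		fmt.Printf("client=%s rule=%s severity=%s uri=%s unique_id=%s\n", e.Client, e.RuleID, e.Severity, e.URI, e.UniqueID)
	}
}
```

Fed the real syslog stream (after cutting the prefix), the same function groups both records of one request by their shared unique_id.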
@jptosso @jcchavezs Any inputs here?
@jcchavezs @jptosso ping.
@jcchavezs @jptosso ping 2.
We completely rewrote the connector. Do you mind testing again with the latest commit? At least the debug logging should be working fine. Audit logging we will tackle soon.
Hello @jcchavezs, when I try to update caddy it takes v1.2.2. Is this the final version of coraza-caddy? Won't it be 1.2.3? With "SecAuditLogDir /var/log/audit_coraza.log" I get: provision http.handlers.waf: invalid WAF config: open /var/log/audit_coraza.log: permission denied
same error.
The version with the rewritten connector is not yet tagged; you should be able to try it by pointing directly to the commit (34daaf87f9ddaca2833461de59ebada21c902598).
Hello @M4tteoP, if I use xcaddy with build 34daaf87f9ddaca2833461de59ebada21c902598 I get an invalid version error:
go: github.com/caddyserver/caddy/v2@34daaf87f9ddaca2833461de59ebada21c902598: invalid version: unknown revision 34daaf87f9ddaca2833461de59ebada21c902598
I used xcaddy build 34daaf87f9ddaca2833461de59ebada21c902598 --with github.com/corazawaf/coraza-caddy
I think the right syntax is xcaddy build --with @.***
The right syntax should be this one: xcaddy build --with github.com/corazawaf/coraza-caddy@34daaf87f9ddaca2833461de59ebada21c902598
In your attempt, you are trying to use the commit as if it were a caddy commit, not a coraza-caddy one.
Edit: oops, JC was faster :3
Hello @M4tteoP @jcchavezs
You are right, I can compile using xcaddy build --with github....coraza-caddy@build_hash
But now the error changed and I get an error with the CRS loaded: ["/usr/share/caddy/waf/coreruleset/rules/REQUEST-901-INITIALIZATION.conf","/usr/share/caddy/waf/coreruleset/rules/]
Unfortunately this is an issue with the file system, as it does not like absolute paths. I tried different approaches and ended up creating my own library for merging filesystems because the existing ones had some opinions.
This is the same issue as in https://github.com/jcchavezs/coraza-httpbin/pull/4#issuecomment-1494683884, which I will fix as soon as I finish testing the new merge library.
@jcchavezs I would remove your coreruleset library from coraza-caddy until it is fixed. It's not such an important feature for the connector, and it's not even documented.
Yeah, I will remove that. And reassess the OS filesystem.
On the other hand, the coreruleset library eases testing in this repo, which we really need to avoid poor coverage. I'd rather make that work so as not to have to download CRS for ftw.
The coreruleset library isn't the problem. Loading the filesystem is, and that is what I am fixing.
@carlos-herrer please do try this branch https://github.com/corazawaf/coraza-caddy/pull/52
Hello @jcchavezs, I got the same error: Permission denied.
With "SecDebugLog /var/log/coraza/coraza.log" and "SexDebugLogLevel 6" I get invalid syntax, and if I use the audit log "SecAuditLogDir /var/log/audit/audit_coraza.log" it generates a permission error.
Hey there, any updates on this? Still can't get logs working for coraza.
Still having the same problem. I built caddy with xcaddy build --with github.com/corazawaf/coraza-caddy/v2@latest . All logs just show on the console. I can't find them in any log file.
I will look into this again.
I changed the example to show logs: https://github.com/corazawaf/coraza-caddy/pull/173. Unfortunately I did not face any issue with logs.
Hi, I am using coraza with caddy and, trying to find the audit logs, noticed that it does not write the audit log records, and when I change the SecAuditLog config I get an error:
If I use the route /var/log/audit/coraza_audit.log I get Permission denied, and if I use another route, in my case /var/log/caddy/coraza_audit.log, I get file not found (if I create the log file, it goes back to permission denied).
All logs that I receive come from the caddy log and not from coraza.
I tried setting the config "SecDebugLog /var/log/coraza/coraza.log" with "SexDebugLogLevel 6" but it does not generate any file, and if I use the audit log "SecAuditLogDir /var/log/audit/audit_coraza.log" it generates a permission error even with permission 777; only when using the /tmp/ folder do I not get an error, but it does not generate any file or log.
Does anyone know how to fix the permission denied?