corazawaf / coraza-proxy-wasm

proxy-wasm filter based on Coraza WAF
Apache License 2.0

Audit logs in JSON format #255

Open sfc-gh-msathe opened 9 months ago

sfc-gh-msathe commented 9 months ago

The modsecurity documentation says I should be able to get audit logs in JSON format with SecAuditLogFormat json.

Is this supposed to work with proxy-wasm? I still get logs in the native format when this option is set. Also, how do I get the logs to print the request headers and bodies? I have SecAuditLogParts ABIJDEFHZ but it seems to emit very limited logs like the following:

[2024-02-16 03:59:46.363][29][warning][wasm] [source/extensions/common/wasm/context.cc:1151] wasm log coraza-waf-filter coraza-waf coraza-filter-vm-id: [client "127.0.0.1"] Coraza: Warning. Host header is a numeric IP address [file "@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "2203"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "127.0.0.1:5102"] [severity "warning"] [ver "OWASP_CRS/4.0.0-rc2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "127.0.0.1"] [uri "/hello"] [unique_id "aRgeEOhlzYsdFohxxpc"]

Just checking if there's anything super obvious I am missing. If it's supposed to work, I can dig deeper.
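Until JSON audit logging is available in the wasm build, the native-format line quoted above can be converted to JSON on the log-consuming side. This is an added example, not code from the issue or from coraza-proxy-wasm; the sample line is the one posted (Envoy prefix stripped), and the regex, `Event` type and function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed sample: the native-format line quoted in the issue, without the Envoy "[wasm log ...]" prefix.
const sampleLine = `[client "127.0.0.1"] Coraza: Warning. Host header is a numeric IP address [file "@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "2203"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "127.0.0.1:5102"] [severity "warning"] [ver "OWASP_CRS/4.0.0-rc2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "127.0.0.1"] [uri "/hello"] [unique_id "aRgeEOhlzYsdFohxxpc"]`

// fieldRe matches one [key "value"] pair; the value may be empty, as in [rev ""].
var fieldRe = regexp.MustCompile(`\[([a-z_]+) "([^"]*)"\]`)

// Event is the structured form of one native-format rule-match line (assumed shape).
type Event struct {
	Fields map[string]string `json:"fields"`
	Tags   []string          `json:"tags"`
}

// ParseNativeLine extracts every bracketed field. The "tag" key repeats, so
// its values are collected into Tags instead of overwriting each other.
func ParseNativeLine(line string) Event {
	ev := Event{Fields: map[string]string{}}
	for _, m := range fieldRe.FindAllStringSubmatch(line, -1) {
		key, val := m[1], m[2]
		if key == "tag" {
			ev.Tags = append(ev.Tags, val)
			continue
		}
		ev.Fields[key] = val
	}
	return ev
}

// ToJSON renders one native line as a single JSON document for a log pipeline.
func ToJSON(line string) (string, error) {
	b, err := json.Marshal(ParseNativeLine(line))
	return string(b), err
}

func main() {
	out, err := ToJSON(sampleLine)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```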

anuraaga commented 9 months ago

Initially we had issues with JSON and I think disabled JSON audit logging here, but TinyGo and our own JSON infrastructure have improved a lot, so we can probably look into enabling it.

Though either way, with the native formatter and that configuration, I think full logs are supposed to be printed, so we should double-check what could be going wrong.

anuraaga commented 9 months ago

Oh yeah, now I remember: currently audit logs are disabled

https://github.com/corazawaf/coraza/blob/main/internal/auditlog/init_tinygo.go

I think we were hoping for https://github.com/proxy-wasm/spec/pull/38 to land someday, but I guess it won't. In the meantime, we should probably implement audit logging anyway, printing to the normal Envoy logs as a start.