corazawaf / coraza

OWASP Coraza WAF is a golang modsecurity compatible web application firewall library
https://www.coraza.io
Apache License 2.0
2.15k stars, 211 forks

SecAuditLogFormat JSON seems to be ignored #1150

Open superstes opened 2 hours ago

superstes commented 2 hours ago

Summary

The documentation shows an option that allows us to format the audit logs as JSON: https://coraza.io/docs/seclang/directives/#secauditlogformat

But when it is put into coraza.conf and the service is restarted, nothing changes. The logs are still formatted the same.

Basic example

I am using corazawaf/coraza-spoa with HAProxy.

Logs look like this: {"level":"warn","time":"2024-09-20T23:18:55+02:00","message":"[client \"::ffff:95.214.55.x\"] Coraza: Warning. Host header is a numeric IP address [file \"/etc/coraza-spoa/coreruleset/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"1772\"] [id \"920350\"] [rev \"\"] [msg \"Host header is a numeric IP address\"] [data \"159.69.187.x\"] [severity \"warning\"] [ver \"OWASP_CRS/4.0.0-rc2\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"] [tag \"PCI/6.5.10\"] [hostname \"::ffff:159.69.187.x\"] [uri \"/\"] [unique_id \"FMPGEMUVBOHBCEMH\"]"}

This way the coraza-spoa 'wrapper' uses JSON format, but the core log is still a string :(

I would expect all the fields inside message to be separate JSON key-value pairs.

Used versions:

Log callback: https://github.com/corazawaf/coraza-spoa/blob/rewrite/internal%2Fapplication.go#L330

Motivation

JSON is much easier to parse than the legacy ModSecurity format. Log systems like Graylog can parse JSON natively. That is very convenient, especially as such security logs are very important to process.

From what I've read of the source, this is where the logs are written: https://github.com/corazawaf/coraza/blob/main/internal/corazarules/rule_match.go#L238

I've found a proxy-wasm issue/PR that referenced it: https://github.com/corazawaf/coraza-proxy-wasm/issues/255, https://github.com/corazawaf/coraza-proxy-wasm/pull/263

Also related to this coraza-caddy issue: https://github.com/corazawaf/coraza-caddy/issues/20

Maybe it's just a user-error. Please correct me if I got something wrong.
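The structured output the issue asks for can be produced today on the ingest side, as an added example that is not part of the issue or of Coraza's or coraza-spoa's code: a small Go program that takes the coraza-spoa line quoted above (reused here as constructed sample input, with the same masked IPs), unwraps the outer JSON, and splits the legacy ModSecurity-style message into free text, one field per `[key "value"]` block, and a list of the repeated `tag` blocks. It assumes, as the quoted line shows, that values in that format carry no unescaped double quotes; the `Entry` shape and the function names are this example's own, not Coraza's API. A bare message without the JSON wrapper (as another connector might log it) is handled as well.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// SampleLine is the coraza-spoa log line quoted in the issue (IP octets already masked
// with "x" there). The JSON wrapper comes from coraza-spoa; the message inside it is the
// legacy ModSecurity-style string emitted by Coraza.
const SampleLine = `{"level":"warn","time":"2024-09-20T23:18:55+02:00","message":"[client \"::ffff:95.214.55.x\"] Coraza: Warning. Host header is a numeric IP address [file \"/etc/coraza-spoa/coreruleset/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"1772\"] [id \"920350\"] [rev \"\"] [msg \"Host header is a numeric IP address\"] [data \"159.69.187.x\"] [severity \"warning\"] [ver \"OWASP_CRS/4.0.0-rc2\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"] [tag \"PCI/6.5.10\"] [hostname \"::ffff:159.69.187.x\"] [uri \"/\"] [unique_id \"FMPGEMUVBOHBCEMH\"]"}`

// Entry is the flattened shape a log pipeline can index directly (this example's own type):
// every `[key "value"]` block becomes a field, repeated `tag` blocks become a list.
type Entry struct {
	Level  string            `json:"level,omitempty"`
	Time   string            `json:"time,omitempty"`
	Text   string            `json:"text"`
	Fields map[string]string `json:"fields"`
	Tags   []string          `json:"tags,omitempty"`
}

// blockRE matches one `[key "value"]` block. Assumption: values carry no unescaped
// double quotes, so `[^"]*` is sufficient; `[rev ""]` yields an empty value.
var blockRE = regexp.MustCompile(`\[([A-Za-z_]+) "([^"]*)"\]`)

// ParseModSecMessage splits a ModSecurity-style message into the free text outside
// any bracket block, a map of the key/value blocks, and the list of tags.
func ParseModSecMessage(msg string) (text string, fields map[string]string, tags []string) {
	fields = make(map[string]string)
	var free strings.Builder
	last := 0
	for _, loc := range blockRE.FindAllStringSubmatchIndex(msg, -1) {
		free.WriteString(msg[last:loc[0]]) // text between the previous block and this one
		last = loc[1]
		key, val := msg[loc[2]:loc[3]], msg[loc[4]:loc[5]]
		if key == "tag" {
			tags = append(tags, val)
			continue
		}
		fields[key] = val
	}
	free.WriteString(msg[last:])
	return strings.TrimSpace(free.String()), fields, tags
}

// Restructure accepts either the JSON-wrapped line coraza-spoa writes or a bare
// ModSecurity-style string and returns the flattened Entry.
func Restructure(line string) (Entry, error) {
	var e Entry
	msg := line
	if strings.HasPrefix(strings.TrimSpace(line), "{") {
		var outer struct {
			Level   string `json:"level"`
			Time    string `json:"time"`
			Message string `json:"message"`
		}
		if err := json.Unmarshal([]byte(line), &outer); err != nil {
			return e, fmt.Errorf("outer JSON: %w", err)
		}
		e.Level, e.Time, msg = outer.Level, outer.Time, outer.Message
	}
	e.Text, e.Fields, e.Tags = ParseModSecMessage(msg)
	return e, nil
}

func main() {
	e, err := Restructure(SampleLine)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(e, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints the sample line as one JSON object with `fields.id`, `fields.client`, `fields.unique_id` and so on as separate keys and the eight CRS tags as an array, which is what a pipeline such as Graylog can index without a custom extractor; the free text ("Coraza: Warning. Host header is a numeric IP address") is kept separately because it is not in `[key "value"]` form.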

superstes commented 2 hours ago

BTW: I'm open to contribute to the project.