Open superstes opened 2 hours ago

Summary

The documentation shows an option that allows us to format the Audit-Logs in JSON: https://coraza.io/docs/seclang/directives/#secauditlogformat
But when put into coraza.conf and restarting the service - nothing changes. The logs are still formatted the same.

Basic example

I am using corazawaf/coraza-spoa with HAProxy.
Logs look like this:
{"level":"warn","time":"2024-09-20T23:18:55+02:00","message":"[client \"::ffff:95.214.55.x\"] Coraza: Warning. Host header is a numeric IP address [file \"/etc/coraza-spoa/coreruleset/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"1772\"] [id \"920350\"] [rev \"\"] [msg \"Host header is a numeric IP address\"] [data \"159.69.187.x\"] [severity \"warning\"] [ver \"OWASP_CRS/4.0.0-rc2\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"] [tag \"PCI/6.5.10\"] [hostname \"::ffff:159.69.187.x\"] [uri \"/\"] [unique_id \"FMPGEMUVBOHBCEMH\"]"}
This way the coraza-spoa 'wrapper' uses JSON format, but the core log is still a string :(
I would expect all the fields inside message to be separate JSON key-value pairs.

Used versions:
Log callback: https://github.com/corazawaf/coraza-spoa/blob/rewrite/internal%2Fapplication.go#L330

Motivation

JSON is much easier to parse than the legacy ModSecurity format. Log systems like Graylog can parse JSON natively. That is very convenient - especially as such security logs are very important to process.
From what I've read in the source - this is where the logs are written: https://github.com/corazawaf/coraza/blob/main/internal/corazarules/rule_match.go#L238
I've found a proxy-wasm issue/PR that referenced it: https://github.com/corazawaf/coraza-proxy-wasm/issues/255, https://github.com/corazawaf/coraza-proxy-wasm/pull/263
Also related to this coraza-caddy issue: https://github.com/corazawaf/coraza-caddy/issues/20
Maybe it's just a user error. Please correct me if I got something wrong.
BTW: I'm open to contributing to the project.
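As an added illustration of what the issue asks for (this is example code written here, not code from Coraza or coraza-spoa, and it does not change what Coraza emits): a small Go parser that takes the legacy `[key "value"]` message string shown in the log line above and breaks it into the separate JSON fields a log system like Graylog could index directly. The sample line is the one from the issue, embedded as a constant; the type and function names (`RuleEvent`, `ParseRuleMessage`, `Restructure`) are my own, and the parser assumes the message layout seen in that sample: a leading `[client "..."]`, free text, then bracketed fields with `tag` repeated.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the full coraza-spoa log line quoted in the issue.
const sampleLine = `{"level":"warn","time":"2024-09-20T23:18:55+02:00","message":"[client \"::ffff:95.214.55.x\"] Coraza: Warning. Host header is a numeric IP address [file \"/etc/coraza-spoa/coreruleset/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"1772\"] [id \"920350\"] [rev \"\"] [msg \"Host header is a numeric IP address\"] [data \"159.69.187.x\"] [severity \"warning\"] [ver \"OWASP_CRS/4.0.0-rc2\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"] [tag \"PCI/6.5.10\"] [hostname \"::ffff:159.69.187.x\"] [uri \"/\"] [unique_id \"FMPGEMUVBOHBCEMH\"]"}`

// Constructed sample: the inner "message" string alone, with the JSON escaping removed.
const sampleMessage = `[client "::ffff:95.214.55.x"] Coraza: Warning. Host header is a numeric IP address [file "/etc/coraza-spoa/coreruleset/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1772"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "159.69.187.x"] [severity "warning"] [ver "OWASP_CRS/4.0.0-rc2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "::ffff:159.69.187.x"] [uri "/"] [unique_id "FMPGEMUVBOHBCEMH"]`

// fieldRE matches one bracketed pair such as [id "920350"]; the value may
// contain ']' and backslash-escaped quotes, so it is matched as a quoted string.
var fieldRE = regexp.MustCompile(`\[(\w+) "((?:[^"\\]|\\.)*)"\]`)

// RuleEvent is the structured form of one legacy-format rule message (hypothetical type).
type RuleEvent struct {
	Client string            `json:"client"` // value of the leading [client "..."]
	Text   string            `json:"text"`   // free text before the first field
	Fields map[string]string `json:"fields"` // single-valued fields: file, line, id, msg, ...
	Tags   []string          `json:"tags"`   // every repeated [tag "..."] entry, in order
}

// ParseRuleMessage splits a ModSecurity-style message into separate key/value pairs.
func ParseRuleMessage(msg string) RuleEvent {
	ev := RuleEvent{Fields: map[string]string{}}
	locs := fieldRE.FindAllStringSubmatchIndex(msg, -1)
	textStart, next := 0, 0
	// A leading [client "..."] is addressing information, not a rule field.
	if len(locs) > 0 && locs[0][0] == 0 && msg[locs[0][2]:locs[0][3]] == "client" {
		ev.Client = msg[locs[0][4]:locs[0][5]]
		textStart, next = locs[0][1], 1
	}
	textEnd := len(msg)
	if next < len(locs) {
		textEnd = locs[next][0]
	}
	ev.Text = strings.TrimSpace(msg[textStart:textEnd])
	for _, loc := range locs[next:] {
		key, val := msg[loc[2]:loc[3]], msg[loc[4]:loc[5]]
		if key == "tag" {
			ev.Tags = append(ev.Tags, val) // tags repeat, so keep them as a list
		} else {
			ev.Fields[key] = val
		}
	}
	return ev
}

// Restructure decodes one coraza-spoa JSON log line, replaces the opaque
// "message" string with the parsed event, and re-encodes the line.
func Restructure(line string) (string, error) {
	var envelope map[string]any
	if err := json.Unmarshal([]byte(line), &envelope); err != nil {
		return "", err
	}
	msg, ok := envelope["message"].(string)
	if !ok {
		return "", fmt.Errorf("log line has no string \"message\" field")
	}
	envelope["event"] = ParseRuleMessage(msg)
	delete(envelope, "message")
	out, err := json.Marshal(envelope)
	return string(out), err
}

func main() {
	out, err := Restructure(sampleLine)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(out)
}
```

The output keeps the outer zerolog-style envelope (`level`, `time`) and adds an `event` object whose `fields` map carries `id`, `msg`, `severity`, `uri` and the rest as individual keys, with the eight `tag` entries collected into a list. That is the shape a log pipeline can filter on (for example, by rule `id` or `severity`) without regex post-processing.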