coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

modsec_audit.log is not populated #198

Closed: udi-aharon closed 3 months ago

udi-aharon commented 5 months ago

ModSecurity audit log is written only to stdout, even when MODSEC_AUDIT_LOG is set. The problem seems to be a permission issue in which the nginx user can't write to the native "/var/log/" directory. Workaround: set MODSEC_AUDIT_LOG to "/tmp/modsec_audit.log".

Logs are written only to stdout:

docker run -dti -p 80:80 --rm -e MODSEC_AUDIT_ENGINE=on -e MODSEC_AUDIT_LOG=/var/log/modsec_audit.log -d owasp/modsecurity-crs:3.3.5-nginx-202402070602

Workaround:

docker run -dti -p 80:80 --rm -e MODSEC_AUDIT_ENGINE=on -e MODSEC_AUDIT_LOG=/tmp/modsec_audit.log -d owasp/modsecurity-crs:3.3.5-nginx-202402070602

theseion commented 5 months ago

Thanks @udi-aharon. That issue is probably due to us now using the unprivileged nginx image.

theseion commented 5 months ago

I checked. What you're seeing is the expected behaviour for the unprivileged image. That being said, IMO you should not log to the container filesystem anyway but to a mount point. That should also take care of the permissions:

touch /tmp/host-fs-auditlog.log
docker run -dti -p 80:80 --rm -e MODSEC_AUDIT_ENGINE=on -e MODSEC_AUDIT_LOG=/var/log/modsec_audit.log -d -v /tmp/host-fs-auditlog.log:/var/log/modsec_audit.log owasp/modsecurity-crs:3.3.5-nginx-202402070602

fzipi commented 5 months ago

Shall we add this to the documentation?

theseion commented 5 months ago

Not a bad idea.

udi-aharon commented 3 months ago

> I checked. What you're seeing is the expected behaviour for the unprivileged image. That being said, IMO you should not log to the container filesystem anyway but to a mount point. That should also take care of the permissions:
>
> touch /tmp/host-fs-auditlog.log
> docker run -dti -p 80:80 --rm -e MODSEC_AUDIT_ENGINE=on -e MODSEC_AUDIT_LOG=/var/log/modsec_audit.log -d -v /tmp/host-fs-auditlog.log:/var/log/modsec_audit.log owasp/modsecurity-crs:3.3.5-nginx-202402070602

This works. Thank you!

theseion commented 3 months ago

PR to document volume mounts for logs: https://github.com/coreruleset/modsecurity-crs-docker/pull/225
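
A pre-flight check for the bind-mount approach discussed in this thread, added here as an example (it is not part of the issue or of the project's code). It assumes a Linux host with GNU `stat` and that the unprivileged container runs as UID 101; the function name `check_audit_log_mount` is hypothetical.

```shell
#!/bin/sh
# Check a host file before bind-mounting it as the ModSecurity audit log.
# Assumptions (not from the issue): container UID defaults to 101, GNU stat
# is available, and group membership and ACLs are ignored.

# Prints one of: ok, missing, directory, not-regular, not-writable.
# Returns 0 only for "ok".
check_audit_log_mount() {
    path=$1
    uid=${2:-101}

    if [ -d "$path" ]; then
        # A directory mounted over the log path cannot be opened as a file.
        echo "directory"; return 1
    fi
    if [ ! -e "$path" ]; then
        # With -v, docker creates a missing source as a root-owned directory,
        # which is why the thread runs "touch" first.
        echo "missing"; return 1
    fi
    if [ ! -f "$path" ]; then
        echo "not-regular"; return 1
    fi

    owner=$(stat -c '%u' "$path") || return 2
    mode=$(stat -c '%a' "$path") || return 2   # octal digits, e.g. 644

    # Pick the permission digit that applies to the container UID.
    if [ "$owner" = "$uid" ]; then
        bits=$(( (mode / 100) % 10 ))
    else
        bits=$(( mode % 10 ))
    fi

    # Bit value 2 is the write permission.
    if [ $(( bits & 2 )) -eq 0 ]; then
        echo "not-writable"; return 1
    fi
    echo "ok"
}

# Stand-alone use: ./check.sh /tmp/host-fs-auditlog.log [uid]
if [ $# -gt 0 ]; then
    check_audit_log_mount "$@"
fi
```

A `not-writable` result for the container UID reproduces the symptom reported in this issue: the audit log file stays empty.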