owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

Blocked Requests not logged in Debug mode Level 1 #179

Open jeremyjpj0916 opened 4 years ago

jeremyjpj0916 commented 4 years ago

As per documentation, these are the valid values for debug levels (0 to 9, excluding 6-8): https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch04-logging.html

| Debug log level | Description |
|---|---|
| 0 | No logging |
| 1 | Errors (e.g., fatal processing errors, blocked transactions) |
| 2 | Warnings (e.g., nonblocking rule matches) |
| 3 | Notices (e.g., nonfatal processing errors) |
| 4 | Handling of transactions and performance |
| 5 | Detailed syntax of the rules |
| 6–8 | Not used |
| 9 | Detailed information about transactions (e.g., variable expansion and setting of variables) |

Working confirmed numbers (does output logs): 0, 9, 5, 4

Not Working numbers: 1

Unsure best way to cause these so skipped them for now: 2,3

Audit log logic helps supplement the 1 use case generally (will also be raising a separate issue on that), but I still think it would be right and proper for level 1 to log errors in debug if documentation presents it like that (and maybe for audit vs debug log cross comparison for extra analysis).

Log level 4 supposedly helps with getting performance numbers too, but in reviewing logs I see no logging to indicate performance of evaluated rules. Might it be that NGINX integration is not as feature complete as integrations with other webservers in v3?

Version: Master branch right now of the ngx connector + libmodsec 3.0.4

zimmerle commented 4 years ago

Hi @jeremyjpj0916,

What are you trying to achieve? I am not familiar with the references that you have quoted.

jeremyjpj0916 commented 4 years ago

Howdy @zimmerle, hope your day is going well. Trying to achieve this:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secdebugloglevel

On log level 1:

The possible values for the debug log level are:

0: no logging
1: errors (intercepted requests) only
2: warnings
3: notices
4: details of how transactions are handled
5: as above, but including information about each piece of information handled
9: log everything, including very detailed debugging information

Currently intercepted requests do not get logged into the https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secdebuglog file at debug log level 1.

github-actions[bot] commented 4 years ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days

jeremyjpj0916 commented 4 years ago

still a thing

victorhora commented 4 years ago

The "nostale" tag has been set for this one and it's now reopened. We'll get to it when possible. Thank you.

zimmerle commented 4 years ago

Hi @jeremyjpj0916,

This reference manual is specific to version 2.x; some of that information is no longer valid for v3.0. Is the information that you are looking for in any other LogLevel?

github-actions[bot] commented 4 years ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days