owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0
1.56k stars 281 forks

audit log not created with modsecurity-nginx 1.0.2 #253

Closed cello86 closed 2 years ago

cello86 commented 3 years ago

Hi All, we tried to use the new version of the modsecurity nginx connector to test the audit log fix applied during the last year. Actually, we have this configuration applied to skip the internal redirect issue:

    location ^~ /error {
        # Evaluate the internal redirect to the custom error page in detection-only mode
        modsecurity_rules 'SecRule REQUEST_URI "@beginsWith /" "id:1,pass,phase:2,log,ctl:ruleEngine=DetectionOnly"';
        alias "/usr/local/nginx/error";
        # Substitute the request id into the JSON error body on every occurrence
        sub_filter_types application/json;
        sub_filter_once off;
        sub_filter 'request_id' '$request_id';
    }

We tried to test the configuration without success: the mod_security audit log was empty, but we could see the triggered rule in the nginx error log.

Do we have to change the configuration?

Thanks, Marcello

alexandrefilgueira commented 2 years ago

Not sure if I have the same issue, but using 1.0.2, which, as you pointed out, should include this fix (which should include audit logs for disruptive actions), I still get empty messages for the rules applied in the audit logs (requests are blocked as expected). When DetectionOnly is enabled, I get the proper rules applied in the messages field of the audit logs.

ghost commented 2 years ago

For me, the issue was due to permissions. Have you verified permissions? For example, the logs for me are written out as the nginx user, but only the group is nginx, so g+w is the minimum. The same is true for SecAuditLogDirMode and SecAuditLogFileMode.
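For reference, an audit-log configuration that makes the permission point above explicit. This is an added example, not configuration from the ModSecurity-nginx project or from any poster in this thread; the paths under /var/log/modsec and the "nginx" user/group are assumptions, and the directive set is the one from libmodsecurity v3 (SecAuditLogDirMode and SecAuditLogFileMode are the two directives mentioned in the comment above). It would be loaded from the file named in modsecurity_rules_file in nginx.conf.

```apache
# Added example (not the project's own modsecurity.conf). Assumed paths:
# /var/log/modsec/audit.log and /var/log/modsec/audit/ -- substitute your own.
# Assumed runtime account: nginx workers run as user "nginx", whose only group
# is "nginx", so the group-write bit is the minimum that lets them write here.

SecRuleEngine On

# Record a transaction only when it is "relevant": any 5xx, or any 4xx except 404.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Sections to record. H is the audit-log trailer, which carries the messages for
# the rules that matched; without it the per-transaction record has no rule info.
SecAuditLogParts ABIJDEFHZ

# One JSON record per transaction under the storage directory, plus an index file.
SecAuditLogFormat JSON
SecAuditLogType Concurrent
SecAuditLog /var/log/modsec/audit.log
SecAuditLogStorageDir /var/log/modsec/audit/

# Mode bits applied to directories and files ModSecurity creates under the
# storage dir. 0770/0660 keep the tree private to the owner and the "nginx"
# group while still giving the group the write bit the workers need.
SecAuditLogDirMode 0770
SecAuditLogFileMode 0660
```

The mode directives only govern what ModSecurity creates itself; the top-level storage directory and the index file still have to be created in advance, owned by (or group-writable for) the account named in the nginx `user` directive, otherwise the audit engine fails silently and the only trace of a match is the line in the nginx error log.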

alexandrefilgueira commented 2 years ago

Logs do get created in the right folders with the right permissions; it is just that the messages field of the JSON object, where the applied rules should go, is empty. It doesn't happen always: I can see some of the audit logs containing the applied rules, but most of the time it is empty.

cello86 commented 2 years ago

I reinstalled the nginx-connector 1.0.2 version with the latest version of mod_security and all works fine.

Marcello