Closed cello86 closed 2 years ago
Not sure if I have the same issue, but using 1.0.2, which as you pointed out should include this fix, which should include audit logs for disruptive action, I still get empty messages for the rules applied from the audit logs (requests are blocked as expected). When DetectionOnly is enabled, then I get the proper rules applied in the messages field in the audit logs.
For me, the issue was due to permissions. Have you verified permissions? For example, the logs for me are written out as nginx user, but only group is nginx, so therefore g+w is minimum. Same is true for SecAuditLogDirMode and SecAuditLogFileMode.
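A mode-bit check for the case described in the comment above, where the worker matches the log directory only through its group. This is an added example, not code from the thread or from the ModSecurity project; the temporary directory, the `audit.log` file name, the worker uid and the modes are constructed, and ACLs and SELinux are not considered.

```python
import os
import stat
import tempfile

BITS = {"owner": (stat.S_IWUSR, stat.S_IXUSR),
        "group": (stat.S_IWGRP, stat.S_IXGRP),
        "other": (stat.S_IWOTH, stat.S_IXOTH)}

def check(path, uid, gids):
    """Return (class, mode, ok) for one path using mode bits only.

    The first matching class wins (owner, then group, then other), as in
    the kernel's check. ACLs, SELinux and root's override are ignored.
    """
    st = os.stat(path)
    cls = "owner" if st.st_uid == uid else "group" if st.st_gid in gids else "other"
    w, x = BITS[cls]
    # A directory needs write and search (x) to create entries in it.
    need = (w | x) if stat.S_ISDIR(st.st_mode) else w
    return cls, oct(stat.S_IMODE(st.st_mode)), (st.st_mode & need) == need

def unwritable(root, uid, gids):
    """Paths under root that the given uid/gids cannot write."""
    bad = []
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            cls, mode, ok = check(p, uid, gids)
            if not ok:
                bad.append((os.path.relpath(p, root), cls, mode))
    return sorted(bad)

def demo():
    """Constructed layout: a log dir whose group, not owner, is the worker's."""
    with tempfile.TemporaryDirectory() as root:
        log = os.path.join(root, "audit.log")  # hypothetical file name
        open(log, "w").close()
        st = os.stat(root)
        worker_uid, worker_gids = st.st_uid + 1, {st.st_gid}  # non-owner, same group
        os.chmod(root, 0o750)  # directory without g+w
        os.chmod(log, 0o640)   # file without g+w
        before = unwritable(root, worker_uid, worker_gids)
        os.chmod(root, 0o770)  # g+w added
        os.chmod(log, 0o660)
        after = unwritable(root, worker_uid, worker_gids)
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a real host, `unwritable()` would be pointed at the audit log directory with the uid and group ids of the nginx worker process.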
Logs do get created in the right folders with the right permissions, it is just that the messages field of the JSON object is empty, where the rules applied should go. It doesn't always happen, I can see some of the audit logs containing the applied rules, but most of the time it is empty.
I reinstalled the nginx-connector 1.0.2 version with the latest version of mod_security and all works fine.
Marcello
Hi All, we tried to use the new version of the modsecurity nginx connector to test the audit log fix applied during the last year. Actually we have this configuration applied to skip the internal redirect issue:
We tried to test the configuration without success and the mod_security audit log was empty, but we could notice the triggered rule in the nginx error log.
Do we have to change the configuration?
Thanks, Marcello