Closed tarmo-profi closed 2 years ago
Hi @tarmo-profi ,
As mentioned elsewhere (in your previous, now-closed issue), to get output in the nginx error.log file for rules that are not disruptive:
If your current setting for the nginx error_log is 'notice', i.e.:
error_log /var/log/nginx/error.log notice;
You should change that to a more detailed setting like 'info':
error_log /var/log/nginx/error.log info;
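The effect of the two settings above, as an added example (not part of the original comment and not the project's own code): it reads the `error_log` level from a config and shows which ModSecurity rule IDs would pass that threshold. The sample log lines are constructed; their layout and the `[error]` level of the blocking entry are assumptions.

```python
import re

# nginx error_log severities, from most verbose to least verbose.
LEVELS = ["debug", "info", "notice", "warn", "error", "crit", "alert", "emerg"]

# Matches an active (not commented-out) error_log directive; the level is optional.
DIRECTIVE = re.compile(r'^\s*error_log\s+(\S+?)(?:\s+(\w+))?\s*;', re.M)
# Matches the level and rule id of a ModSecurity entry (assumed line layout).
ENTRY = re.compile(r'\[(\w+)\]\s+\d+#\d+:.*?ModSecurity:.*?\[id "(\d+)"\]')

# Constructed sample: what the connector would emit for the request in this issue.
SAMPLE_LOG = [
    '2023/01/01 12:00:00 [info] 31#31: *1 ModSecurity: Warning. Matched rule '
    '[id "932170"], client: 192.0.2.10',
    '2023/01/01 12:00:00 [error] 31#31: *1 ModSecurity: Access denied with code 403 '
    '[id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"], '
    'client: 192.0.2.10',
]

def configured_level(conf_text):
    """Level of the first active error_log directive (nginx default is 'error')."""
    m = DIRECTIVE.search(conf_text)
    if not m or not m.group(2):
        return "error"
    return m.group(2)

def visible_rule_ids(log_lines, level):
    """Rule ids of ModSecurity entries that pass the configured threshold."""
    threshold = LEVELS.index(level)
    ids = []
    for line in log_lines:
        m = ENTRY.search(line)
        # nginx writes a message only if it is at least as severe as the threshold.
        if m and LEVELS.index(m.group(1)) >= threshold:
            ids.append(m.group(2))
    return ids

if __name__ == "__main__":
    for conf in ("error_log /var/log/nginx/error.log notice;",
                 "error_log /var/log/nginx/error.log info;"):
        level = configured_level(conf)
        print(level, "->", visible_rule_ids(SAMPLE_LOG, level))
```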
Hi @tarmo-profi ,
Have you tried that out?
Hi @tarmo-profi ,
Have you tried that out?
Hello,
I did try that solution but I noticed that the error.log isn't logging to stdout, where I usually look at logs. So I assume that solution is working. Question is, how do I change error.log's output to stdout?
I will try to arrange time to solve this.
@tarmo-profi
I did try that solution but I noticed that the error.log isn't logging to stdout, where I usually look at logs. So I assume that solution is working. Question is, how do I change error.log's output to stdout?
When Nginx (or most Unix processes) starts and forks itself (we can call it a daemon), it means the process drops the stdin, stdout and stderr descriptors. They do not exist anymore.
Therefore I can't interpret your question about changing the error.log's output to stdout. Or I can do that only if your Nginx instance runs in the foreground.
Since the original question has been addressed, I'm going to go ahead and close this.
(Moreover, if the OP's nginx configuration has become broken such that no log lines of any kind are being written to the error.log file any longer, that's a question that's beyond the scope of this forum, as it's really more of a core nginx issue.)
Describe the bug
If SecRuleEngine is set to On and a ShellShock attack is made, logs only present a SecRuleID 949110 Inbound Anomaly Score Exceeded (Total Score: 5). ModSecurity has a SecRule against ShellShock, ID 932170 but it won't be logged.
Logs and dumps
Output of:
Notice: Be careful not to leak any confidential information.
To Reproduce
Steps to reproduce the behavior:
A curl command line that mimics the original request and reproduces the problem. Or a ModSecurity v3 test case.
curl -H 'User-Agent: () { :; }; echo' DOMAIN.COM
Expected behavior
After the curl, ModSecurity will block the request and log it with SecRuleID 932170.
Server (please complete the following information):
Rule Set (please complete the following information):
Additional context
Add any other context about the problem here.