Open JakubOnderka opened 3 months ago
Hi @JakubOnderka,
thanks for this PR!
I'm sure this patch can be useful for many users, but please consider the following:
> log the whole message in case request is blocked into nginx error log. But the same information is also logged into modsecurity audit logs

This depends on the circumstances. E.g., by default the audit log contains the transaction-related information only if the status code is 4XX or 5XX, except 404 (see `SecAuditLogRelevantStatus`).
If someone uses Core Rule Set in anomaly scoring mode, and the transaction's score value does not reach the threshold, then that information will be lost (I mean the triggered rules).
Moreover, consider if someone uses some IPS/IDS (e.g. fail2ban) which uses only the error.log (as far as I know there is no plugin for fail2ban which can use audit.log) - then this configuration could be unusable.
I support any new feature, but we must let users know what they are doing.

> so logs can grow pretty fast in case of DDoS or scanning attacks.

If the log level is lower than `info` in Nginx's configuration (e.g. no level), then the result is almost the same (like this PR's result).

> This patch adds new option `modsecurity_error_log` that accepts `on` or `off` option. `on` is default that logs the whole message to error log, but it can be turned off.

A side note, but I hope others will check this PR too and write their opinions: `modsecurity_error_log` suggests to me where the log is, I mean the path. Maybe a more informative name would be better, e.g. `modsecurity_use_error_log`, or similar.

> It also adds new variable `$modsecurity_status` that contains status code from modsecurity.

It would be nice to see a real example of its use. Since you want to add a new configuration keyword and a new variable, please add their documentation to README.md, below the `Usage` section (you can do that within this PR, not a separate one). If you write the documentation for `modsecurity_error_log` (or the other name - we will see), then please also add the side effects that I explained above.

And thanks again!

Modsecurity module for nginx by default logs the whole message in case request is blocked into nginx error log. But the same information is also logged into modsecurity audit logs, so logs can grow pretty fast in case of DDoS or scanning attacks.
This patch adds new option `modsecurity_error_log` that accepts `on` or `off` option. `on` is default that logs the whole message to error log, but it can be turned off. It also adds new variable `$modsecurity_status` that contains status code from modsecurity.
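
An added example, not code from this PR or from the project: if the error log entries are turned off, a tool that only reads error.log (the fail2ban case raised in the review) loses its signal, so this sketch counts ModSecurity blocks per client from the access log instead. The `log_format` layout, the field name `modsec=`, and the reading of `$modsecurity_status` as "the status ModSecurity set, empty when it did not intervene" are assumptions.

```python
import re
from collections import Counter

# Assumed access-log format (the name "waf" and field layout are hypothetical):
#   log_format waf '$remote_addr [$time_local] "$request" $status '
#                  'modsec=$modsecurity_status';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) modsec=(?P<modsec>\S+)$'
)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 [10/Oct/2023:13:55:01 +0000] "GET /.env HTTP/1.1" 403 modsec=403
198.51.100.7 [10/Oct/2023:13:55:02 +0000] "GET /wp-login.php HTTP/1.1" 403 modsec=403
198.51.100.7 [10/Oct/2023:13:55:03 +0000] "GET /.git/config HTTP/1.1" 403 modsec=403
203.0.113.9 [10/Oct/2023:13:55:04 +0000] "GET /internal/ HTTP/1.1" 403 modsec=-
203.0.113.9 [10/Oct/2023:13:55:05 +0000] "GET /index.html HTTP/1.1" 200 modsec=-
192.0.2.44 [10/Oct/2023:13:55:06 +0000] "POST /search HTTP/1.1" 403 modsec=403
this line is truncated or malformed
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # nginx writes "-" for an empty variable; assumed here to mean that
    # ModSecurity did not intervene in the request.
    rec["modsec"] = int(rec["modsec"]) if rec["modsec"].isdigit() else None
    return rec

def blocked_by_ip(lines):
    """Count requests per client where ModSecurity itself set a 4XX/5XX status."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["modsec"] is not None and rec["modsec"] >= 400:
            counts[rec["ip"]] += 1
    return counts

def offenders(lines, threshold=3):
    """Clients with at least `threshold` ModSecurity blocks (ban candidates)."""
    counts = blocked_by_ip(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG.splitlines()))
```

The 403 from 203.0.113.9 is not counted because its `modsec` field is empty, which separates WAF blocks from other denials; the triggered rule IDs are still only available in the audit log.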