owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

allow logging to systemd journal #2506

Open adrelanos opened 3 years ago

adrelanos commented 3 years ago

SecAuditLog currently does not allow logging to systemd journal. Or at least that's not documented.

Could you please allow logging to systemd journal?

Might be simple to implement. For example, any daemon written in bash just has to do `echo message` and that will end up in the systemd journal. No very special code is required in ModSecurity. Just write to stdout/stderr normally. Perhaps `SecAuditLog stdout`?

Another option might be supporting `SecAuditLog /dev/log`, but /dev/log is not a file; it's a Unix domain socket file.

zimmerle commented 3 years ago

@adrelanos In v3 it is safe to output the logs to /dev/stdout. Have you faced any issues by doing that?

adrelanos commented 3 years ago

I wouldn't know why that wouldn't be safe. Lots of daemons are doing that.

`SecAuditLog /dev/stdout`, however, doesn't work. Nothing ends up in the journal.

zimmerle commented 3 years ago

Can you perform a test with the DebugLogs? I am going to check the AuditLogs here as well.

hwgao commented 2 years ago

My test result:

  1. Set `SecDebugLog /dev/stdout`. Got the error when reloading Nginx: "Failed to start DebugLog: Failed to open file: /dev/stdout".
  2. Set `SecAuditLog /dev/stdout`. There is no audit log in the systemd journal.

florianheiny commented 2 years ago

    SecAuditLogType Serial
    SecAuditLog /dev/stdout

also gives me the error "ModSecurity: Failed to open the audit log file: /dev/stdout".

hwgao commented 2 years ago

It would be better if it were possible to set SecAuditLog to a Unix domain socket. I have tried adding the CURLOPT_UNIX_SOCKET_PATH setting in /src/utils/https_client.cc and making some simple changes. But the connection to the socket fails with "Download failed: Couldn't connect to server" shown in the debug log. I can see "Sending log to: /dev/log" in the log too. It is the correct path to the socket file. I am not familiar with the ModSecurity code. Could anybody instruct me on how to debug this issue? Thanks in advance.
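The two failure reports above ("Failed to open file: /dev/stdout" for both SecDebugLog and SecAuditLog) and the failed connection to /dev/log have a common thread: a directive that takes a path ends up in open(2) or connect(2), and neither call can reach the socket that systemd hands a service. The C program below is an added example written for this issue, not ModSecurity code. It assumes that ModSecurity opens a configured SecAuditLog/SecDebugLog path like any other log file (an assumption about the implementation, not something the thread confirms), and it assumes the Linux layout in which /dev/stdout is a symlink to /proc/self/fd/1, StandardOutput=journal gives a service a Unix stream socket on fd 1, and journald's /dev/log is a datagram socket. The probe function names, the temporary paths under /tmp and the sample audit line are all constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define SAMPLE_LINE "ModSecurity: audit log test line\n"   /* constructed sample, not real output */
/* Path probes assume the Linux convention /dev/stdout -> /proc/self/fd/1 with /proc mounted. */
int proc_fd_available(void) {
    char target[64];
    ssize_t n = readlink("/dev/stdout", target, sizeof target - 1);
    if (n < 0) return 0;
    target[n] = '\0';
    return strcmp(target, "/proc/self/fd/1") == 0 && access("/proc/self/fd", F_OK) == 0;
}

/* Install `fd` as descriptor 1 (fd < 0: close it instead), then open the *path* "/dev/stdout"
 * the way a daemon opens any configured log file. Returns 0 or open()'s errno; fd 1 is restored. */
static int reopen_stdout_path_with_fd1(int fd) {
    int saved = dup(STDOUT_FILENO);
    if (saved < 0) return errno;
    if (fd < 0) close(STDOUT_FILENO);
    else if (dup2(fd, STDOUT_FILENO) < 0) { int e = errno; close(saved); return e; }
    int result = 0, logfd = open("/dev/stdout", O_WRONLY | O_APPEND);
    if (logfd < 0) result = errno; else close(logfd);
    dup2(saved, STDOUT_FILENO);
    close(saved);
    return result;
}

/* Case A: fd 1 is a regular file (shell redirection "> audit.log"): opens fine, returns 0. */
int probe_regular_file(void) {
    char path[] = "/tmp/stdout-probe-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return errno;
    unlink(path);
    int r = reopen_stdout_path_with_fd1(fd);
    close(fd);
    return r;
}

/* Case B: fd 1 is a Unix stream socket, which is what systemd connects a service's stdout to
 * for StandardOutput=journal. A socket cannot be opened by path via /proc: open() gives ENXIO. */
int probe_unix_socket(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return errno;
    int r = reopen_stdout_path_with_fd1(sv[0]);
    close(sv[0]); close(sv[1]); return r;
}

/* Case C: fd 1 closed by a daemonising parent: /proc/self/fd/1 does not exist, ENOENT. */
int probe_closed(void) { return reopen_stdout_path_with_fd1(-1); }
/* Case D: the socket from B, but write(2) to the inherited descriptor ("just write to stdout")
 * instead of reopening the path. Returns the byte count the peer receives, or -1. */
ssize_t probe_direct_write_to_socket(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int saved = dup(STDOUT_FILENO);
    if (saved < 0 || dup2(sv[0], STDOUT_FILENO) < 0) {
        if (saved >= 0) close(saved);
        close(sv[0]); close(sv[1]); return -1;
    }
    ssize_t w = write(STDOUT_FILENO, SAMPLE_LINE, strlen(SAMPLE_LINE));
    dup2(saved, STDOUT_FILENO); close(saved);
    char buf[128]; ssize_t r = w > 0 ? read(sv[1], buf, sizeof buf) : -1;
    close(sv[0]); close(sv[1]);
    return r;
}

/* Case E: a SOCK_STREAM connect() (what libcurl's CURLOPT_UNIX_SOCKET_PATH does) against a
 * SOCK_DGRAM socket such as journald's /dev/log. A throwaway datagram socket is bound under /tmp
 * so no privileges are needed. Returns connect()'s errno, EPROTOTYPE on Linux. */
int probe_stream_connect_to_dgram(void) {
    char path[] = "/tmp/dgram-probe-XXXXXX";
    int tmp = mkstemp(path), result = 0;
    if (tmp < 0) return errno;
    close(tmp); unlink(path);                        /* bind() needs the name to be free */
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    int srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv < 0) return errno;
    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) < 0) { result = errno; close(srv); return result; }
    int cli = socket(AF_UNIX, SOCK_STREAM, 0);
    if (cli < 0 || connect(cli, (struct sockaddr *)&sa, sizeof sa) < 0) result = errno;
    if (cli >= 0) close(cli);
    close(srv); unlink(path);
    return result;
}

int main(void) {
    int a = probe_regular_file(), b = probe_unix_socket(), c = probe_closed(), e = probe_stream_connect_to_dgram();
    printf("/dev/stdout probe meaningful: %d\nA regular file: %s\nB stream socket: %s\nC fd 1 closed: %s\n",
           proc_fd_available(), a ? strerror(a) : "opened", b ? strerror(b) : "opened", c ? strerror(c) : "opened");
    printf("D write(1) to socket: %zd bytes reached the peer\nE stream connect to dgram: %s\n",
           probe_direct_write_to_socket(), e ? strerror(e) : "connected");
    return 0;
}
```

Compile with `cc -o stdout-probe stdout-probe.c` and run it once from a terminal and once as a transient unit with `systemd-run`, whose output goes to the journal by default; the probes build their own sockets, so the results are the same either way, but the second run shows what the daemon's real fd 1 looks like. The practical reading: `SecAuditLog /dev/stdout` can only work when fd 1 is something /proc can reopen (a file, a pipe, a tty), never the journal socket, and writing to the inherited descriptor is a different operation from opening the path. Likewise, a libcurl stream connection cannot reach /dev/log however correct the path is, because the socket types do not match.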