owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

audit log H appears truncated #3301

Closed ag-luca closed 3 days ago

ag-luca commented 3 days ago

Hi,

I'm not sure if this is a bug, but I've been looking for hours and I can't find similar errors. In my fresh installation of modsecurity on nginx, it seems that part H of the logs is truncated. Missing fields: Action, Stopwatch, Stopwatch2, Response-Body-Transformed, Producer, Server, Engine-Mode (compared to modsecurity with Apache logs).

Current config: Ubuntu 22.04.5 LTS, nginx/1.18.0, modsecurity-v3.0.13, modsecurity-nginx-v1.0.3, crs 4.8.0

nginx log part H modsec_audit

example expected result expected_res

thank you

airween commented 3 days ago

Hi @ag-luca,

The second format is used only by Apache with the mod_security2 module. libmodsecurity3 does not contain that format at all.

ag-luca commented 3 days ago

> Hi @ag-luca,
>
> The second format is used only by Apache with the mod_security2 module. libmodsecurity3 does not contain that format at all.

Thank you very much @airween

ag-luca commented 3 days ago

libmodsecurity3 does not contain the same log format as modsecurity2 part H. Thanks @airween
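
For log pipelines that ingest audit logs from both engines, the difference discussed in this thread can be checked per entry. The following is an added example, not code from the ModSecurity project or from the participants above: it extracts part H from a serial audit log entry and reports which of the fields listed in the issue are absent. The boundary pattern, the function names and both sample entries are assumptions constructed for illustration, and the format label is a heuristic based only on those fields.

```python
import re

# Part H fields the issue reports as present with Apache/mod_security2
# but missing with nginx/libmodsecurity3.
V2_ONLY_FIELDS = ("Action", "Stopwatch", "Stopwatch2", "Response-Body-Transformed",
                  "Producer", "Server", "Engine-Mode")
# Assumed boundary shape: dashes, transaction id, dashes, part letter, "--".
BOUNDARY = re.compile(r"^-{2,}([0-9A-Za-z]+)-+([A-Z])--$")

# Constructed sample entries (not real log output), trimmed to parts H and Z.
V3_SAMPLE = """\
---AbCd1234---H--
ModSecurity: Warning. constructed sample [id "000000"] [msg "constructed"]
---AbCd1234---Z--
"""
V2_SAMPLE = """\
--a1b2c3d4-H--
Message: Warning. constructed sample [id "000000"]
Action: Intercepted (phase 2)
Stopwatch: 1735689600000000 1000 (- - -)
Stopwatch2: 1735689600000000 1000; combined=100, p1=10, p2=80
Response-Body-Transformed: Dechunked
Producer: constructed producer string
Server: Apache
Engine-Mode: "ENABLED"
--a1b2c3d4-Z--
"""

def split_parts(entry):
    """Return {part_letter: [lines]} for one serial audit log entry."""
    parts, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            current = parts.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return parts

def classify_part_h(entry):
    """Report which v2-only fields part H carries; label the format heuristically."""
    h_lines = split_parts(entry).get("H")
    if h_lines is None:
        return {"format": "no-part-H", "present": [], "missing": list(V2_ONLY_FIELDS)}
    keys = {l.split(":", 1)[0].strip() for l in h_lines if ":" in l}
    present = [f for f in V2_ONLY_FIELDS if f in keys]
    missing = [f for f in V2_ONLY_FIELDS if f not in keys]
    fmt = "mod_security2-style" if present else "libmodsecurity3-style"
    return {"format": fmt, "present": present, "missing": missing}
```

A parser or alert rule that requires fields such as `Action` or `Engine-Mode` should treat their absence in a libmodsecurity3-style entry as expected rather than as a truncated record.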