chore: fixes audit log.
jcchavezs committed Oct 17, 2023
1 parent 2624bf3 commit 214e99a
Showing 5 changed files with 42 additions and 16 deletions.
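--- a/internal/auditlog/concurrent_writer.go
+++ b/internal/auditlog/concurrent_writer.go
@@ -55,6 +55,15 @@ func (cl concurrentWriter) Write(al plugintypes.AuditLog) error {
 return nil
 }
 
+formattedAL, err := cl.formatter.Format(al)
+if err != nil {
+return err
+}
+
+if len(formattedAL) == 0 {
+return nil
+}
+
 // 192.168.3.130 192.168.3.1 - - [22/Aug/2009:13:24:20 +0100] "GET / HTTP/1.1" 200 56 "-" "-" SojdH8AAQEAAAugAQAAAAAA "-" /20090822/20090822-1324/20090822-132420-SojdH8AAQEAAAugAQAAAAAA 0 1248
 t := time.Unix(0, al.Transaction().UnixTimestamp())
 
@@ -67,11 +76,6 @@ func (cl concurrentWriter) Write(al plugintypes.AuditLog) error {
 return err
 }
 
-formattedAL, err := cl.formatter.Format(al)
-if err != nil {
-return err
-}
-
 filepath := path.Join(logdir, filename)
 if err = os.WriteFile(filepath, formattedAL, cl.logFileMode); err != nil {
 return err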
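Review bot: The new `if len(formattedAL) == 0 { return nil }` early return in `Write` drops the audit record without any trace, and nothing in the hunk says that this is intended. Because the check now runs before the code that builds the timestamped path, a transaction whose formatter output is empty appears to produce no per-transaction file at all, which is worth stating for anyone relying on the audit trail for detection. A comment above the check would do, for example `// No parts configured: the formatter returned nothing, so no audit file is written for this transaction.` The same silent return is added as `if len(bts) == 0` in serial_writer.go. `Write` starts before and continues past both hunks, so the index handling is not visible here.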
25 changes: 17 additions & 8 deletions internal/auditlog/formats.go
@@ -31,6 +31,10 @@ import (
type nativeFormatter struct{}

func (nativeFormatter) Format(al plugintypes.AuditLog) ([]byte, error) {
if len(al.Parts()) == 0 {
return nil, nil
}

boundaryPrefix := fmt.Sprintf("--%s-", utils.RandomString(10))

var res strings.Builder
@@ -56,31 +60,36 @@ func (nativeFormatter) Format(al plugintypes.AuditLog) ([]byte, error) {
// Content-Length: 6
_, _ = fmt.Fprintf(
&res,
"%s %s %s\n",
"\n%s %s %s",
al.Transaction().Request().Method(),
al.Transaction().Request().URI(),
al.Transaction().Request().Protocol(),
)
for k, vv := range al.Transaction().Request().Headers() {
for _, v := range vv {
res.WriteByte('\n')
res.WriteString(k)
res.WriteString(": ")
res.WriteString(v)
res.WriteByte('\n')
}
}
case types.AuditLogPartRequestBody:
// b=test
res.WriteString(al.Transaction().Request().Body())
if body := al.Transaction().Request().Body(); body != "" {
res.WriteByte('\n')
res.WriteString(body)
}
case types.AuditLogPartIntermediaryResponseBody:
res.WriteString(al.Transaction().Response().Body())
if body := al.Transaction().Response().Body(); body != "" {
res.WriteByte('\n')
res.WriteString(al.Transaction().Response().Body())
}
case types.AuditLogPartResponseHeaders:
for k, vv := range al.Transaction().Response().Headers() {
for _, v := range vv {
res.WriteByte('\n')
res.WriteString(k)
res.WriteString(": ")
res.WriteString(v)
res.WriteByte('\n')
}
}
case types.AuditLogPartAuditLogTrailer:
@@ -91,11 +100,11 @@ func (nativeFormatter) Format(al plugintypes.AuditLog) ([]byte, error) {
// Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/).
// Server: Apache
// Engine-Mode: "ENABLED"
_, _ = fmt.Fprintf(&res, "Stopwatch: %s\nResponse-Body-Transformed: %s\nProducer: %s\nServer: %s", "", "", "", "")
_, _ = fmt.Fprintf(&res, "\nStopwatch: %s\nResponse-Body-Transformed: %s\nProducer: %s\nServer: %s", "", "", "", "")
case types.AuditLogPartRulesMatched:
for _, r := range al.Messages() {
res.WriteString(r.Data().Raw())
res.WriteByte('\n')
res.WriteString(r.Data().Raw())
}
}
res.WriteByte('\n')
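Review bot: In the `types.AuditLogPartIntermediaryResponseBody` case the new guard binds `body` but the write inside it calls `al.Transaction().Response().Body()` a second time; the request-body case just above uses the bound value, and this one should match with `res.WriteString(body)`. Reading the accessor twice is redundant and, if it ever returned different content between calls, the emptiness check and the logged bytes would disagree. `Format` begins and ends outside the hunks shown.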
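--- a/internal/auditlog/serial_writer.go
+++ b/internal/auditlog/serial_writer.go
@@ -54,6 +54,11 @@ func (sl *serialWriter) Write(al plugintypes.AuditLog) error {
 if err != nil {
 return err
 }
+
+if len(bts) == 0 {
+return nil
+}
+
 sl.logger.Println(string(bts))
 return nil
 }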
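--- a/internal/corazawaf/waf.go
+++ b/internal/corazawaf/waf.go
@@ -281,8 +281,14 @@ func NewWAF() *WAF {
 auditLogWriter: logWriter,
 auditLogWriterInitialized: false,
 AuditLogWriterConfig: auditlog.NewConfig(),
-Logger: logger,
-ArgumentLimit: 1000,
+AuditLogParts: types.AuditLogParts{
+types.AuditLogPartRequestHeaders,
+types.AuditLogPartRequestBody,
+types.AuditLogPartResponseHeaders,
+types.AuditLogPartAuditLogTrailer,
+},
+Logger: logger,
+ArgumentLimit: 1000,
 }
 
 if environment.HasAccessToFS {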
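Review bot: The default `AuditLogParts` literal added to `NewWAF` has no comment explaining the choice of parts, and the choice has logging consequences. It includes `types.AuditLogPartRequestBody`, so request bodies (which can carry credentials or personal data) would presumably be written to the audit log unless the configuration overrides the parts, while `types.AuditLogPartRulesMatched`, which the native formatter on this page handles, is left out. A short comment on the field would help, for example `// Default audit log parts, used when the configuration sets none; includes the request body, excludes matched-rule data.` `NewWAF` continues past the end of the hunk.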
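--- a/waf.go
+++ b/waf.go
@@ -64,7 +64,9 @@ func NewWAF(config WAFConfig) (WAF, error) {
 waf.AuditEngine = types.AuditEngineOn
 }
 
-waf.AuditLogParts = a.parts
+if len(a.parts) > 0 {
+waf.AuditLogParts = a.parts
+}
 
 if a.writer != nil {
 waf.SetAuditLogWriter(a.writer)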
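Review bot: With the new `if len(a.parts) > 0` guard, a configuration that sets an empty parts list is indistinguishable from one that sets none, and `waf.AuditLogParts` keeps whatever value it already had. That looks intentional given the defaults added in internal/corazawaf/waf.go, but it is not documented, and a caller who passes an empty list expecting no parts to be logged would get the defaults instead. A comment above the guard would make this explicit: `// An empty parts list leaves the WAF's default audit log parts in place.` `NewWAF` starts before and continues after this hunk.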
