SecAuditLogFormat JSON seems to be ignored #1150
Comments
BTW: I'm open to contribute to the project.
Never mind - with the vanilla source it works. Looks like the error-callback inside the haproxy-spoa is responsible.
Also - seems I've mixed up error and audit logs, as there is no mention of changing config/format for error logs (aka basic block-logs).
Summary
The documentation shows an option that allows us to format the Audit-Logs in JSON: https://coraza.io/docs/seclang/directives/#secauditlogformat
But when put into coraza.conf and restarting the service, nothing changes. The logs are still formatted the same.
Basic example
I am using corazawaf/coraza-spoa with HAProxy.
Logs look like this:
{"level":"warn","time":"2024-09-20T23:18:55+02:00","message":"[client \"::ffff:95.214.55.x\"] Coraza: Warning. Host header is a numeric IP address [file \"/etc/coraza-spoa/coreruleset/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"1772\"] [id \"920350\"] [rev \"\"] [msg \"Host header is a numeric IP address\"] [data \"159.69.187.x\"] [severity \"warning\"] [ver \"OWASP_CRS/4.0.0-rc2\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"] [tag \"PCI/6.5.10\"] [hostname \"::ffff:159.69.187.x\"] [uri \"/\"] [unique_id \"FMPGEMUVBOHBCEMH\"]"}
This way the coraza-spoa 'wrapper' uses JSON format, but the core log is still a string :(
I would expect all the fields inside message to be separate JSON key-value pairs.
Used versions:
Log callback: https://github.com/corazawaf/coraza-spoa/blob/rewrite/internal%2Fapplication.go#L330
Motivation
JSON is much easier to parse than the legacy ModSecurity format.
Log systems like Graylog can parse JSON natively & easily. That is very convenient - especially as such security-logs are very important to process.
From what I've read into the source - this is where the logs are written: https://github.com/corazawaf/coraza/blob/main/internal/corazarules/rule_match.go#L238
I've found a proxy-wasm issue/pr that referenced it: corazawaf/coraza-proxy-wasm#255, corazawaf/coraza-proxy-wasm#263
Also related to this coraza-caddy issue: corazawaf/coraza-caddy#20
Related: corazawaf/coraza-spoa#91
Maybe it's just a user-error. Please correct me if I got something wrong.
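The log line quoted in the issue can be flattened into the per-field JSON the report asks for with a small parser. This is an added example, not code from the Coraza or coraza-spoa projects: it decodes the outer JSON written by the spoa logger, then splits the ModSecurity-style `[key "value"]` pairs in `message` into separate keys, collecting the repeated `tag` entries into a list and keeping the free text ("Coraza: Warning. ...") as a summary. The sample line is constructed from the one above (IP octets masked as in the original); `ParseLine`, `ParsedEvent` and the other names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// SampleLine is a constructed coraza-spoa log line modelled on the one quoted in the
// issue (IP octets masked as in the original); it is not captured from a live system.
const SampleLine = `{"level":"warn","time":"2024-09-20T23:18:55+02:00","message":"[client \"::ffff:95.214.55.x\"] Coraza: Warning. Host header is a numeric IP address [file \"/etc/coraza-spoa/coreruleset/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"1772\"] [id \"920350\"] [rev \"\"] [msg \"Host header is a numeric IP address\"] [data \"159.69.187.x\"] [severity \"warning\"] [ver \"OWASP_CRS/4.0.0-rc2\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"] [tag \"PCI/6.5.10\"] [hostname \"::ffff:159.69.187.x\"] [uri \"/\"] [unique_id \"FMPGEMUVBOHBCEMH\"]"}`

// spoaRecord mirrors the outer JSON object written by the coraza-spoa logger.
type spoaRecord struct {
	Level   string `json:"level"`
	Time    string `json:"time"`
	Message string `json:"message"`
}

// ParsedEvent is the flattened result: the wrapper fields, the free-text summary,
// every `[key "value"]` pair from message as its own key, and the repeated `tag`
// entries as a list (hypothetical output shape chosen for this example).
type ParsedEvent struct {
	Level   string            `json:"level"`
	Time    string            `json:"time"`
	Summary string            `json:"summary"`
	Fields  map[string]string `json:"fields"`
	Tags    []string          `json:"tags"`
}

// fieldRe matches one ModSecurity-style `[key "value"]` pair. Values may contain
// backslash-escaped quotes, and an empty value such as [rev ""] is valid.
var fieldRe = regexp.MustCompile(`\[([A-Za-z_]+) "((?:[^"\\]|\\.)*)"\]`)

// ParseErrorLogMessage splits the message string into its summary text, its
// single-valued fields and its tags.
func ParseErrorLogMessage(msg string) (summary string, fields map[string]string, tags []string) {
	fields = make(map[string]string)
	for _, m := range fieldRe.FindAllStringSubmatch(msg, -1) {
		key, val := m[1], strings.ReplaceAll(m[2], `\"`, `"`)
		if key == "tag" {
			tags = append(tags, val)
			continue
		}
		fields[key] = val
	}
	// Whatever is not a [key "value"] pair is the human-readable summary;
	// collapse the whitespace the removed pairs leave behind.
	summary = strings.Join(strings.Fields(fieldRe.ReplaceAllString(msg, "")), " ")
	return summary, fields, tags
}

// ParseLine decodes one spoa JSON log line and flattens its message. A line whose
// message carries no [id ...] field is rejected rather than silently emitted half-parsed.
func ParseLine(line string) (ParsedEvent, error) {
	var rec spoaRecord
	if err := json.Unmarshal([]byte(line), &rec); err != nil {
		return ParsedEvent{}, fmt.Errorf("outer JSON: %w", err)
	}
	summary, fields, tags := ParseErrorLogMessage(rec.Message)
	if _, ok := fields["id"]; !ok {
		return ParsedEvent{}, fmt.Errorf("message carries no [id ...] field: %q", rec.Message)
	}
	return ParsedEvent{Level: rec.Level, Time: rec.Time, Summary: summary, Fields: fields, Tags: tags}, nil
}

func main() {
	ev, err := ParseLine(SampleLine)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(ev, "", "  ")
	fmt.Println(string(out))
}
```

Note the scope: SecAuditLogFormat governs the audit log, while the line above is an error-log entry produced through the error callback, which is why the directive leaves it unchanged (the follow-up comments reach the same conclusion). A parser like this is a stop-gap for feeding the error log into Graylog or similar until that stream gets a structured format of its own.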