no message in log and auditlog #58

Closed
zzhclare opened this issue Jul 26, 2017 · 7 comments
@zzhclare

Hi,
I'm using libmodsecurity-3.0.0 + modsecurity-nginx-0.0.1 + nginx-1.12.0. I could not find any message in the log file even though the rule has been triggered.
Here is my nginx configuration:

location / {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/modsec_includes.conf;
    root   /usr/share/nginx/html;
    index  index.html index.htm;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header REMOTE_ADDR $remote_addr;
    proxy_set_header HOST $host;
}

And this is modsec_includes.conf:

include modsecurity.conf
include crs-setup.conf
include rules/*.conf

# this is the rule I used to test
SecRule ARGS "test" "msg:'trigger the rule',id:'44444',log,auditlog,deny"

And in modsecurity.conf, I define the log and audit log paths:

SecDebugLogLevel 3
SecDebugLog /var/log/nginx/debug.log

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

Even if the rule (id:44444) is triggered, I cannot find any message in debug.log or modsec_audit.log.
I really don't know why this happened; please correct me if my configuration is wrong.

@zzhclare
Author

The reason I created the issue here is that when I use ModSecurity without the nginx connector, I can log messages, but now I can't. So I guess it may be caused by the connector, or my configuration is wrong.

zimmerle self-assigned this Aug 1, 2017
@zimmerle
Contributor

zimmerle commented Aug 1, 2017

Hi @zzhclare,

Indeed, you should be able to see at the very least the debug log. Would you mind changing your debug log level to 9, and the respective file to /tmp/debug.log? I want to make sure that your web server has permission to write in the chosen directory.

SecDebugLogLevel 9
SecDebugLog /tmp/debug.log

@zzhclare
Author

zzhclare commented Aug 2, 2017

@zimmerle I found the reason now! When I change the configuration, I must restart the nginx service rather than just reload the configuration file (nginx -s reload); otherwise the log settings will not be applied, though changes to common rules are picked up.
Is that a bug, or must I restart the nginx service after I change the log settings instead of using nginx -s reload?

@zimmerle
Contributor

Hi @zzhclare,

That is odd indeed. I am going to perform further investigation. The reload should be enough to reload the configurations.

I believe that the problem is related to one of the logging lockers. It seems that the last process to die (worker) is closing (and/or closing) that supposedly to be used by the new worker. Further investigation is needed.

@NisariAIT

Hi @zimmerle,
I am able to see the debug logs. But, I need to see only the error log that contains the rule against which the request was denied. How can I enable this logging?

@victorhora
Contributor

@NisariAIT, Pull request #116 is up for evaluation to address the behaviour that you've mentioned.
Please see #112 for further information.

@zimmerle
Contributor

As #116 is now merged, closing this issue.
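
The first check suggested in the thread, whether the configured debug and audit log paths can actually be written, as an added example that is not part of the original discussion or of the ModSecurity project's code. The function names are hypothetical, and the defaults it assumes for unset directives are marked in the comments.

```python
import os

# Logging directives that appear in the thread's modsecurity.conf.
DIRECTIVES = ("SecDebugLog", "SecDebugLogLevel", "SecAuditEngine", "SecAuditLog")

def parse_logging(conf_text):
    """Return {directive: value} for the logging directives; the last one wins."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        # Blank lines, comments and unrelated directives fall through here.
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            found[parts[0]] = parts[1].strip().strip('"')
    return found

def writable(path):
    """True if this user can append to path, or create it in its directory."""
    if os.path.exists(path):
        return os.access(path, os.W_OK)
    parent = os.path.dirname(path) or "."
    return os.path.isdir(parent) and os.access(parent, os.W_OK | os.X_OK)

def check_logging(conf_text):
    """List configuration and permission problems that keep log entries from being written."""
    cfg, problems = parse_logging(conf_text), []
    # Assumption: an unset SecDebugLogLevel is treated as 0 (no debug output).
    if "SecDebugLog" not in cfg or int(cfg.get("SecDebugLogLevel", "0")) == 0:
        problems.append("debug log disabled (no SecDebugLog or level 0)")
    elif not writable(cfg["SecDebugLog"]):
        problems.append("debug log not writable: " + cfg["SecDebugLog"])
    # Assumption: an unset SecAuditEngine is treated as Off.
    if cfg.get("SecAuditEngine", "Off").lower() == "off":
        problems.append("SecAuditEngine is Off")
    elif "SecAuditLog" not in cfg:
        problems.append("SecAuditLog path not set")
    elif not writable(cfg["SecAuditLog"]):
        problems.append("audit log not writable: " + cfg["SecAuditLog"])
    return problems

if __name__ == "__main__":
    # Logging directives as posted in the thread.
    sample = """SecDebugLogLevel 3
SecDebugLog /var/log/nginx/debug.log
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log"""
    print(check_logging(sample) or "log paths are usable by this user")
```

Run it as the account the nginx workers run under, since the permission check applies to the current user. It does not follow include lines and cannot detect the reload behaviour reported above.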
