
Increase log level for disruptive actions to error #116

Closed

Conversation

victorhora
Contributor

This pull request is intended to change the log level from warn to the "default" of error when writing log entries of disruptive actions on Nginx error_log.

I've noticed this would be contradictory to @defanator's commit b51e555 which, although it seems technically accurate, seemed to be getting some users a bit confused about why they were not getting ModSecurity logs on Nginx by default. This is intended to resolve issue #112.

@zimmerle
Contributor

Merged.

@zimmerle zimmerle closed this Oct 29, 2018
zimmerle pushed a commit that referenced this pull request Nov 29, 2018
@robinkb

robinkb commented Jul 26, 2019

@zimmerle Can this change be re-evaluated? It seems strange to me to log disruptive actions through the NGINX error log while ModSecurity also has an audit logger that grants much more control over what is logged, where the logs go, and in what format.

I could raise my NGINX error log to crit or higher, but I'm afraid that I will lose real, unexpected errors thrown by NGINX.

@victorhora
Contributor Author

One of the goals with v3 is also to keep the behaviour not too different from v2, and this changeset was also meant to provide a similar experience to v2. But we should consider making this a configuration flag so as to allow the flexibility for different use cases. What do you think?

@robinkb

robinkb commented Jul 28, 2019

A configuration flag would be very useful. At the moment I am forced to carry a patch to revert the log level to warn. Making this configurable would be a lot better.

Given a clean slate without considering current behavior, I would have the ModSecurity connector log disruptive actions in NGINX's error log at info level. After all, I expect ModSecurity to block transactions, so if it does, I don't consider it an error. If I need information about specific transactions, I can use ModSecurity's audit logger, where I have a lot more control over the content and format of the logger.

I understand the reasoning that this might be confusing for new users, who just want to verify that ModSecurity is working at all. But might it not be better to document some recommended configuration for debugging purposes? For example, new users could temporarily raise (lower...?) NGINX's error log level to warn (or whichever level is relevant), to quickly verify that ModSecurity is working. Another option would be to give users a quick explanation about the ModSecurity audit logger, or point them to the right documentation. That way, new users might have an easier time getting started, without making it more difficult to adopt ModSecurity for production, which I am currently having trouble with due to this change.

@mtorromeo

I had to raise the error_log level to info to see some destructive actions in the logs. The issue was already reported in #112 (comment).

[info] 942109#0: *101129 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `userdata_wl_content_type' against variable `TX:0' (Value: `text/plain' ) [file "/etc/nginx/modsec/comodo/10_HTTP_HTTP.conf"] [line "16"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||<SNIP>|F|2"] [data "REQUEST_METHOD=PUT"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "HTTP"] [hostname "<SNIP>"] [uri "<SNIP>"] [unique_id "15953195826.827354"] [ref "v0,3o0,10o0,10v425,10"], client: <SNIP>, server: <SNIP>, request: "PUT <SNIP> HTTP/2.0", host: "<SNIP>"

The only reference to NGX_LOG_INFO is here: https://github.com/SpiderLabs/ModSecurity-nginx/blob/master/src/ngx_http_modsecurity_log.c#L33

I guess that ngx_http_modsecurity_log is used to log some of these actions.

Should I open a new issue?
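
As an added illustration (not code from this page or from the ModSecurity-nginx project): a small Python parser for the ModSecurity entries the connector writes to the NGINX error_log, run over constructed sample lines modelled on the entry quoted above. It separates disruptive actions (libmodsecurity's "Access denied with code N (phase M)" message) from non-disruptive "Warning." entries, pulls out the bracketed rule fields, and checks which entries survive a given error_log level (NGINX's default level is error, which is what the thread is about). The sample lines, hostnames, client addresses and rule ids below are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample error_log lines, modelled on the entry quoted in the thread.
# Line 1: a non-disruptive rule match that nginx emitted at [info].
# Line 2: a disruptive action (request blocked) emitted at [error].
# Line 3: an ordinary nginx error with no ModSecurity involvement.
SAMPLE_LOG = """\
2019/07/26 10:00:01 [info] 942109#0: *101129 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `userdata_wl_content_type' against variable `TX:0' (Value: `text/plain' ) [file "/etc/nginx/modsec/comodo/10_HTTP_HTTP.conf"] [line "16"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy."] [data "REQUEST_METHOD=PUT"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "HTTP"] [hostname "example.test"] [uri "/upload"] [unique_id "15953195826.827354"] [ref "v0,3o0,10o0,10v425,10"], client: 203.0.113.7, server: example.test, request: "PUT /upload HTTP/2.0", host: "example.test"
2019/07/26 10:00:02 [error] 942109#0: *101130 ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `(?i)union\\s+select' against variable `ARGS:q' (Value: `1 union select 2' ) [file "/etc/nginx/modsec/local.conf"] [line "12"] [id "100001"] [rev ""] [msg "SQLi probe"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "local"] [hostname "example.test"] [uri "/search"] [unique_id "15953195826.901122"] [ref ""], client: 198.51.100.9, server: example.test, request: "GET /search?q=1+union+select+2 HTTP/1.1", host: "example.test"
2019/07/26 10:00:03 [error] 942109#0: *101131 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.9, server: example.test, request: "GET /favicon.ico HTTP/1.1", host: "example.test"
"""

# nginx error_log levels, least to most severe. An entry is written only when its
# level is at least the configured error_log level; the default level is "error".
NGINX_LEVELS = ['debug', 'info', 'notice', 'warn', 'error', 'crit', 'alert', 'emerg']

# "date time [level] pid#tid: *connection <message>"
LEVEL_RE = re.compile(r'^\S+ \S+ \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<body>.*)$')
# libmodsecurity prefix: either a disruptive action or a plain warning.
MODSEC_RE = re.compile(
    r'^ModSecurity: (?:Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)|Warning)\. '
    r'(?P<rest>.*)$')
# Bracketed rule metadata such as [id "210710"] or [tag "CWAF"].
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')
CLIENT_RE = re.compile(r', client: (?P<client>[^,]+),')


def visible_at(entry_level: str, configured_level: str = 'error') -> bool:
    """True if nginx would write an entry of entry_level under error_log configured_level."""
    return NGINX_LEVELS.index(entry_level) >= NGINX_LEVELS.index(configured_level)


def parse_line(line: str) -> Optional[dict]:
    """Parse one error_log line; return None for lines that are not ModSecurity entries."""
    m = LEVEL_RE.match(line)
    if not m:
        return None
    ms = MODSEC_RE.match(m.group('body'))
    if not ms:
        return None
    fields, tags = {}, []
    for f in FIELD_RE.finditer(ms.group('rest')):
        if f.group('key') == 'tag':
            tags.append(f.group('val'))   # tags repeat, so collect them all
        else:
            fields[f.group('key')] = f.group('val')
    client = CLIENT_RE.search(ms.group('rest'))
    return {
        'level': m.group('level'),
        'disruptive': ms.group('code') is not None,
        'status': int(ms.group('code')) if ms.group('code') else None,
        'phase': int(ms.group('phase')) if ms.group('phase') else None,
        'rule_id': fields.get('id'),
        'msg': fields.get('msg'),
        'severity': fields.get('severity'),
        'unique_id': fields.get('unique_id'),
        'uri': fields.get('uri'),
        'client': client.group('client') if client else None,
        'tags': tags,
    }


def summarize(log_text: str) -> dict:
    """Split a log into disruptive actions, warning-only matches and unrelated nginx errors."""
    out = {'disruptive': [], 'warnings': [], 'other': 0}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            out['other'] += 1
        elif e['disruptive']:
            out['disruptive'].append(e)
        else:
            out['warnings'].append(e)
    return out


if __name__ == '__main__':
    r = summarize(SAMPLE_LOG)
    for e in r['disruptive'] + r['warnings']:
        kind = 'BLOCK %d' % e['status'] if e['disruptive'] else 'WARN'
        kept = 'kept' if visible_at(e['level']) else 'dropped'
        print('%s rule %s %s from %s (%s at default error_log level)'
              % (kind, e['rule_id'], e['uri'], e['client'], kept))
```

The parser keys on the message prefix rather than on the nginx level, which is the point of the discussion: if the connector emits an entry at warn or info and error_log is left at its default, visible_at() reports it dropped and nothing reaches the file. The audit log (SecAuditEngine / SecAuditLog in the ModSecurity configuration) is the place to look for per-transaction detail regardless of the error_log level.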

pracj3am pushed a commit to cdn77/ModSecurity-nginx that referenced this pull request Nov 4, 2022