SecAuditEngine RelevantOnly won't log #21

Open
Saperlu opened this issue Aug 31, 2022 · 1 comment
Saperlu commented Aug 31, 2022

Hello again, thank you very much for your answer in #20 (I tried to find a way into the code by myself with your help but without success this morning).

So my issue today is about logs again, which is my main task these days.

The context

I've installed Caddy and coraza-waf as in the Readme, and it works.
I am trying to collect the logs about coraza.

The Issue

Coraza does not log into the file I specified with SecAuditLog unless I set SecAuditEngine to On, which logs every single request, whereas I want only the relevant ones with RelevantOnly.

In addition, changing the SecAuditLogParts does not affect the logs.

My config

Some of my Caddyfile

http://example.com {
	coraza_waf {
		include coraza.conf-recommended
		include coreruleset/crs-setup.conf.example
		include coreruleset/rules/*.conf
	}
	reverse_proxy {
		to some_ip
		trusted_proxies private_ranges 127.0.0.1
	}
}

Some of coraza.conf-recommended

# -- Rule engine initialization ----------------------------------------------

# Enable Coraza, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
# SecRuleEngine DetectionOnly
SecRuleEngine On

# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
# level response status codes).
#
SecAuditEngine On
SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$"

# Log everything we know about a transaction.
SecAuditLogParts AZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
SecAuditLogType Serial
# SecAuditLogType concurrent 
# SecAuditLogStorageDir /var/log/caddy/
SecAuditLog /var/log/caddy/waf.log

I tried to play with SecRuleEngine too.

Some of coreruleset/crs-setup.conf.example

# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
# - By default, offending requests are blocked with an error 403 response.
# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
#   and review section 'Changing the Disruptive Action for Anomaly Mode'.
# - In Apache, you can use ErrorDocument to show a friendly error page or
#   perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"



SecAction \
 "id:900000,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.blocking_paranoia_level=1"

Modifying the paranoia works and blocks my XSS attempt at lvl2, but it doesn't affect logging with SecAuditEngine (though it does affect the logging about errors in the Caddy logs).
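To work out which transactions an audit log should contain before comparing against /var/log/caddy/waf.log, here is an added example (not part of the issue and not Coraza's code) that models the audit decision as the config comments above describe it, using the SecAuditLogRelevantStatus pattern quoted in the post. The function names, the `rule_flagged` field and the sample transactions are constructed for illustration, and the RelevantOnly rule is assumed to follow those comments.

```python
import re

# Pattern copied from the SecAuditLogRelevantStatus line quoted in the issue.
RELEVANT_STATUS = re.compile(r"^(?:(5|4)(0|1)[0-9])$")

def matched_statuses(pattern=RELEVANT_STATUS):
    """Return every HTTP status code (100-599) the pattern treats as relevant."""
    return [code for code in range(100, 600) if pattern.match(str(code))]

def should_audit(engine, status, rule_flagged, pattern=RELEVANT_STATUS):
    """Model of the audit decision described by the config comments (assumed).

    engine       -- SecAuditEngine value: On, Off or RelevantOnly
    status       -- HTTP response status code
    rule_flagged -- True when a matched rule marked the transaction (auditlog)
    """
    mode = engine.lower()
    if mode == "on":
        return True    # every transaction is written
    if mode == "off":
        return False   # nothing is written
    if mode == "relevantonly":
        return rule_flagged or bool(pattern.match(str(status)))
    raise ValueError(f"unknown SecAuditEngine value: {engine!r}")

# Constructed sample transactions: (request line, response status, rule_flagged).
SAMPLE_TRANSACTIONS = [
    ("GET /index.html", 200, False),
    ("GET /search?q=xss-test", 403, True),
    ("GET /missing", 404, False),
    ("GET /api/items", 429, False),
    ("GET /health", 200, True),
    ("POST /upload", 502, False),
]

def expected_entries(engine, transactions=SAMPLE_TRANSACTIONS):
    """Request lines that should appear in the audit log for this engine mode."""
    return [req for req, status, flagged in transactions
            if should_audit(engine, status, flagged)]

if __name__ == "__main__":
    codes = matched_statuses()
    print("relevant statuses:", codes[0], "...", codes[-1], f"({len(codes)} codes)")
    for mode in ("On", "RelevantOnly", "Off"):
        print(mode, "->", expected_entries(mode))
```

With the quoted pattern, status codes 400-419 and 500-519 count as relevant, so 404 is included and 429 is not.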

jptosso (Member) commented Jan 19, 2023

Can we validate if this is still happening in https://github.com/corazawaf/coraza-caddy/releases/tag/v1.2.2 ?

jcchavezs added the v2.0 label May 26, 2023