SecAuditLogFormat in libmodsecurity

[lkarsten]

Issue: SecAuditLogFormat is documented in the reference manual, but is not a valid configuration item on libmodsecurity 65bd06f / slightly outdated v3-master.

(with ModSecurity-nginx)
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /opt/nginxmodsec/conf/modsecurity.conf. Line: 179. Column: 25. Invalid input: SecAuditLogFormat native in /etc/nginx/sites-enabled/example.com:16

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /opt/nginxmodsec/conf/modsecurity.conf. Line: 178. Column: 23. Invalid input: SecAuditLogFormat JSON in /etc/nginx/sites-enabled/example.com:16

Expected: Note in the manual that this does not work in libmodsecurity.

Manual entry: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secauditlogformat

Related: #1395 (closed prematurely?)

[victorhora]

Indeed, SecAuditLogFormat directive is currently not supported on libModSecurity.

As of now, for libModSecurity Serial logging is using the regular log format by default.

But if you want JSON logging you need to switch to Concurrent (aka Parallel) or HTTPS logging type as these are using JSON by default.

I'll propose an update to the parser to make it clear instead of the "invalid input" error message until this is tested and known to be working.

[zimmerle]

Implemented already.