Nginx Modsecurity JSON Format Full Log

[bosungs2y]

Hello :)
I want to send Nginx Modsecurity Full Log as 10.10.10.10(Manager) in JSON format.
But it works fine in Apache but not in Nginx What is the problem?

Information

• Nginx(1.11.13)
• libModSecurity(ver.3)

Want

1. I want to save SecAuditLog in full log and json format.
2. I want to send saved logs to the Manger Server using socat.

SecAuditLog "|/usr/bin/socat -b 5301072 - UDP-SENDTO:10.10.10.10:8888" (Error)

3. The SecAuditLogFormat JSON option is not available

SecAuditLogFormat JSON (Error)

Error Log

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/conf/modsecurity.conf. Line: 18. Column: 71. Invalid input:  SecAuditLog "|/usr/bin/socat -b 5301072 - UDP-SENDTO:10.10.10.10:8888" in /usr/local/nginx/conf/nginx.conf:42

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/conf/modsecurity.conf. Line: 19. Column: 23. Invalid input:  SecAuditLogFormat JSON in /usr/local/nginx/conf/nginx.conf:42

modsecurity.conf

SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRequestBodyLimit 100000
SecRequestBodyNoFilesLimit 2000
SecRequestBodyInMemoryLimit 100000
SecRequestBodyLimitAction ProcessPartial

SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml null
SecResponseBodyLimit 2000
SecResponseBodyLimitAction ProcessPartial

SecAuditEngine On
SecAuditLogParts ABCFHZ
SecAuditLogType Serial

#SecAuditLog /var/log/modsec_audit.log
SecAuditLog "|/usr/bin/socat -b 5301072 - UDP-SENDTO:10.10.10.10:8888"
SecAuditLogFormat JSON

SecArgumentSeparator &
SecCookieFormat 0
SecUnicodeMapFile unicode.mapping 20127

Want Apache JSON Log Format

Jul 3 14:05:24 10.195.24.226 {"transaction": {"time":"03/Jul/2017:14:05:24 +0900","transaction_id":"WVnQlArDGOIAAGaFyOYAAACQ","remote_address":"10.10.10.20","remote_port":51495,"local_address":"10.10.10.30","local_port":80},"request":{"request_line":"POST / HTTP/1.1","headers":{"Host":"http://10.10.10.30/index.html","User-Agent":"curl/7.51.0","Accept":"*/*","Content-Length":"51","Content-Type":"application/x-www-form-urlencoded"},"body":["{1}IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII"]},"response":{"protocol":"HTTP/1.1","status":200,"headers":{"Last-Modified":"Wed, 28 Jun 2017 04:28:36 GMT","ETag":"\"873-552fd9e21cba3\"","Accept-Ranges":"bytes","Content-Length":"2163","Content-Type":"text/html"},"body":"<html><body><h1>It works!</h1></body></html>\n<h2><span style=\"color:red\"; >ModSecurity Test Page <span></h2>\n\na`````````````````````````````````````````````````````````````````````````````"},"audit_data":{}}

[victorhora]

SecAuditLogFormat directive is currently not supported on libModSecurity.

As of now, for libModSecurity Serial logging is using the regular log format by default.

But if you want JSON logging you need to switch to Concurrent (aka Parallel) or HTTPS logging type as these are using JSON by default.

[victorhora]

Thanks for your report. I will close this one so we can keep track of this at #1483