concurrent logging files empty

[adamjacobmuller]

Hello,

We are running ModSecurity@1edd3570e11e9bb2b6d86b249232b24917a4b0ac and ModSecurity-nginx@abbf2c47f6f3205484a1a9db618e067dce213b89 with nginx 1.13.1.

I'm attaching the rule set + modsecurity configuration as well.

From the SecAuditLog:

www.cyberprosconsulting.com 207.244.80.239 - - [25/Aug/2017:04:02:37 +0000] "GET / HTTP/1.1" 200 16384 - "Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)" 150363375766.543193 - /var/log/nginx/modsec_audit/33062/12763/20170825/20170825-0402/20170825-040237-150363375766.543193 0 0.000000 md5:d41d8cd98f00b204e9800998ecf8427e

The files that appear are all zero bytes, which modsecurity appears to understand/expect as it says its writing 0 bytes and the md5 hash is d41d8... (the md5 hash of an empty string).

rules.zip

[zimmerle]

Make sure you have YAJL support enabled, otherwise the logs file will be empty.

[adamjacobmuller]

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secauditlogformat

Does this option no longer exist at all for ModSecurity 3 with the only option being for json-format logging?

[zimmerle]

Hi @adamjacobmuller This option is available on the latest version. You can choose between JSON and old native format. Also, you can compile libModSecurity to support the JSON. Just install the yajl developer packages and re-compile libModSecurity. The compilation process should detect the developer packages and enable the support by default.

[adamjacobmuller]

hi @zimmerle,

I'm not even seeing the keyword SecAuditLogFormat in the source for v3/master, should I be using another branch?