Sending Logs in JSON format

[nginxsantos]

Can someone please point me to the work where the logs can be sent in JSON format when the violation happens.
Sending the logs in JSON format makes it simple to analyze/parse.

I looked at the following, but the author says it is incomplete. Is there any solution/patch to this?

https://github.com/p0pr0ck5/ModSecurity/tree/json_logging

Thanks...Santos

[pieterlange]

Hate to say it, but +1 on this.

Having to parse the current format is an absolute nightmare. And everyone should know that custom parsing/formats ALWAYS come with a higher amount of (security) bugs.

@nginxsantos you could consider parsing your logs with logstash and https://github.com/bitsofinfo/logstash-modsecurity. logstash can create the necessary output formats/locations for you (including JSON). But make sure to use logstash 1.4.2, the newly released 1.5.1 broke the before-mentioned parser. Which is why i'm here again.. googling how to parse this impossible format.

[zimmerle]

@nginxsantos, @pieterlange: you may want to check this:

https://github.com/SpiderLabs/modsecurity-mlogc-ng

[pieterlange]

For anyone wondering if you should invest time into exploring that option: not right now.

[zimmerle]

This is related to issue #656

[zimmerle]

Hi,

Do you guys have any feedback on the format presented here:
https://gist.github.com/zimmerle/b22660ab33bd6df444fd

Missing something?

[pieterlange]

Hi,

that looks very usable!

Not sure if i'm a fan of spaces in the JSON keys though. But they look like typo's (there are a few others, i'm not going to nitpick about that)

FWIW/anyone googling: as i was using modsec purely for audit logging i'm going to replace the logging part with packetbeat as it serves my needs just fine..

[nginxsantos]

Hi @zimmerle - The format suggested by you @ https://gist.github.com/zimmerle/b22660ab33bd6df444fd looks good.

But, I am wondering how to generate in that format.
Can https://github.com/SpiderLabs/modsecurity-mlogc-ng generate in that format or you have developed something else.

Thanks....

[zimmerle]

Hi @nginxsantos,

"modsecurity-mlogc-ng" will be upgraded to support that format, also we are working on this libmodsecurity (ModSecurity without Apache dependency -- for nginx, IIS and other bindings) so I was thinking about having the JSON format as the default option.

More information about libmodsecurity: https://github.com/SpiderLabs/ModSecurity/tree/libmodsecurity/

[nginxsantos]

Hi @zimmerle ,

Thank you libmodsecurity is a good idea. If you are planning the JSON default logging format there, then it will be good.

Please update it here once done for the benefit of the others.

Many thanks....

[SECURITI]

Definitely a necessity with the big upswing of MongoDB usage, so people can
easily log straight to their database.

On Tue, Jul 7, 2015 at 2:53 AM, nginxsantos notifications@github.com
wrote:

Hi @zimmerle https://github.com/zimmerle ,

Thank you libmodsecurity is a good idea. If you are planning the JSON
default logging format there, then it will be good.

Please update it here once done for the benefit of the others.

Many thanks....

—
Reply to this email directly or view it on GitHub
#897 (comment)
.

---

John Martinelli
Digital Security & Internet Marketing Consultant

*Office Landline (feel free to call 24/7) * +1 (317) SECUR-17
*Direct Cell (M-F, 9-5 EST) * +1 (412) 888-6090

[p0pr0ck5]

I ended up completely refactoring the idea for presenting audit logs as JSON here: https://github.com/p0pr0ck5/ModSecurity/tree/json_audit_logging

This uses yajl and is a much cleaner approach, in that it doesn't stomp on message generation function signatures.

See https://www.cryptobells.com/mod_security-json-audit-logs-revisited/ for some discussion.

[nginxsantos]

Thanks...Let me take a look.

[p0pr0ck5]

Just a heads up, I updated my branch (and the associated pull request) to no longer rely on a compile-time option. Instead, we define a new config directive, SecAuditLogFormat, to be defined as either 'JSON' or 'Native' (default is native).

[nginxsantos]

Hi @p0pr0ck5 ,
How is your branch differ from the main ModSecurity repo, I mean what are the changes you have done apart from JSON log format?