ModSecurity-nginx

Blocked Requests not logged in Debug mode Level 1

Open jeremyjpj0916 opened this issue 5 years ago • 7 comments

As per documentation, these are the valid values for debug levels (0 to 9, excluding 6-8): https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch04-logging.html

| Debug log level | Description |
|---|---|
| 0 | No logging |
| 1 | Errors (e.g., fatal processing errors, blocked transactions) |
| 2 | Warnings (e.g., nonblocking rule matches) |
| 3 | Notices (e.g., nonfatal processing errors) |
| 4 | Handling of transactions and performance |
| 5 | Detailed syntax of the rules |
| 6–8 | Not used |
| 9 | Detailed information about transactions (e.g., variable expansion and setting of variables) |

Working confirmed numbers (does output logs): 0, 9, 5, 4

Not working numbers: 1

Unsure of the best way to cause these so skipped them for now: 2, 3

Audit log logic helps supplement the 1 use case generally (will also be raising a separate issue on that), but I still think it would be right and proper for level 1 to log errors in debug if documentation presents it like that (and maybe for audit vs debug log cross comparison for extra analysis).

Log level 4 supposedly helps with getting performance numbers too, but in reviewing logs I see no logging to indicate performance of evaluated rules. Might it be that NGINX integration is not as feature complete as integrations with other webservers in v3?

Version: Master branch right now of the ngx connector + libmodsec 3.0.4

jeremyjpj0916, Feb 14 '20 07:02

Hi @jeremyjpj0916,

What are you trying to achieve? I am not familiar with the references that you have quoted.

zimmerle, Feb 17 '20 12:02

Howdy @zimmerle, hope your day is going well. Trying to achieve this:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secdebugloglevel

On log level 1:

The possible values for the debug log level are:

- 0: no logging
- 1: errors (intercepted requests) only
- 2: warnings
- 3: notices
- 4: details of how transactions are handled
- 5: as above, but including information about each piece of information handled
- 9: log everything, including very detailed debugging information

Currently intercepted requests do not get logged into the https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secdebuglog file at debug log level 1.

jeremyjpj0916, Feb 17 '20 16:02

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot], Mar 19 '20 00:03

still a thing

jeremyjpj0916, Mar 19 '20 01:03

The "nostale" tag has been set for this one and it's now reopened. We'll get to it when possible. Thank you.

victorhora, Apr 07 '20 20:04

Hi @jeremyjpj0916,

This reference manual is specific to version 2.x; some of that information is no longer valid for v3.0. Is the information that you are looking for in any other LogLevel?

zimmerle, Jul 03 '20 12:07

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot], Aug 03 '20 00:08

lol

jeremyjpj0916, Aug 03 '20 02:08