-1

I'm using ModSecurity v3.0.3 with the blocking module and I need to get my audit log.

Also, because I need it, I have to use some custom error pages.

Unfortunately, I have my logs, but I'm losing my auditlog. I tried some forums' help, but it didn't work for me.

One of the forums: https://github.com/SpiderLabs/ModSecurity-nginx/issues/76

Here is the location configuration of my nginx

Any help or starting point would be appreciated, thanks!

Alex

2 Answers

2

I had the same problem with ModSecurity 3.3.2 + nginx and custom errors, so leaving this here in case other people run into the same issue as it took me a while to find a solution.

The issue in my case was that I had the custom error in nginx return the message directly in the error location block, so something like:

error_page 400 @error_400;
location @error_400 {
  types {}
  default_type application/json;
  # Body is returned directly from the error location block
  return 400 '{"message": "WHATEVER ERROR"}';
}

So the solution in my case was to put that exact JSON message in a file and reference that file instead, so the above becomes:

error_page 400 /400.json;
location = /400.json {
  types {}
  default_type application/json;
  # Body is served from a static file under this root
  root /usr/share/nginx/html/custom_errors/;
}

And in that root path I put the 400.json file with that exact error message:

cat /usr/share/nginx/html/custom_errors/400.json

{"message": "WHATEVER ERROR"}

This brought back the SecAudit Logs from ModSecurity. Hope this helps someone.

Okadan85
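The following check is an added example, not part of the answer above or of ModSecurity: a heuristic scan of an nginx config for `error_page` targets whose location answers with an inline `return <code> <body>`, the pattern the answer reports as having cost it the audit log. The function names and both sample configs are constructed for illustration, and the regex-based parsing assumes simple, non-included configs.

```python
import re

# Constructed nginx snippets modelled on the answer's two variants (not real configs).
INLINE = """
error_page 400 @error_400;
location @error_400 {
  return 400 '{"message": "WHATEVER ERROR"}';
}
"""
FILE_BACKED = """
error_page 400 /400.json;
location = /400.json {
  types {}
  root /usr/share/nginx/html/custom_errors/;
}
"""
ERROR_PAGE = re.compile(r"^\s*error_page\s+([^;]+);", re.M)
LOCATION = re.compile(r"^\s*location\s+(?:(?:=|\^~|~\*|~)\s+)?(\S+)\s*\{", re.M)
INLINE_RETURN = re.compile(r"^\s*return\s+\d{3}\s+[^;\s]", re.M)

def block_body(conf, open_at):
    """Text between the '{' at open_at and its matching '}', ignoring braces in quotes."""
    depth, quote = 0, None
    for i in range(open_at, len(conf)):
        ch = conf[i]
        if quote:
            if ch == quote and conf[i - 1] != "\\":
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "{}":
            depth += 1 if ch == "{" else -1
            if depth == 0:
                return conf[open_at + 1:i]
    raise ValueError("unbalanced braces")

def find_inline_error_bodies(conf):
    """List (location, status codes) for error_page targets using `return <code> <body>`."""
    targets = {}
    for m in ERROR_PAGE.finditer(conf):
        *codes, uri = m.group(1).split()
        targets[uri] = [c for c in codes if c.isdigit()]
    return [(m.group(1), targets[m.group(1)])
            for m in LOCATION.finditer(conf)
            if m.group(1) in targets
            and INLINE_RETURN.search(block_body(conf, m.end() - 1))]

if __name__ == "__main__":
    print(find_inline_error_bodies(INLINE), find_inline_error_bodies(FILE_BACKED))
```

A finding only marks a location worth retesting: trigger the error and confirm that a matching entry still reaches the audit log.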
0

Could you elaborate on "losing my auditlog"? This sounds as if you would see it for a moment, but then it disappears.

Also, you link to a very old ModSec issue that has been fixed and released in the meantime. Where is the connection?

dune73
  • Yes, wasn't very expressive. When I said I'm losing my audit logs, I mean I got it, Logstash got it but they cannot be sent. In fact, I'm using custom error pages, and if I remove these pages, it works, but I need them. I know the ModSec issue is old, but that was the best link I found for my problem. Tell me if you need more explanation, and thanks for your answer! – Alex Jun 21 '21 at 06:54
  • Logstash has your logs, but they cannot be sent? Where do you want to send them? Sorry, but I am still puzzled... – dune73 Jun 23 '21 at 07:13
  • Logstash gets my logs, but they cannot be sent to my Kibana if I have error pages, yup. In fact, I have my logs in Logstash and Kibana if I remove my error pages, but if I add them, my logs are only in Logstash. – Alex Jun 24 '21 at 08:33
  • Sorry, but that's no longer a ModSec problem then and I'm afraid I'm not a Logstash expert (at all). – dune73 Jun 25 '21 at 09:06
  • I don't think it's a Logstash problem tbh, but a real ModSec prob, but don't worry, thanks for your answer :D – Alex Jun 25 '21 at 09:24