Hi,
So far, I’ve managed to set up crowdsec to collect logs on an nginx ingress controller, parse them, raise alerts and apply certain decisions with the help of a bouncer, all by following this tutorial here.
But when it comes to adding the modsecurity collection alongside it (maybe it’s overkill, but I’m just testing the solution and exploring all its capabilities), I just can’t get my log parsed.
I think my problem may be related to this topic here, but I didn’t figure out how I can adapt it the Helm way.
Here is the content of the crowdsec-values.yaml that I use to apply the CrowdSec Helm chart:
container_runtime: containerd
agent:
  # To specify each pod whose logs you want to process (pods present in the node)
  acquisition:
    # The namespace where the pod is located
    - namespace: crowd-test
      # The pod name
      podName: ingress-crowd-test-ingress-nginx-controller-*
      # As in the crowdsec configuration, we need to specify the program name so the parser will match and parse the logs
      program: nginx
  # Those are ENV variables
  env:
    # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
    - name: DISABLE_ONLINE_API
      value: "true"
    # As we are running Nginx, we want to install the Nginx collection
    - name: COLLECTIONS
      value: "crowdsecurity/nginx crowdsecurity/modsecurity"
    - name: DISABLE_PARSERS
      value: "crowdsecurity/whitelists"
lapi:
  env:
    # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
    - name: DISABLE_ONLINE_API
      value: "true"
Here are the tags that I use in order to configure modsecurity:
modsecurity-snippet: |
  SecRuleEngine DetectionOnly
  SecRequestBodyAccess On
  SecAuditEngine RelevantOnly
  SecAuditLogType Serial
  SecAuditLogParts ABIJDEFHKZ
  SecAuditLog /dev/stdout
  SecAuditLogFormat Native
  SecDebugLogLevel 3
My modsecurity logs are accessible when I use the kubectl logs command on my nginx-ingress controller (just to show that the logs are properly redirected to /dev/stdout).
My collections are properly installed.
The nginx parser is operational, but the modsecurity one isn’t.
I’m a bit lost here. If anyone has any experience with how to manage the modsecurity collection on an nginx ingress controller, I’d be very happy to chat with you!
Thanks for your attention.
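As an added example (not part of this post, nor code from CrowdSec or ingress-nginx), here is a small Python parser for the Native/Serial audit-log layout that the snippet above sends to /dev/stdout. Each transaction spans several lines and part markers, which is why a line-oriented parser sees nothing matchable until the parts are regrouped; the sample entry, the rule file name and the transaction id are constructed for the demonstration.

```python
import re

# Part boundary of ModSecurity's native serial audit log, e.g. "--8fd9a1c2-A--" (hex id, part letter).
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Part A (libmodsecurity v3): "[timestamp] unique_id client_ip client_port server_ip server_port"
PART_A = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<cip>\S+) (?P<cport>\d+) (?P<sip>\S+) (?P<sport>\d+)$")
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [id "942100"] [msg "..."] tags on a part H line

def split_entries(text):
    """Group audit-log lines into transactions: [{"txid": id, "parts": {letter: [lines]}}, ...]."""
    entries, cur, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            txid, part = m.groups()
            if part == "A":  # every transaction opens with part A
                cur = {"txid": txid, "parts": {}}
                entries.append(cur)
            if cur is not None:
                cur["parts"].setdefault(part, [])
        elif cur is not None and part is not None:
            cur["parts"][part].append(line)
    return entries

def parse_entry(entry):
    """Flatten one transaction: endpoints from part A, request line from B, fired rules from H."""
    parts, event = entry["parts"], {"txid": entry["txid"], "rules": []}
    a = PART_A.match((parts.get("A") or [""])[0])
    if a:
        event.update(a.groupdict())
    req = (parts.get("B") or [""])[0].split(" ")
    if len(req) == 3:
        event["method"], event["uri"], event["proto"] = req
    for line in parts.get("H", []):  # one "ModSecurity: Warning. ..." line per matched rule
        if line.startswith("ModSecurity:"):
            event["rules"].append(dict(TAG.findall(line)))
    return event

# Constructed sample (not a real capture) in the Native/Serial layout that SecAuditLog /dev/stdout emits.
SAMPLE = """--8fd9a1c2-A--
[12/Mar/2023:10:12:34 +0000] 1678615954.12345 10.244.1.7 51234 10.244.0.9 80
--8fd9a1c2-B--
GET /index.php?id=1 HTTP/1.1
Host: shop.example.test
--8fd9a1c2-H--
ModSecurity: Warning. Matched rule. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/index.php"] [unique_id "1678615954.12345"]
--8fd9a1c2-Z--
"""
```

Feeding the real `kubectl logs` output of the controller pod into `split_entries` shows at a glance whether whole transactions arrive intact or are interleaved with the nginx access lines.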