ModSecurity with Nginx: not parsed but in k8s env?

Hi,

So far, I’ve managed to set up crowdsec to collect logs on a nginx ingress controller, parse them, raise alerts and apply certain decisions with the help of a bouncer, all by following this tutorial here.

But when it comes to adding the modsecurity collection alongside it (maybe it's overkill, but I'm just testing the solution and exploring all its capabilities), I just can't get my logs parsed.

I think my problem may be related to this topic here, but I didn't figure out how to adapt it to the Helm way.

Here is the content of my crowdsec-values.yaml that I use to apply the crowdsec Helm chart:

container_runtime: containerd
agent:
  # To specify each pod you want to process it logs (pods present in the node)
  acquisition:
    # The namespace where the pod is located
    - namespace: crowd-test
      # The pod name
      podName: ingress-crowd-test-ingress-nginx-controller-*
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: nginx
  # Those are ENV variables
  env:
  # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
  - name: DISABLE_ONLINE_API
    value: "true"
  # As we are running Nginx, we want to install the Nginx collection
  - name: COLLECTIONS
    value: "crowdsecurity/nginx crowdsecurity/modsecurity"
  - name: DISABLE_PARSERS
    value: "crowdsecurity/whitelists"
lapi:
  env:
    # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
    - name: DISABLE_ONLINE_API
      value: "true"

Here are the settings I use to configure modsecurity:

  modsecurity-snippet: |
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLogType Serial
    SecAuditLogParts ABIJDEFHKZ 
    SecAuditLog /dev/stdout
    SecAuditLogFormat Native
    SecDebugLogLevel 3\n

My modsecurity logs are accessible when I use the kubectl logs command on my nginx-ingress controller (just to confirm that the logs are correctly redirected to /dev/stdout).

My collections are correctly installed.

The nginx parser is operational, but the modsecurity one isn't :frowning:

I'm a bit lost here. If anyone has any experience with managing the modsecurity collection on an nginx ingress controller, I'd be very happy to chat with you!

Thanks for your attention.

So, following the post you linked, you need to specify an additional acquisition:

  acquisition:
    # The namespace where the pod is located
    - namespace: crowd-test
      # The pod name
      podName: ingress-crowd-test-ingress-nginx-controller-*
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: nginx

    - namespace: crowd-test
      # The pod name
      podName: ingress-crowd-test-ingress-nginx-controller-*
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: modsecurity

However, this will cause multiple readers on the same files, so you may want to take it a step further and configure additional acquisition arguments, which also allow you to specify exclude regexps.
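As an added example (not from the original thread or the chart's own documentation), here are the two readers written as raw crowdsec file-datasource entries, so that each one can carry `exclude_regexps` and drop the other log's lines before parsing. Assumptions: the chart's `agent.additionalAcquisition` key accepts raw acquisition entries, the node writes CRI-format container logs (`<timestamp> stdout F <message>`) under `/var/log/containers/<pod>_<namespace>_<container>-<id>.log`, and the two regexps only match the line shapes described in the comments.

```yaml
agent:
  # Leave the chart-generated reader empty so the ingress pod is only
  # read by the two entries below. (assumption: additionalAcquisition
  # takes raw crowdsec acquisition entries; check `helm show values`)
  acquisition: []
  additionalAcquisition:
    # Reader 1: nginx access log. Lines that belong to the ModSecurity
    # native serial audit log are dropped before the nginx parser sees them.
    - source: file
      filenames:
        # constructed path: <pod>_<namespace>_<container>-<containerID>.log
        - /var/log/containers/ingress-crowd-test-ingress-nginx-controller-*_crowd-test_*.log
      labels:
        type: nginx
      exclude_regexps:
        # audit-log section markers such as "--a1b2c3d4-A--" or "--a1b2c3d4-Z--"
        - '--[0-9a-fA-F]+-[A-Z]--'
        # part A header: "[10/Oct/2023:12:00:00 +0000] <txid> <src> <sport> <dst> <dport>"
        - '^\S+ stdout F \[[^\]]+\] \S+ \S+ \d+ \S+ \d+$'
    # Reader 2: the same file, labelled for the modsecurity parser.
    # Access-log lines ($remote_addr - $remote_user [$time_local] "...) are dropped.
    - source: file
      filenames:
        - /var/log/containers/ingress-crowd-test-ingress-nginx-controller-*_crowd-test_*.log
      labels:
        type: modsecurity
      exclude_regexps:
        - '^\S+ stdout F \S+ - \S+ \[[^\]]+\] "'
```

Because the native audit log is multi-line, the nginx reader still receives request-header and body lines from parts B to K; those simply fail the nginx grok and are discarded, while the two regexps remove the lines most likely to be mistaken for access-log entries.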