Hi
This is one of the log entries I would expect to be recognized by the parser, but isn’t:
2022/03/20 09:52:40 [error] 23#23: *1220 [client fd42:0:0:41::21a] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.0.2.100"] [uri "/"] [unique_id "1647769960"] [ref ""], client: fd42:0:0:41::21a, server: , request: "GET / HTTP/1.1", host: "xxx.yyyy.ch"
Can someone help or point me to the right direction?
Ok, seems as if the parser works, but the szenario is not triggering a notification to lapi.
Question: the nginx and modsecurity share the error.log, but access.log is only used by nginx.
So how do I define acquis.yaml?
filenames:
- /var/log/nginx/*.log
labels:
type: nginx modsecurity
or
filenames:
- /var/log/nginx/*.log
labels:
type: nginx
----
filenames:
- /var/log/nginx/error.log
labels:
type: modsecurity
or
filenames:
- /var/log/nginx/access.log
labels:
type: nginx
----
filenames:
- /var/log/nginx/error.log
labels:
type: nginx modsecurity
Hello @ne20002 ,
It is not really optimal, but currently the only way to make this work is to have this in your acquis.yaml file:
filenames:
- /var/log/nginx/*.log
labels:
type: nginx
----
filenames:
- /var/log/nginx/error.log
labels:
type: modsecurity
Hi,
Thanks…
iiAmLoz
October 23, 2023, 11:15am
6
Yes they are valid, and since modsecurity only logs to error logs that is the only valid configuration
Thank you Loz…
Then best to open a new ticket, outlining what issues you are facing as OP of this has already had a resolution