ModSecurity with Nginx: not parsed?

Hi
I’ve set up my Nginx with ModSecurity and it is working well. Attacks detected are logged to Nginx’s error log, but it seems (according to cscli explain) that those entries are not recognized by the modsecurity parser.
In the collection is a statement saying that the modsecurity collection has not been tested with nginx so far…

This is one of the log entries I would expect to be recognized by the parser, but isn’t:

2022/03/20 09:52:40 [error] 23#23: *1220 [client fd42:0:0:41::21a] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.0.2.100"] [uri "/"] [unique_id "1647769960"] [ref ""], client: fd42:0:0:41::21a, server: , request: "GET / HTTP/1.1", host: "xxx.yyyy.ch"

Can someone help or point me in the right direction?
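An added example, not part of the original post and not CrowdSec's modsecurity parser: a small Python parser for the nginx error.log format quoted above. It shows which fields the line carries and how a ModSecurity entry can be told apart from an ordinary nginx error in the same file. `parse_modsec_line` and the regex names are hypothetical, and `OTHER` is a constructed nginx error line.

```python
import re

# The error.log entry quoted in the post above, unchanged.
SAMPLE = '''2022/03/20 09:52:40 [error] 23#23: *1220 [client fd42:0:0:41::21a] \
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' \
with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) \
[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] \
[line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded \
(Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] \
[maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "application-multi"] \
[tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] \
[hostname "10.0.2.100"] [uri "/"] [unique_id "1647769960"] [ref ""], \
client: fd42:0:0:41::21a, server: , request: "GET / HTTP/1.1", host: "xxx.yyyy.ch"'''

# Constructed: an ordinary nginx error written to the same error.log.
OTHER = ('2022/03/20 09:52:41 [error] 23#23: *1221 open() "/usr/share/nginx/html/'
         'favicon.ico" failed (2: No such file or directory), client: fd42:0:0:41::21a, '
         'server: , request: "GET /favicon.ico HTTP/1.1", host: "xxx.yyyy.ch"')

# nginx prefix: timestamp, [level], pid#tid, optional *connection, then the message.
NGINX_PREFIX = re.compile(
    r'^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'\d+#\d+: (?:\*\d+ )?(?P<body>.*)$')
# ModSecurity message as it appears in the sample: [client ...] ModSecurity: ... (phase N).
MODSEC = re.compile(
    r'^\[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>.*?) '
    r'\(phase (?P<phase>\d)\)\. (?P<rest>.*)$')
# Rule metadata: [key "value"] pairs, value may be empty.
KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec_line(line):
    """Return a dict of fields, or None if the line is not a ModSecurity entry."""
    m = NGINX_PREFIX.match(line)
    ms = MODSEC.match(m["body"]) if m else None
    if not ms:
        return None  # not an nginx error line, or an ordinary nginx error
    event = {"time": m["time"], "level": m["level"], "client": ms["client"],
             "action": ms["action"], "phase": int(ms["phase"]), "tags": []}
    for key, value in KV.findall(ms["rest"]):
        if key == "tag":
            event["tags"].append(value)
        else:
            # First occurrence wins: a later field cannot overwrite an earlier one.
            event.setdefault(key, value)
    return event
```
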

Ok, seems as if the parser works, but the scenario is not triggering a notification to lapi.
Need to look deeper.

Question: the nginx and modsecurity share the error.log, but access.log is only used by nginx.

So how do I define acquis.yaml?

filenames:
 - /var/log/nginx/*.log
labels:
 type: nginx modsecurity

or

filenames:
 - /var/log/nginx/*.log
labels:
 type: nginx
---
filenames:
 - /var/log/nginx/error.log
labels:
 type: modsecurity

or

filenames:
 - /var/log/nginx/access.log
labels:
 type: nginx
---
filenames:
 - /var/log/nginx/error.log
labels:
 type: nginx modsecurity

Hello @ne20002 ,

It is not really optimal, but currently the only way to make this work is to have this in your acquis.yaml file:

filenames:
 - /var/log/nginx/*.log
labels:
 type: nginx
---
filenames:
 - /var/log/nginx/error.log
labels:
 type: modsecurity