Logging into JSON #20

Closed
Saperlu opened this issue Aug 30, 2022 · 2 comments

Saperlu commented Aug 30, 2022

First of all, thank you very much for the project!

The context

I installed coraza-caddy and included coreruleset following the Readme. Everything seems to work as expected.

I am trying to create an alert reporter to monitor the rules without opening the logs.

My issue

Logs don't seem to be formattable to JSON when I look into caddy logs (even with caddy logs in JSON, the part about coraza is in a string message):

{
    "level": "error",
    "ts": 1661861476.6985302,
    "logger": "http.handlers.waf",
    "msg": "[client \"[1]\"] Coraza: Warning. Invalid character in request (outside of very strict set) [file \"coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"0\"] [id \"920273\"] [rev \"\"] [msg \"Invalid character in request (outside of very strict set)\"] [data \"ARGS:search_block_form=<br>\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"] [tag \"paranoia-level/4\"] [hostname \"\"] [uri \"/Error\"] [unique_id \"bjmFA0ZaJ6RSkQufYKo\"]\n[client \"[1]\"] Coraza: Warning. Invalid character in request (outside of very strict set) [file \"coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"0\"] [id \"920273\"] [rev \"\"] [msg \"Invalid character in request (outside of very strict set)\"] [data \"REQUEST_BODY=search_block_form=<br>&submit.x=0&submit.y=0&form_build_id=form-DzAhIjoslwnpJp3m245LBTcJRO9uNj6SPL3ImE-LvUI&form_id=search_block_form\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"] [tag \"paranoia-level/4\"] [hostname \"\"] [uri \"/Error\"] [unique_id \"bjmFA0ZaJ6RSkQufYKo\"]\n"
}

I searched the coraza API and a bit of the source code without finding any way to get the output formatted as JSON.

Should I try to code a custom solution for myself, or is there a setting I missed?
P.S. If the option is quite easy to add to the project, I could try to make a PR if you show me the way...

Member

jptosso commented Aug 30, 2022

Hey! Thank you very much for your comment. Glad you enjoy the project.

The error logs are compatible with the old ModSecurity format. They are consistent between versions, so you can parse and reformat safely. This is the default format, but connectors can change it by updating the LogCallback function in the *coraza.Waf struct.

If you would like to propose changes to the error log, feel free to create an issue in https://github.com/corazawaf/coraza

https://github.com/molu8bits/modsecurity-parser
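Parsing the ModSecurity-style line as suggested above, as an added Go example that is not part of the thread or of the Coraza code base: it splits the Caddy "msg" string into one record per alert and collects the bracketed key/value pairs, so an alert reporter can work on JSON. The names Alert, ParseCorazaMsg and sampleMsg are hypothetical, the sample is abridged from the log in the issue, and the parser assumes a value never contains the sequence `"]`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)
// Alert is a hypothetical output shape for this example, not a Coraza type.
type Alert struct {
	Fields map[string]string `json:"fields"`
	Tags   []string          `json:"tags"`
}

// Assumption: a value never contains the sequence `"]`, so a lazy match is enough.
var pairRe = regexp.MustCompile(`\[(\w+) "(.*?)"\]`)
var actionRe = regexp.MustCompile(`Coraza: (\w+)\.`)
// sampleMsg is constructed: two alerts abridged from the "msg" value in the issue.
const sampleMsg = `[client "[1]"] Coraza: Warning. Invalid character in request [id "920273"] [data "ARGS:search_block_form=<br>"] [severity "critical"] [tag "OWASP_CRS"] [tag "paranoia-level/4"] [uri "/Error"] [unique_id "bjmFA0ZaJ6RSkQufYKo"]
[client "[1]"] Coraza: Warning. Invalid character in request [id "920273"] [data "REQUEST_BODY=search_block_form=<br>&submit.x=0"] [severity "critical"] [tag "OWASP_CRS"] [uri "/Error"] [unique_id "bjmFA0ZaJ6RSkQufYKo"]
`

// ParseCorazaMsg turns the newline-separated "msg" string into one Alert per line.
func ParseCorazaMsg(msg string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(msg, "\n") {
		pairs := pairRe.FindAllStringSubmatch(line, -1)
		if len(pairs) == 0 {
			continue // blank trailing line or text without bracketed fields
		}
		a := Alert{Fields: map[string]string{}}
		if m := actionRe.FindStringSubmatch(line); m != nil {
			a.Fields["action"] = m[1] // the word after "Coraza:", e.g. Warning
		}
		for _, p := range pairs {
			if p[1] == "tag" { // repeated key: keep every occurrence
				a.Tags = append(a.Tags, p[2])
				continue
			}
			a.Fields[p[1]] = p[2] // other keys in this format appear once per alert
		}
		alerts = append(alerts, a)
	}
	return alerts
}

func main() {
	out, _ := json.MarshalIndent(ParseCorazaMsg(sampleMsg), "", "  ")
	fmt.Println(string(out))
}
```

Both sample alerts share one unique_id, so a reporter can group the records of a single request on that field.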

@github-actions

This issue was closed because it has been inactive for 14 days since being marked as stale.
