Unable to turn off writing to the server log even set to nolog,noauditlog #2698

Open
Taymindis opened this issue Mar 14, 2022 · 7 comments

@Taymindis

Describe the bug
I have set this to return status 418 but I do not want any logs inside the nginx

    SecRule REQUEST_HEADERS "@contains vip_checking" "phase:2,id:70010,deny,nolog,noauditlog,status:418"

But it somehow shows an error log in nginx.

    *441580 [client 10.42.0.1] ModSecurity: Access denied with code 418 (phase 2). Matched "Operator `Contains' with parameter `vip_checking' against variable

@liudongmiao
Contributor

For myself, I just comment out the function body of ngx_http_modsecurity_log in ModSecurity-nginx to disable all modsecurity-related nginx logs.

So, I make a feature request in owasp-modsecurity/ModSecurity-nginx#274.

@martinhsv changed the title from "Unable to turn off the log even set to nolog,noaudilog" to "Unable to turn off writing to the server log even set to nolog,noauditlog" on Mar 14, 2022

@Taymindis
Author

> For myself, I just comment out the function body of ngx_http_modsecurity_log in ModSecurity-nginx to disable all modsecurity-related nginx logs.
>
> So, I make a feature request in SpiderLabs/ModSecurity-nginx#274.

I am not intending to re-compile the whole module as I am using k8s ingress modsecurity.

I am just wondering whether there is any elegant way to do it. Else I gotta use Lua to handle the case.

@martinhsv
Contributor

Hello @Taymindis,

Thanks for the report.

I expect that your use case is a little unusual. Typically, having ModSecurity deny a transaction would be considered sufficiently of interest that admins would want an entry in the web server's error.log.

In any case, this does seem like it has been a bug/anomaly in libmodsecurity since the beginning of ModSecurity v3.

I don't immediately have a good alternative or workaround. If I think of one, I will let you know.

@martinhsv added the "3.x Related to ModSecurity version 3.x" label on Mar 16, 2022

@klypnick

I've just run into this issue. I'm using a deny rule as a healthcheck and I don't want it logged every 2 seconds.

    SecRule REQUEST_FILENAME "^/waf_health_check$" "id:101, phase:2, deny, nolog, noauditlog, ctl:auditEngine=off"

The load balancer is happy when it sees a 403 for this which is great because I know nginx & modsecurity are both working, but I don't want it logged.

Amusingly I've also just tried setting status:418 and changing the RelevantLog regexp to exclude 404 & 418 but that would appear to be for the auditlog only, which ctl:auditEngine=off has disabled. Not having a full audit of every health check is a good start but it's still filling up my error_log.

@martinhsv
Contributor

Hi @klypnick,

For your use case, one option you could consider is to change the error logging level (in your nginx config) only for that health check location. For example, something like:

    location /waf_health_check {
        error_log  /var/log/nginx/error.log crit;
    }
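
An alternative to lowering the log level for the whole location, as an added example that is not part of the original thread or of either project: drop the expected denials downstream by rule id, so any other ModSecurity denial for the same path is still kept. The log lines are constructed, modeled on the entry quoted in the issue, and assume the [id "..."] tag that ModSecurity v3 appends to its messages; rule id 200500 and the function names are hypothetical.

```python
import re

# Constructed error_log lines modeled on the entry quoted in the issue.
# Rule 101 is the health-check rule from the thread; rule 200500 is a made-up id.
SAMPLE = """
2022/05/26 10:00:00 [error] 31#31: *1 [client 10.42.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `^/waf_health_check$' against variable `REQUEST_FILENAME' (Value: `/waf_health_check' ) [id "101"] [uri "/waf_health_check"]
2022/05/26 10:00:02 [error] 31#31: *2 [client 10.42.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `^/waf_health_check$' against variable `REQUEST_FILENAME' (Value: `/waf_health_check' ) [id "101"] [uri "/waf_health_check"]
2022/05/26 10:00:03 [error] 31#31: *3 [client 10.42.0.9] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Contains' with parameter `bad' against variable `ARGS:q' (Value: `bad' ) [id "200500"] [uri "/login"]
2022/05/26 10:00:04 [error] 31#31: *4 [client 10.42.0.9] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Contains' with parameter `bad' against variable `ARGS:q' (Value: `bad [id "101"]' ) [id "200500"] [uri "/login"]
2022/05/26 10:00:05 [error] 31#31: *5 upstream timed out (110: Connection timed out) while connecting to upstream
""".strip().splitlines()

ID_TAG = re.compile(r'\[id "(\d+)"\]')
DENIAL = "ModSecurity: Access denied"


def is_expected_denial(line, expected_ids):
    """True only for a ModSecurity denial whose id tags ALL belong to expected_ids.

    Request data is echoed into the message, so a line can contain extra
    '[id "..."]' text; any id outside the allow-list means the line is kept.
    """
    if DENIAL not in line:
        return False
    ids = set(ID_TAG.findall(line))
    return bool(ids) and ids <= set(expected_ids)


def filter_log(lines, expected_ids):
    """Return (kept_lines, dropped_count) before shipping to log storage."""
    kept = [l for l in lines if not is_expected_denial(l, expected_ids)]
    return kept, len(lines) - len(kept)


if __name__ == "__main__":
    kept, dropped = filter_log(SAMPLE, {"101"})
    print(f"dropped {dropped} expected denials, kept {len(kept)} lines")
```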

@FedericoHeichou

FedericoHeichou commented May 26, 2022

Hi, I wrote an antidos system but as explained in this issue, it keeps spamming in the error log.
I tried to figure out why it happens, but I failed. Reading the code I found that the callback is called by void RuleWithActions::performLogging in rule_with_actions.cc via trans->serverLog(ruleMessage);.

If you read the code you will see in every condition something like this:

    /* warn */
    trans->m_rulesMessages.push_back(*ruleMessage);
    /* error */
    if (!ruleMessage->m_isDisruptive) {
        trans->serverLog(ruleMessage);
    }

deny, drop, redirect are disruptive, so the callback should not happen.
m_rulesMessages seems to be used only for auditlogs (which work correctly).

Am I missing something? Are there other functions using the callback?

I can't replicate the problem creating a callback in the examples/simple_example_using_c/test.c though, so I am very confused.

@FedericoHeichou

Nvm

    msc_intervention(transaction, &intervention);
    printf("Intervention: %s\n", intervention.log);

The ModSecurityIntervention's log is filled, so it's not a ModSecurity bug but a ModSecurity-nginx bug, because there is:

    log = intervention.log;
    if (intervention.log == NULL) {
        log = "(no log message was specified)";
    }

    ngx_log_error(NGX_LOG_ERR, (ngx_log_t *)r->connection->log, 0, "%s", log);

I'll report it to the other issue page
