ModSecurity Audit Logs Showing Numeric Severity Instead of String Defined in Rules and Incorrect Severity Mapping #3271

Open
rohithmulka opened this issue Oct 8, 2024 · 3 comments
Labels
3.x Related to ModSecurity version 3.x

Comments

@rohithmulka

I'm encountering an issue where the severity in ModSecurity audit logs is shown as a numeric value (e.g., "severity": "2") instead of the string defined in the rules (e.g., "severity": "CRITICAL"):

0: EMERGENCY
1: ALERT
2: CRITICAL
3: ERROR
4: WARNING
5: NOTICE
6: INFO
7: DEBUG

Issue:
Rules like 949110 (blocking evaluation) do not have a defined severity, but in the logs, severity = 0 is being incorrectly mapped to "EMERGENCY", causing confusion.

audit_log.json

@rohithmulka rohithmulka added the 3.x Related to ModSecurity version 3.x label Oct 8, 2024
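An added example (not code from the issue or from libmodsecurity3) showing how a log consumer can cope with the behaviour reported above: it maps the numeric severity in a JSON audit-log message back to the name from the table, and cross-checks it against the `severity:` action actually declared in the ruleset so that a logged "0" on a rule with no severity action is flagged as an implicit default rather than read as a real EMERGENCY. The rule snippet and the trimmed-down audit-log entry are constructed for this example and only approximate the real CRS rules and the libmodsecurity3 JSON audit-log shape; the function names are my own.

```python
from __future__ import annotations

import json
import re

# Severity levels accepted by the `severity:` action in ModSecurity rules,
# as listed in the issue: numeric value -> name.
SEVERITY_NAMES = {
    0: "EMERGENCY", 1: "ALERT", 2: "CRITICAL", 3: "ERROR",
    4: "WARNING", 5: "NOTICE", 6: "INFO", 7: "DEBUG",
}

# Constructed rule snippet for this example (not copied from the CRS): one rule
# that declares a severity action and one blocking-evaluation style rule that
# does not, mirroring the 949110 case from the issue.
SAMPLE_RULES = r"""
SecRule REQUEST_COOKIES|ARGS "@rx (?i:<script)" \
    "id:941100,\
    phase:2,\
    block,\
    msg:'XSS Attack Detected',\
    severity:'CRITICAL'"

SecRule TX:ANOMALY_SCORE "@ge 5" \
    "id:949110,\
    phase:2,\
    deny,\
    msg:'Inbound Anomaly Score Exceeded'"
"""

# Constructed, trimmed-down entry in the shape of a libmodsecurity3 JSON audit
# log (only the fields this example reads are included).
SAMPLE_AUDIT_LOG = json.dumps({
    "transaction": {
        "client_ip": "203.0.113.10",
        "unique_id": "example-transaction-1",
        "messages": [
            {"message": "XSS Attack Detected",
             "details": {"ruleId": "941100", "severity": "2"}},
            {"message": "Inbound Anomaly Score Exceeded",
             "details": {"ruleId": "949110", "severity": "0"}},
        ],
    }
})


def parse_rule_severities(rules_text: str) -> dict[str, str | None]:
    """Map each rule id in a SecRule/SecAction snippet to the severity name its
    `severity:` action declares, or None when the rule has no severity action."""
    rules: dict[str, str | None] = {}
    current: list[str] = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Only start collecting at a directive; ignore stray lines.
        if not current and not line.startswith(("SecRule", "SecAction")):
            continue
        if line.endswith("\\"):          # continuation line: keep collecting
            current.append(line[:-1].strip())
            continue
        current.append(line)
        rule_text = " ".join(current)
        current = []
        id_match = re.search(r"\bid:'?(\d+)'?", rule_text)
        if not id_match:
            continue
        sev_match = re.search(r"\bseverity:'?([A-Za-z]+|\d)'?", rule_text)
        severity: str | None = None
        if sev_match:
            token = sev_match.group(1).upper()
            severity = SEVERITY_NAMES[int(token)] if token.isdigit() else token
        rules[id_match.group(1)] = severity
    return rules


def annotate_audit_log(audit_json: str,
                       rule_severities: dict[str, str | None]) -> list[dict]:
    """Translate the numeric `severity` of each audit-log message back to its
    name and flag messages whose rule declares no severity action, where the
    logged "0" is an implicit default rather than a real EMERGENCY."""
    entry = json.loads(audit_json)
    results = []
    for msg in entry["transaction"]["messages"]:
        details = msg.get("details", {})
        rule_id = details.get("ruleId")
        logged = details.get("severity")
        logged_name = None
        if logged is not None and str(logged).isdigit():
            logged_name = SEVERITY_NAMES.get(int(logged))
        declared = rule_severities.get(rule_id)
        # Only rules known from the ruleset can be judged; an unknown rule id
        # is left un-flagged rather than guessed at.
        implicit = rule_id in rule_severities and declared is None
        results.append({
            "ruleId": rule_id,
            "logged_severity": logged,
            "logged_severity_name": logged_name,
            "declared_severity": declared,
            "severity_is_implicit": implicit,
        })
    return results


if __name__ == "__main__":
    declared = parse_rule_severities(SAMPLE_RULES)
    for row in annotate_audit_log(SAMPLE_AUDIT_LOG, declared):
        print(row)
```

Run against the sample input, rule 941100 resolves to CRITICAL both in the log and in the ruleset, while 949110 is reported as logged "0" (EMERGENCY by the table) with no declared severity and `severity_is_implicit` set, which is the distinction a downstream parser or SIEM mapping needs until the engine stops emitting the field for such rules.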
@airween
Member

airween commented Oct 9, 2024

Hi @rohithmulka,

thanks for bringing this up.

Yes, this is a known behavior of libmodsecurity3 (I read your message on Slack, this is why I know - but it would be good to fill in the issue template with versions and other information).

I think we have to discuss here (with other libmodsecurity3 users) what the correct behavior would be. I think we can modify the code so that if a rule does not have a severity action then that field won't be in the log. But I don't know how happy users would be, e.g. if someone uses their own parser which expects the field...

@theseion
Collaborator

I feel like "no severity" should mean "default log level", which I assume would be DEBUG.

@airween
Member

airween commented Oct 14, 2024

I feel like "no severity" should mean "default log level", which I assume would be DEBUG.

I think there are several different aspects around the severity rule value.

  • first, what @rohithmulka brought up: if a rule does not have a severity action, then why does the engine log it with any value?
  • second, what you mention @theseion: if there is no severity, then how should we interpret that?
    • I think the best would be that we don't write that into the log
  • third: how does the engine behave in this case? In the case of libmodsecurity3 + Nginx, the severity value determines which rules must appear in the log. E.g. if Nginx's log level is "lower" than info, then only rules which have the CRITICAL value will be logged (if I'm not wrong)
    • maybe this implicit 0 is there because Nginx needs it for logging. I haven't inspected that yet.

So we definitely have some work to do with this.
