ModSecurity 3 and NginX-Connector can not log with 'SecAuditLogType Concurrent' #1585

Closed
edward-02020 opened this issue Oct 10, 2017 · 6 comments
Comments

@edward-02020
Dear ModSecurity-Team,

I have compiled nginx 1.12 with libmodsecurity v3, nginx connector and CRS3.
I can get audit log with 'SecAuditLogType Serial',
but I can't understand why the modsec audit log does not log anything in the StorageDir when I set it to

SecAuditLogType Concurrent
SecAuditLog /var/log/mlogc/modsec_audit.log
SecAuditLogStorageDir /var/log/mlogc/data

All of the AuditLogFile in /var/log/mlogc/ are empty.

[root@test mlogc]# ll data/20171010/20171010-1650/
total 0
-rw-r----- 1 root root 0 Oct 10 16:50 20171010-165034-150762543443.355397
-rw-r----- 1 root root 0 Oct 10 16:50 20171010-165041-150762544121.261334

But the modsec_audit.log is OK.

[10/Oct/2017:17:00:14 +0800] "POST /index/index HTTP/1.1" 200 16384 - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0" 150762601452.356607 - /var/log/mlogc/data/20171010/20171010-1700/20171010-170014-150762601452.356607 0 0.000000 md5:d41d8cd98f00b204e9800998ecf8427e

Regards,
Nobodysz
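A small check for the symptom described above, added here as an example and not code from the issue or from the ModSecurity project. The digest in the quoted index line, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of zero bytes, so the index line itself already records that the entry file was written empty. The script parses concurrent-mode index lines (field layout assumed from the single line quoted in the report), opens the entry file each one points to, and classifies it as missing, empty, MD5 mismatch, or ok. The sample log tree and index lines in demo() are constructed; the root parameter is an assumption that lets the absolute paths be re-based onto a copied log tree.

```python
import hashlib
import os
import re
import tempfile

# MD5 of zero bytes. The index line quoted in the report ends in exactly this digest,
# i.e. ModSecurity hashed an entry file that held no data.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

# The index line from the report, kept verbatim for parsing.
SAMPLE_INDEX_LINE = (
    '[10/Oct/2017:17:00:14 +0800] "POST /index/index HTTP/1.1" 200 16384 - '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0" '
    '150762601452.356607 - /var/log/mlogc/data/20171010/20171010-1700/'
    '20171010-170014-150762601452.356607 0 0.000000 md5:d41d8cd98f00b204e9800998ecf8427e'
)

# Field layout assumed from that one line:
# [time] "request" status bytes - "user-agent" unique-id - entry-path offset length md5:digest
INDEX_LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d+) (?P<bytes>\d+) '
    r'\S+ "(?P<ua>[^"]*)" (?P<uid>\S+) \S+ (?P<path>\S+) (?P<offset>\d+) (?P<length>\S+) '
    r'md5:(?P<md5>[0-9a-f]{32})\s*$'
)


def parse_index_line(line):
    """Return the named fields of one concurrent-mode index line, or None if it does not match."""
    m = INDEX_LINE_RE.match(line)
    return m.groupdict() if m else None


def check_entry(record, root="/"):
    """Classify the entry file an index record points to: missing, empty, md5-mismatch or ok.

    root (assumed helper parameter) re-bases the absolute path recorded by ModSecurity,
    e.g. onto a copy of the log tree; with the default "/" the path is used as-is.
    """
    path = os.path.join(root, record["path"].lstrip("/"))
    if not os.path.exists(path):
        return "missing"
    if os.path.getsize(path) == 0 or record["md5"] == EMPTY_MD5:
        return "empty"
    with open(path, "rb") as fh:
        digest = hashlib.md5(fh.read()).hexdigest()
    if digest != record["md5"]:
        return "md5-mismatch"
    return "ok"


def audit_index(lines, root="/"):
    """Map each index line to (unique-id, verdict); lines that do not parse give ('?', 'unparsed')."""
    results = []
    for line in lines:
        rec = parse_index_line(line)
        if rec is None:
            results.append(("?", "unparsed"))
        else:
            results.append((rec["uid"], check_entry(rec, root)))
    return results


def demo():
    """Build a constructed log tree in a temp dir and audit four constructed index lines against it."""
    tmp = tempfile.mkdtemp()
    entry_dir = os.path.join(tmp, "var/log/mlogc/data/20171010/20171010-1700")
    os.makedirs(entry_dir)
    # Entry a.1: zero-byte file, the situation described in the report.
    open(os.path.join(entry_dir, "a.1"), "wb").close()
    # Entry b.2: populated entry whose digest matches its index line (constructed content).
    body = b'{"transaction":{"id":"b.2"}}\n'
    with open(os.path.join(entry_dir, "b.2"), "wb") as fh:
        fh.write(body)
    body_md5 = hashlib.md5(body).hexdigest()
    # Entry c.3: referenced by the index but never written to disk.
    prefix = ('[10/Oct/2017:17:00:14 +0800] "POST /index/index HTTP/1.1" 200 16384 - '
              '"Mozilla/5.0" ')
    rel = "/var/log/mlogc/data/20171010/20171010-1700/"
    lines = [
        prefix + f"a.1 - {rel}a.1 0 0.000000 md5:{EMPTY_MD5}",
        prefix + f"b.2 - {rel}b.2 0 {len(body)}.000000 md5:{body_md5}",
        prefix + f"c.3 - {rel}c.3 0 0.000000 md5:{EMPTY_MD5}",
        "this line is not an audit index entry",
    ]
    return audit_index(lines, root=tmp)


if __name__ == "__main__":
    for uid, verdict in demo():
        print(uid, verdict)
```

Run against a real index file with audit_index(open(path).read().splitlines()); any "empty" verdict means the storage directory is being populated with zero-byte entries, which is the condition the report shows, and "md5-mismatch" flags an entry file that was altered after the index line was written.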

@zimmerle zimmerle self-assigned this Oct 10, 2017
@zimmerle zimmerle added this to the v3.0.0 feature complete milestone Oct 10, 2017
@zimmerle
Contributor

Hi @nobodysz,

Most likely this is happening because your ModSecurity was not compiled with JSON support. As of 3036462 there will be a message in the file indicating that JSON support was not enabled.

@edward-02020
Author

I tried to recompile ModSecurity and confirmed configure with yajl.

ModSecurity - v3.0.0-rc1-19-ge09304a for Linux
 
 Mandatory dependencies
   + libInjection                                  ....v3.0.0-rc1-19-ge09304a
   + SecLang tests                                 ....e09304a
 
 Optional dependencies
   + GeoIP                                         ....found 
      /usr/lib64//libGeoIP.so, /usr/include
   + LibCURL                                       ....found v7.46.0
      -L/opt/curl/lib -lcurl, -I/opt/curl/include -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found 
      -lyajl, -DWITH_YAJL -I/usr/local/include
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.7.6
      -lxml2 -lz -lm, -I/usr/include/libxml2 -DWITH_LIBXML2
 
 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled

And the problem remains.
What should I do?

@edward-02020
Author

By the way, what should I use to send logs to waf-fle with ModSecurity v3?

@intelbg

intelbg commented Oct 11, 2017

@nobodysz you can set the debug level to 9 and see if there is an error message for saving to audit_log. Check also the permissions of this directory. You can make its user and group like nobody:nobody (the user of nginx) - this solved the problem for me.

@edward-02020
Author

@intelbg I'm sure the log's directory has enough permission, but the problem remains~

@zimmerle
Contributor

Hi @nobodysz,

Within the latest version in GitHub you should not get an empty file. The file is either not saved or saved with some content. The content however, may be "JSON is not supported".

I see that you are running 304a, please try to upgrade the code to at least: 3036462 better if you can have the most recent version.
