New application logging (zerolog) & error handling

[zc-devs]

Closes #70

• Using zerolog for application logging
• Introduced application error responses: variables err_code and err_msg - SPOA errors
• error used for SPOE/SPOP errors

[zc-devs]

Now processing error returns immediately as SPOA error instead of SPOE/SPOP timeout error.

log.txt

[jcchavezs]

I don't think we should provide two ways to do login in a connector. Can we stick to tx's logger?

[zc-devs]

No, we need application (coraza-spoa) logging. We need to log all initialization stuff as well as request/response before transaction is created.

[jcchavezs]

I'd prefer we get the platform logging and plug into an implementation coraza can use. For example we use the zap logger created by caddy and plug into coraza https://github.com/corazawaf/coraza-caddy/blob/main/coraza.go#L54

[zc-devs]

TBH, I had tried it before pushed the PR. It doesn't suit well.

[jcchavezs]

Thanks for raising this PR. I think in general I'd prefer we use the logger provided by the platform (in this case spoe) and inject it into coraza config to use a single/consistent logger. This will also prevent us from deviating on the log destination among connector and coraza itself. See for example what we do in caddy https://github.com/corazawaf/coraza-caddy/blob/main/coraza.go#L54 where we reuse the logger produced by caddy and make it pluggable to coraza's interface hence we reduce the configuration.

[zc-devs]

1. As I said before, we need application logger to log stuff not related to request/response processing (transaction, coraza). Related stuff I log via transaction logger (coraza).
2. It good that Coraza can use external logger, but we can't reach single/consistent logger because of other libraries. At least because of criteo/haproxy-spoe-go now. Moreover, I think we should not.
3. Suppose, we plug coraza-spoa logger into coraza.
   Who (which part) is responsible for configuration?
   If it's coraza-spoa, then SecDebugLog and SecDebugLogLevel would be ignored?
   If it's coraza, then why is coraza-spoa 's log configured by other application/library?
   As I understand, we plug-in only debug logger (which contains errors, I guess). What's about audit log (SecAuditLog)?
4. As I've tried it, I want to distinguish coraza-spoa logs from underlying libraries logs. When I tried, coraza-spoa debug logs were 'lost' in a lot of coraza's logs.
   Ideally, it should be like this. But we have what we have....
   Maybe later I will implement loggers by package/'class'.
5. There are two types of subsystems, I think:

• One is internal which is configured by application and some of subsystem configuration may be exposed via application config itself. Configuration properties may differ from subsystem ones. Example: coraza-spoa - haproxy-spoe-go.
• Another is one, which is configured by its own config, which we (application) just supply to that subsystem. Example: coraza-spoa - coraza .

To sum up, coraza-spoa / coraza / haproxy-spoe-go is the different subsystems. coraza has its own configuration and should be configured through it.

[sts]

• In the current version a configuration error will produce duplicated logs:

{
  "level": "error",
  "error": "invalid WAF config from string: failed to parse string: failed to compile the directive \"secrule\": there is a another rule with id 10102",
  "app": "test",
  "time": "2023-07-29T14:42:14Z",
  "message": "Unable to create WAF instance"
}
{
  "level": "fatal",
  "error": "invalid WAF config from string: failed to parse string: failed to compile the directive \"secrule\": there is a another rule with id 10102",
  "time": "2023-07-29T14:42:14Z",
  "message": "Can't initialize SPOA"
}

How about we just log out the first line and not return in internal/spoa but rather continue?

• While in context of an app, the app name should be included, for requests, the request id should also be included in the log line. Maybe this could be done using a hook in a central place? https://github.com/rs/zerolog#hooks

[sts]

The SPOE is the Haproxy part which talks to the SPOA. So I think this as correct.

[zc-devs]

HAProxy talks about SPOE/SPOP only.

There are txn.coraza.err_code and txn.coraza.err_msg for SPOA errors now.

[zc-devs]

How about we just log out the first line

Fixed.

not return in internal/spoa but rather continue

HAProxy doesn't run if there is error in config, doesn't matter if error is in only one backend and others work. So, I would stick with this behavior.

While in context of an app, the app name should be included

As I sad Maybe later I will implement loggers by package/'class', I would make it in other issue/PR. Both of them introduce new loggers.

for requests, the request id should also be included in the log line

As I use Coraza's DebugLog with Str("transaction_id", tx.ID()) and tx = app.waf.NewTransactionWithID(req.id), seems it's done.

[jcchavezs]

I really don't see the need to have zerolog and logrus in here. Do we need both and also a log package? I would prefer to use coraza logger (embedded in the transaction) and std logger for those cases where it is not possible and from there explore the possibility of retrieving the logger from the WAF object or do a recommendation. The reason is this is the only connector where I see we need to introduce new loggers.