add SecAuditLogType HTTPS for retrocompatibility with Modsecurity

[amsnek]

Summary

Modsecurity (2.x/3.x) currently has the Option to write audit logs directly via via Network (http/https) in JSON format. This can be usefull to directly ship to a logging endpoint and skip the need for (local) file based writes.

Basic example

SecAuditLogFormat JSON
SecAuditLogType HTTPS
SecAuditLog http://<ip>:<port>

Documentation: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)#user-content-SecAuditLogType

Motivation

Since Coraza WAF aims to be a "drop in Replacement" I would suggest this feature to be added as well if possible.
This Subject was initially discussed here: #813

[jcchavezs]

Thanks for opening this issue. There is a PR that started this work #826

[jptosso]

HTTPS audit log is now implemented and will be available in the v3.0.3 release #826

[jcchavezs]

Please do try it and let us know so we proceed with the release.

…

On Tue, 11 Jul 2023, 03:22 Juan Pablo Tosso, ***@***.***> wrote: HTTPS audit log is now implemented and will be available in the v3.0.3 release — Reply to this email directly, view it on GitHub <#829 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAXOYAWE74A2O5EGXWUOKRDXPSTFPANCNFSM6AAAAAAZYBB2U4> . You are receiving this because you commented.Message ID: ***@***.***>

[amsnek]

Most Awesome! Will try this as soon as possible but am currently stuck with some tasks. It may take a while/week or like for me to dig into this. Will report back as soon as possible!

[jcchavezs]

Awesome. We will hold the release until you could test it out.

…

On Tue, 11 Jul 2023, 08:06 amsnek, ***@***.***> wrote: Most Awesome! Will try this as soon as possible but am currently stuck with some tasks. It may take a while/week or like for me to dig into this. Will report back as soon as possible! — Reply to this email directly, view it on GitHub <#829 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAXOYAXWLEE4Y7HJRR5L3PDXPTUORANCNFSM6AAAAAAZYBB2U4> . You are receiving this because you commented.Message ID: ***@***.***>

[amsnek]

I just realised that I entirely forgot (also to mention) that I only used the haproxy / coraza-spoa plugin so far-> I somehow assumed that this is somewhat analogous (or maybe it is and I am not checking out the correct/latest for coraza-spoa, though I tried all branches). 🙈

coraza-spoa currently complains:
{
"level": "error",
"ts": 1689346036.85105,
"msg": "unable to create waf instance",
"app": "httpslog_test",
"error": "invalid WAF config from string: failed to parse string: failed to compile the directive "secauditlogtype": invalid logger "HTTPS""
}
panic: invalid WAF config from string: failed to parse string: failed to compile the directive "secauditlogtype": invalid logger "HTTPS"

will try and setup my testing Scenario with corazawaf itself. Or is there a way I could do this with spoa already? sorry for the confusion, its been a while I last touched coraza.

[jptosso]

Hey! Coraza v3.0.3 will provide https logs supports. It's already available, we are just waiting to create the tag. If you want to test it you can import the latest commit of coraza waf

[jcchavezs]

@jptosso could you please create a branch so @amsnek can try out. also dont forget to include the change of the content type before cutting 3.0.3

[jptosso]

This feature is already released. @amsnek your feedback would be appreciated.

[amsnek]

Hello, will do. Last i tried ~1 week (when trying latest commit/release) ago I still had the error that is an invalid logger.

[jptosso]

Please make sure you are using coraza v3.0.3

[amsnek]

Hello,

I am using the latest coraza-spoa (https://github.com/corazawaf/coraza-spoa.git) but the error remains:

./coraza-spoa_amd64 -config config.yaml
Loading 1 applications
panic: invalid WAF config from string: failed to parse string: failed to compile the directive "secauditlogtype": invalid logger "https"

goroutine 1 [running]:
main.main()
        /git/coraza-spoa/cmd/coraza-spoa/main.go:24 +0x109

-> can I not test this with coraza-spoa?
as stated in: #829 (comment)

[jcchavezs]

Not sure coraza-spoa is up to date to it. Could you please verify it with go mod?

[amsnek]

yeah, but not sure howto test it properly in my setup with "go mod", didnt use that yet.
-> but will do so but will take some time to look into that.

[jptosso]

This PR contains the HTTPS feature: corazawaf/coraza-spoa#84 please make sure to use coraza-spoa@a5e0f31

[amsnek]

can confirm, that works! 👍
lots of (important) fields are empty (uri, version, method etc) in json format but that its independent from "secauditlogtype"
much awesome, thanks!

-> will close the issue

[jptosso]

Great. Make sure you are using all log parts

[amsnek]

yeah, i am using the same as on my modsecurity counterpart:
SecAuditLogParts ABIJDEFHZ
-> but either I am doing something wrong, or lots of fields are empty
I made a feature request and more detailed description for this in:
#856

-> which was just updated 👍

[github-actions]

This issue has been open 30 days waiting for feedback. Remove the stale label or comment, or this will be closed in 14 days.

[amsnek]

closing again -> SecAuditLogType HTTPS works as intended.

Thanks!

[jcchavezs]

Awesome!

…

On Thu, 21 Sept 2023, 08:02 amsnek, ***@***.***> wrote: closing again -> SecAuditLogType HTTPS works as intended. Thanks! — Reply to this email directly, view it on GitHub <#829 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAXOYASGG4ZOIICIU7XC72TX3PJ73ANCNFSM6AAAAAAZYBB2U4> . You are receiving this because you commented.Message ID: ***@***.***>