Ingress-nginx: Unable to send modsecurity logs to stdout or different directory

Created on 6 Nov 2020 · 4 Comments · Source: kubernetes/ingress-nginx

Dear community

I'm trying to send modsecurity logs to stdout without success.
Actually I'm using annotations on the Ingress resource like below:

```yaml
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
nginx.ingress.kubernetes.io/modsecurity-snippet: |
  SecRuleEngine On
  SecRequestBodyAccess On
  SecAuditEngine RelevantOnly
  SecAuditLogParts ABIJDEFHZ
  SecAuditLogFormat JSON
  SecAuditLogType Serial
  SecAuditLog /dev/stdout
```

Even with serial logging, transactions are still written to /var/log/modsec_audit.log and /var/log/audit directories.
Ingress controller installed with Helm charts.

NGINX Ingress controller
Release: v0.40.2
Build: fc4ccc5eb0e41be2436a978b01477fc354f31643
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.19.3

/triage support


All 4 comments

@igpix: The label(s) triage/support cannot be applied, because the repository doesn't have them

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Ok, I've figured out the correct setup, or at least what is ok for my needs.
I've used a ConfigMap for the general configuration and annotations only for processing the rules in a specific Ingress resource.
Since we have the ingress configured on a k8s cluster with all monitoring already in place, the ideal setup is to send the audit log to stdout in JSON format.
To manage concurrent logs, a sidecar container can read those files and print them to stdout; moreover, with a cron process we can delete old directories and avoid disk saturation.

Below is the configuration of the nginx ingress.
Hope this helps someone.

Version:
NGINX Ingress controller
Release: v0.40.2
Build: fc4ccc5eb0e41be2436a978b01477fc354f31643
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.19.3

```yaml
# ConfigMap of the ingress-nginx controller: global ModSecurity settings
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller   # assumption: use the controller ConfigMap name of your Helm release
data:
  enable-modsecurity: "true"
  modsecurity-snippet: |
    SecAuditLog /dev/stdout
    SecAuditLogFormat JSON
    SecRuleRemoveById 920350
    Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
---
# Annotation on the specific Ingress resource: turn the rule engine on only there
metadata:
  annotations:
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
```

This setup is working, but all 127.0.0.1 log entries are not nice.
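As an added example (not code from this thread or from ingress-nginx), this is the kind of filter a sidecar or log pipeline can run over the serial JSON audit stream configured above: it parses each line, skips entries that are not ModSecurity transactions, drops the local-probe noise from 127.0.0.1 mentioned in the previous comment, and reduces each hit to the fields a SOC would index. The sample lines are constructed, and the field names (`transaction.client_ip`, `unique_id`, `request.uri`, `response.http_code`, `messages[].details.ruleId`) are assumed to match the libmodsecurity v3 JSON audit format.

```python
import json
from typing import Dict, Iterable, List, Optional

# Constructed sample: three serial audit-log lines in the shape libmodsecurity v3
# writes with "SecAuditLogFormat JSON" (assumed field names, trimmed to what we use).
SAMPLE_LINES = [
    json.dumps({"transaction": {
        "client_ip": "127.0.0.1", "unique_id": "160460000000.000001",
        "request": {"method": "GET", "uri": "/healthz"},
        "response": {"http_code": 200}, "messages": []}}),
    json.dumps({"transaction": {
        "client_ip": "203.0.113.7", "unique_id": "160460000000.000002",
        "request": {"method": "GET", "uri": "/index.php?id=1%27%20OR%201%3D1"},
        "response": {"http_code": 403},
        "messages": [
            {"message": "SQL Injection Attack Detected via libinjection",
             "details": {"ruleId": "942100", "severity": "2"}},
            {"message": "Inbound Anomaly Score Exceeded",
             "details": {"ruleId": "949110", "severity": "2"}}]}}),
    "this line is not json and must be skipped",
]

# Local probe traffic (kubelet/health checks) that shows up as 127.0.0.1 in the log
NOISE_CLIENTS = {"127.0.0.1", "::1"}

def parse_audit_line(line: str) -> Optional[Dict]:
    """Summarise one audit entry; return None for lines that are not a ModSecurity transaction."""
    try:
        tx = json.loads(line)["transaction"]
    except (ValueError, KeyError, TypeError):
        return None
    return {
        "id": tx.get("unique_id"),
        "client_ip": tx.get("client_ip"),
        "method": tx.get("request", {}).get("method"),
        "uri": tx.get("request", {}).get("uri"),
        "status": tx.get("response", {}).get("http_code"),
        "rule_ids": [m.get("details", {}).get("ruleId") for m in tx.get("messages", [])],
    }

def summarize(lines: Iterable[str], drop_noise: bool = True) -> List[Dict]:
    """Parse a stream of audit lines, skipping unparsable ones and (optionally) local probes."""
    out = []
    for line in lines:
        entry = parse_audit_line(line)
        if entry is None or (drop_noise and entry["client_ip"] in NOISE_CLIENTS):
            continue
        out.append(entry)
    return out
```

In a sidecar, feed `sys.stdin` (or the tailed audit file) to `summarize` and print each returned dict as one JSON line so the cluster log collector picks it up.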

@nickvth which log are you talking about? example?
