Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ModSec Audit logs in JSON format - not JSON? #3310

Open
paul-hammant opened this issue Dec 3, 2024 · 2 comments
Open

ModSec Audit logs in JSON format - not JSON? #3310

paul-hammant opened this issue Dec 3, 2024 · 2 comments
Labels
3.x Related to ModSecurity version 3.x

Comments

@paul-hammant
Copy link

Describe the bug

I'm running ModSec as a library for testing purposes (with GoTestWAF, but that's not important I don't think). It is printing JSON audit files (one per request) to the file system. Field time_stamp looks corrupted though as I gaze and the files with JSON that won't parse cos "time_stamp": "\u0014\u00108....\u0006" is choking subsequent parsers (like the one in browsers).

Source code question

In src/transaction.cc, should c_str() be called twice?

    std::string ts = utils::string::ascTime(&m_timeStamp).c_str();

    .. snip .. 

    LOGFY_ADD("time_stamp", ts.c_str());
@paul-hammant paul-hammant added the 3.x Related to ModSecurity version 3.x label Dec 3, 2024
@airween
Copy link
Member

airween commented Dec 3, 2024

Hi @paul-hammant,

could you show your relevant configuration? I've never faced any issue like this - and I think the regression test framework covers all scenario (haven't checked this specific one), so I would wonder if this is a new issue (if it is). But with a config snippet I try to check that.

@paul-hammant
Copy link
Author

I'm using ModSec.so from Java in a corporate setting. GoTestWAF is scoring it quite highly, but in analysing the audit logs I see this unparsable JSON. I don't have a need to have machine-processable JSON logs, so it'll never become an issue for me. I would've assumed that it was encoded as UTF-8 as almost everything is these days. It's not though. If I need to in the short term I can swap the file's epoch time for the sequence by bytes in between " and ".

Another day I'll try to make the local change and see if it works. I'll report back then.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3.x Related to ModSecurity version 3.x
Projects
None yet
Development

No branches or pull requests

2 participants