How to make a Lua script or nginx plugin send modsec-audit.log to Redis, not a file transformer
xx-zhang opened this issue · 6 comments
xx-zhang commented
How to make a Lua script or nginx plugin send modsec-audit.log to Redis, not a file transformer.
Transform the modsec-audit log when the log is produced, and send it directly to a Redis pipeline, not to a file.
One2r commented
You can use:
SecAuditLogType HTTPS
SecAuditLog http://xxx.xxx.xxx.xxx:port
xx-zhang commented
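@One2r Are you sure this works? Is there any detailed documentation? I would still prefer to see whether I can send it with Lua, which is how my nginx access_log is handled, but no matter how I configure it I cannot get the ngx.var.modsec*
variables; mainly, I cannot get the message.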
One2r commented
It works. The audit log is sent to an HTTP endpoint, and once you parse it you can do whatever you want with it.
xx-zhang commented
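> It works. The audit log is sent to an HTTP endpoint, and once you parse it you can do whatever you want with it.
@One2r No way, I configured it and nothing happens at all. sender_log corresponds to the POST request. Nothing got through.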
modsecurity308 - nginx1.24.0 - modsecurity-nginx103
SecRuleEngine on
SecRequestBodyAccess on
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000
SecResponseBodyAccess on
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 1048576
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /tmp/
SecDataDir /tmp/
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCIJDEFHZ
#SecAuditLogParts ABCIFHZ
#SecAuditLogType Serial
#SecAuditLogFormat JSON
SecAuditLogType HTTPS
SecAuditLog http://127.0.0.1:7788/sender_log
#SecAuditLog var/logs/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecUnicodeMapFile unicode.mapping 20127
SecStatusEngine On
One2r commented
Check whether all the required dependency libraries are installed, libcurl, libyajl and so on. You can turn on debug and look at the log.
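A minimal receiver for the `http://127.0.0.1:7788/sender_log` endpoint from the configuration above, which forwards each posted audit record to a Redis list. This is an added example, not code from the thread or from the ModSecurity project. It assumes the audit record arrives as the POST body and that Redis listens on 127.0.0.1:6379; the list name `modsec:audit` is hypothetical.

```python
import json
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

REDIS_ADDR = ("127.0.0.1", 6379)   # assumption: local Redis without auth
REDIS_KEY = "modsec:audit"         # hypothetical list name
MAX_BODY = 1 << 20                 # refuse bodies larger than 1 MiB

def resp_command(*args):
    """Encode a Redis command as a RESP array of bulk strings."""
    out = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a if isinstance(a, bytes) else str(a).encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)

def normalize(body):
    """Return compact JSON if the body is JSON, else wrap the raw text."""
    try:
        doc = json.loads(body)
    except ValueError:  # not JSON (native audit format) or bad UTF-8
        doc = {"raw": body.decode("utf-8", "replace")}
    return json.dumps(doc, separators=(",", ":")).encode()

def push(record):
    """RPUSH one record; Redis answers with an integer reply (':<len>')."""
    with socket.create_connection(REDIS_ADDR, timeout=2) as s:
        s.sendall(resp_command("RPUSH", REDIS_KEY, record))
        reply = s.recv(64)
        if not reply.startswith(b":"):
            raise RuntimeError("unexpected Redis reply: %r" % reply)

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        n = int(self.headers.get("Content-Length") or 0)
        if self.path != "/sender_log" or not 0 < n <= MAX_BODY:
            self.send_error(400)
            return
        try:
            push(normalize(self.rfile.read(n)))
            self.send_response(200)
        except (OSError, RuntimeError):
            self.send_response(503)  # Redis unreachable or refused the push
        self.end_headers()

if __name__ == "__main__":
    # Loopback only: the audit log carries request and response bodies.
    HTTPServer(("127.0.0.1", 7788), Handler).serve_forever()
```

If no POST reaches this listener while blocked requests are being generated, the problem is on the ModSecurity side (build dependencies or audit settings) rather than in the receiver.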