
I’m using Modsecurity v3.0.3 with the blocking module and I need to get my auditlog.

Also, because I need it, I have to use some custom error pages.

Unfortunately, I have my logs, but I’m losing my auditlog.
I tried some forums’ help, but it didn’t work for me.

One of the forums: https://github.com/SpiderLabs/ModSecurity-nginx/issues/76

Here is the location configuration of my nginx

Any help or starting point would be appreciated, thanks!

2 Answers


  1. Could you elaborate on "losing my auditlog"? This sounds as if you would see it for a moment, but then it disappears.

    Also, you link to a very old ModSec issue that has been fixed and released in the meantime. Where is the connection?

  2. I had the same problem with ModSecurity 3.3.2 + nginx and custom errors, so leaving this here in case other people run into the same issue as it took me a while to find a solution.

    The issue in my case was that I had the custom error in nginx return the message directly in the error location block, so something like:

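    # error_page target must match the named location below
    error_page 400 @error_400;
    location @error_400 {
      types {}
      default_type application/json;
      # body is returned inline from the error location
      return 400 '{"message: WHATEVER ERROR"}';
    }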
    

    So the solution in my case was to put that exact JSON message in a file and reference that file instead, so the above becomes:

    error_page 400 /400.json;
    location = /400.json {
      types {}
      default_type application/json;
      root /usr/share/nginx/html/custom_errors/;
    }
    

    And in that root path I put the 400.json file with that exact error message:

    cat /usr/share/nginx/html/custom_errors/400.json
    
    {"message: WHATEVER ERROR"}
    

    This brought back the SecAudit Logs from ModSecurity. Hope this helps someone.

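A quick way to audit a configuration for the pattern the second answer describes, as an added example that is not part of the original answers: the script lists every `error_page` whose target location answers with an inline `return` instead of serving a file. The sample configuration and the function names are constructed for illustration, and the scan is a simple text match, not a full nginx parser.

```python
import re

# Constructed sample config (not from the original post): one error page
# answered inline with `return`, one served from a static file.
SAMPLE_CONF = """
server {
    modsecurity on;
    error_page 400 @error_400;
    error_page 403 /403.json;
    location @error_400 {
        default_type application/json;
        return 400 '{"message": "bad request"}';
    }
    location = /403.json {
        default_type application/json;
        root /usr/share/nginx/html/custom_errors/;
    }
}
"""

def block_body(conf, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")

def find_inline_error_pages(conf):
    """Return (codes, target) for each error_page whose location uses `return`."""
    # Blank out quoted strings so braces inside response bodies are not counted.
    conf = re.sub(r"'[^']*'|\"[^\"]*\"", "''", conf)
    findings = []
    for m in re.finditer(r"^\s*error_page\s+([^;]+?)\s+(\S+)\s*;", conf, re.M):
        codes, target = m.group(1), m.group(2)
        loc = re.search(r"^\s*location\s+(?:=\s*)?" + re.escape(target) + r"\s*\{",
                        conf, re.M)
        if loc is None:
            continue  # target is not a location defined in this text
        if re.search(r"^\s*return\s", block_body(conf, loc.end() - 1), re.M):
            findings.append((codes, target))
    return findings

if __name__ == "__main__":
    print(find_inline_error_pages(SAMPLE_CONF))
```
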