Open
Description
Hello,
we encountered a problem when parsing nginx error logs. It seems some parts of the log entries are not parsed correctly and always output None, e.g.:
./modsec-log-parser.py --delim ';' --summary="client,matchMessage,file,line,msg,data,hostname,uri" /var/log/nginx/error.log
produces this output (notice the two "None" entries in the front)
None;None;/usr/local/kong/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf";992";Request content type is not allowed by policy";application/ocsp-request";212.1.2.3";/"
The log entries look like this:
2020/06/24 10:03:23 [info] 24979#0: *16025 ModSecurity: Warning. Matched "Operator `Rx' with parameter `^application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss- (26 characters omitted)' against variable `TX:0' (Value: `application/ocsp-request' ) [file "/usr/local/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "992"] [id "920420"] [rev ""] [msg "Request content type is not allowed by policy"] [data "application/ocsp-request"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "10.11.11.11"] [uri "/"] [unique_id "159298580377.868567"] [ref "o0,24v50,24"], client: 10.2.3.4, server: _, request: "POST / HTTP/1.0", host: "ocsp.example.com"
Also it would be nice to be able to print the part with this information: client: 10.2.3.4, server: _, request: "POST / HTTP/1.0", host: "ocsp.example.com from the end of the logfile.
Could you fix it so it prints nginx error logs correctly? Thanks!
Metadata
Metadata
Assignees
Labels
No labels