Adjust nginx log level according to modsecurity severity level #243
Conversation
Without this patch, whatever severity level in modsecurity message, it appears as 'error' in nginx error.log file. This patch modifies this behavior. When a severity level is present, it is used as nginx log level else 'error' nginx log level is used.
|
Hello @qix67 , There are a few open issues with a somewhat similar goal (by which I mean providing additional control over the log level of lines written to error.log). In general I'm at least somewhat hesitant to equate ModSecurity's rule 'severity' with the log level in a web server's error.log file. (See owasp-modsecurity/ModSecurity#2748 (comment) for some reasoning.) Moreover, if we did decide to do something along those lines, I think it would be preferable to implement it through a specific variable, rather than parsing log lines. Parsing log line content has a chance of not producing the intended results. I haven't tried the proposed code here, but, for example, what if the 11-character string '[severity "' were to appear somewhere else in the rule output? Perhaps the admin, for obscure reasons included text like that in the rule's "msg" action? |
Without this patch, whatever severity level in modsecurity message, it
appears as 'error' in nginx error.log file.
This patch modifies this behavior. When a severity level is present, it
is used as nginx log level else 'error' nginx log level is used.