New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
libmodsecurity3: Request body is not logged #3109
Comments
Argh. Very bad. Can you share your SecAuditLogParts setting? |
@dune73 It's whatever is in modsecurity.conf, I tested this on a very bare test system. |
The recommended rules carry Could you do There used to be a problem with non-alphabetical order of log parts and reference handbook says "I" is not implemented. |
@dune73 that did it, looks like it was just a simple misconfiguration:
|
as I see now the part
|
We may want to change the recommended file for v3. For v2 "I" is usually better if I'm not mistaken. But if it's not implemented in v3, then that's making things complicated. |
@airween Yes it works, I can see the request body now. the solution just feels too simple. |
Is there any reason why this isn't enabled, I don't see any reason why it shouldn't from what I've read of the ModSecurity handbook? Should I open a PR for this? |
May be part
None of the default Of course you can send any PR. I don't want to decide about that personally, I would be happy if others would join in and the community would make the decision. (I suggest you to ask this on #project-modsecurity Slack channel - may be....) |
@airween Sorry for the late reply, I was recovering from a cold.
Maybe, but I don't think it will cause a huge increase with the log file sizes. The logs are already pretty big as is and response bodies are already logged.
I remember this being the default for ModSecurity2 (Even though C isn't specified in modsecurity.conf), and after some digging it looks like it was supposed to be logged by default for both engines. According to the docs for both v2 and v3 This is ModSecurity 2 on Apache with out of the box settings including the recommended modsecurity.conf, as you can see the request body is being logged (using the same curl command I used earlier).
|
Describe the bug
libModSecurity3 does not log the request body in the audit log, although the triggered rules, response body and request/response headers are logged.
Logs and dumps
To Reproduce
curl -d "a=<script>" 127.0.0.1
Expected behavior
The request body should be logged just like in ModSecurity2.
Server (please complete the following information):
Rule Set (please complete the following information):
Additional context
N/A
The text was updated successfully, but these errors were encountered: