[Owasp-modsecurity-core-rule-set] No rule-id in audit/error log with Nginx und MS3/CRS3

Muenz, Michael mase at partycrew-united.de
Fri Nov 25 10:21:04 UTC 2016


Am 24.11.2016 um 17:37 schrieb Christian Folini:
> On Thu, Nov 24, 2016 at 05:02:43PM +0100, Muenz, Michael wrote:
>> SecAuditLogParts ABIJDEFHZ
> It's a little known detail that Audit Log Parts need to be set
> in alphabetic order. But I do not think this is the problem here.
>
> For me, this sounds like a ModSec/NginX bug - unless you have some other
> base config which tweaks the audit log in the said fashion. But I
> do not see how you could.
>
> So to me, this is not a CRS problem, but a ModSec on NginX problem.
>

LogParts is the default from modsecurity.conf.
Yesterday Nginx updated their guide for the current version, now 
everything gets logged.
It's a bug/change in the MS-Nginx connector where everything is logged 
with info severity.

Thanks,
Michael


More information about the Owasp-modsecurity-core-rule-set mailing list