Empty auditlogs with v3/master #1406
Comments
Hi @mhalden, do you happen to notice any relevant information in the debug logs? What is the latest commit in your tree?
We have tested the commit 6421ff0. The only relevant thing we can see in the debug logs is that it was supposed to write some data to the audit log, although that did not actually happen.
If set to actually block traffic, the nginx error log contains the information we would expect. However, while the audit log index file points to an audit log file, that audit log file remains empty. We haven't looked at the debug log with a fine-toothed comb yet, but haven't seen anything unexpected. Up to level 3 it remains empty, from level 4 and up it is very verbose. Also, telling the audit log to log everything or only relevant items makes no difference.
Any further ideas here? Anything we can do to help debug the issue? After #1411 seems to have been solved, this one is keeping us from moving forward.
@mhalden are you compiling ModSecurity with JSON (yajl) support, or without it?
We're compiling with yajl, yes - I believe this is the default.
Do you happen to have the files for the parallel logging without any content, or not even the files?
We have the files but they are empty.
Do you mind testing the version on the branch v3/dev/issue_1406? You should be able to see the audit logs on your default stdout.
It actually outputs
Looking at the log from the port build, I see that yajl was not found for some reason even though it was given as a dependency.
Interesting. Can you share the config.log on gist? Btw, for that specific case, I will put a warning in the debug logs saying that JSON is disabled.
These were logs from poudriere, which we use to build packages, so I don't think they will be very interesting for you. The snippet posted earlier by me was from the test environment where I build the "port" used by poudriere to make packages. Turns out the problem was that I didn't explicitly pull in pkg-config, so configure didn't find yajl even though it was available in the build environment. This was not an issue in the test environment, as something else pulled in pkg-config for me. We now have content in the audit logs. A warning in the debug log would be great; that would have saved us a lot of trouble. Thank you for your help.
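Added example, not part of the thread and not ModSecurity project code: a build-pipeline check for the failure mode resolved above, telling "pkg-config is missing" apart from "yajl is not registered with pkg-config", and listing zero-byte audit log files after a smoke test. The pkg-config module name `yajl`, the function names and the default audit directory are assumptions.

```shell
#!/bin/sh
# Added example; function names and AUDIT_DIR default are assumptions.

# yajl_visible: can a configure script locate yajl through pkg-config?
#   0 = yes
#   1 = pkg-config itself is not on PATH (the root cause in this thread)
#   2 = pkg-config runs but finds no yajl module
yajl_visible() {
    command -v pkg-config >/dev/null 2>&1 || return 1
    pkg-config --exists yajl || return 2
    return 0
}

# empty_audit_files DIR: print every zero-byte regular file under DIR.
# In concurrent logging mode the index can reference files that exist
# but were never filled, so emptiness is checked per file.
empty_audit_files() {
    find "$1" -type f -size 0 | sort
}

# Run as: script --check [AUDIT_DIR]
if [ "${1:-}" = "--check" ]; then
    AUDIT_DIR=${2:-/var/log/modsec_audit}   # assumed location
    rc=0
    yajl_visible || rc=$?
    case $rc in
        1) echo "pkg-config not on PATH: configure cannot detect yajl" >&2 ;;
        2) echo "pkg-config present, but no yajl module found" >&2 ;;
    esac
    empties=$(empty_audit_files "$AUDIT_DIR")
    if [ -n "$empties" ]; then
        echo "empty audit log files:" >&2
        echo "$empties" >&2
        rc=3
    fi
    exit "$rc"
fi
```

Run the first check in the package build environment before configure, and the second after sending a request that should be logged.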
We are trying to use modsecurity v3 with nginx 1.12.0 on FreeBSD 10.3. When using serial logging we get no logs at all and with concurrent logging the index file is written, but the actual audit logs are empty.