
Add custom leading text to audit log lines #3432


Merged
merged 6 commits into from
Aug 13, 2025
40 changes: 21 additions & 19 deletions headers/modsecurity/audit_log.h
Expand Up @@ -153,17 +153,18 @@ class AuditLog {
bool setStorageDirMode(int permission);
bool setFileMode(int permission);
bool setStatus(AuditLogStatus new_status);
bool setRelevantStatus(const std::basic_string<char>& new_relevant_status);
bool setFilePath1(const std::basic_string<char>& path);
bool setFilePath2(const std::basic_string<char>& path);
bool setStorageDir(const std::basic_string<char>& path);
bool setRelevantStatus(std::string_view new_relevant_status);
bool setFilePath1(std::string_view path);
bool setFilePath2(std::string_view path);
bool setStorageDir(std::string_view path);
bool setPrefix(std::string_view prefix);
bool setFormat(AuditLogFormat fmt);

int getDirectoryPermission() const;
int getFilePermission() const;
int getParts() const;

bool setParts(const std::basic_string<char>& new_parts);
bool setParts(std::string_view new_parts);
bool setType(AuditLogType audit_type);

bool init(std::string *error);
Expand All @@ -173,40 +174,41 @@ class AuditLog {
bool saveIfRelevant(Transaction *transaction, int parts);
bool isRelevant(int status);

static int addParts(int parts, const std::string& new_parts);
static int removeParts(int parts, const std::string& new_parts);
static int addParts(int parts, std::string_view new_parts);
static int removeParts(int parts, std::string_view new_parts);

void setCtlAuditEngineActive() {
m_ctlAuditEngineActive = true;
}

bool merge(AuditLog *from, std::string *error);

std::string m_path1;
std::string m_path2;
std::string m_storage_dir;
std::string m_path1 = std::string("");
std::string m_path2 = std::string("");
std::string m_storage_dir = std::string("");
std::string m_prefix = std::string("");

AuditLogFormat m_format;
AuditLogFormat m_format = NotSetAuditLogFormat;

protected:
int m_parts;
int m_parts = -1;
int m_defaultParts = AAuditLogPart | BAuditLogPart | CAuditLogPart
| FAuditLogPart | HAuditLogPart | ZAuditLogPart;

int m_filePermission;
int m_filePermission = -1;
int m_defaultFilePermission = 0640;

int m_directoryPermission;
int m_directoryPermission = -1;
int m_defaultDirectoryPermission = 0750;

private:
AuditLogStatus m_status;
AuditLogStatus m_status = NotSetLogStatus;

AuditLogType m_type;
std::string m_relevant;
AuditLogType m_type = NotSetAuditLogType;
std::string m_relevant = std::string("");

audit_log::writer::Writer *m_writer;
bool m_ctlAuditEngineActive; // rules have at least one action On or RelevantOnly
audit_log::writer::Writer *m_writer = nullptr;
bool m_ctlAuditEngineActive = false; // rules have at least one action On or RelevantOnly
};


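Review bot: The setters in this public header (`setRelevantStatus`, `setFilePath1`, `setFilePath2`, `setStorageDir`, `setParts`, and the static `addParts`/`removeParts`) now take `std::string_view`, and `m_prefix` is inserted between existing public data members, so both the exported symbols and the layout of `AuditLog` change for anything compiled against the old header. If the library ships as a shared object, this warrants a changelog entry and a soname or version bump; none is visible in the sections shown. The include block lies outside the visible hunks, so it is worth confirming that `#include <string_view>` is added here rather than arriving transitively. The new member also has no comment; something like `// Leading text handed to Transaction::toOldAuditLogFormat() by the writers.` above `m_prefix` would say what it is for.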
2 changes: 1 addition & 1 deletion headers/modsecurity/transaction.h
Expand Up @@ -411,7 +411,7 @@ class Transaction : public TransactionAnchoredVariables, public TransactionSecMa
int getRuleEngineState() const;

std::string toJSON(int parts);
std::string toOldAuditLogFormat(int parts, const std::string &trailer);
std::string toOldAuditLogFormat(int parts, const std::string &trailer, const std::string &header);
std::string toOldAuditLogFormatIndex(const std::string &filename,
double size, const std::string &md5);

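Review bot: `toOldAuditLogFormat` is declared in a public header and now requires a third argument, so any caller outside this repository that still passes `(parts, trailer)` stops compiling. Keeping the two-argument form as a forwarding overload, `std::string toOldAuditLogFormat(int parts, const std::string &trailer) { return toOldAuditLogFormat(parts, trailer, ""); }`, would let existing callers build unchanged. The definition of the three-argument form is not among the file sections shown, so where `header` lands relative to the part boundaries cannot be checked here. A declaration comment stating that placement would help.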
45 changes: 20 additions & 25 deletions src/audit_log/audit_log.cc
Expand Up @@ -51,25 +51,13 @@ namespace modsecurity {
namespace audit_log {


AuditLog::AuditLog()
: m_path1(""),
m_path2(""),
m_storage_dir(""),
m_format(NotSetAuditLogFormat),
m_parts(-1),
m_filePermission(-1),
m_directoryPermission(-1),
m_status(NotSetLogStatus),
m_type(NotSetAuditLogType),
m_relevant(""),
m_writer(NULL),
m_ctlAuditEngineActive(false) { }
AuditLog::AuditLog() = default;


AuditLog::~AuditLog() {
if (m_writer) {
delete m_writer;
m_writer = NULL;
m_writer = nullptr;
}
}

Expand Down Expand Up @@ -108,35 +96,42 @@ bool AuditLog::setStatus(AuditLogStatus status) {
}


bool AuditLog::setRelevantStatus(const std::basic_string<char>& status) {
bool AuditLog::setRelevantStatus(std::string_view status) {
this->m_relevant = std::string(status);
return true;
}


bool AuditLog::setStorageDir(const std::basic_string<char>& path) {
bool AuditLog::setStorageDir(std::string_view path) {
this->m_storage_dir = path;
return true;
}


bool AuditLog::setFilePath1(const std::basic_string<char>& path) {
bool AuditLog::setFilePath1(std::string_view path) {
this->m_path1 = path;
return true;
}


bool AuditLog::setFilePath2(const std::basic_string<char>& path) {
bool AuditLog::setFilePath2(std::string_view path) {
this->m_path2 = path;
return true;
}


bool AuditLog::setPrefix(std::string_view prefix) {
this->m_prefix = prefix;
return true;
}


bool AuditLog::setFormat(AuditLogFormat fmt) {
this->m_format = fmt;
return true;
}

int AuditLog::addParts(int parts, const std::string& new_parts) {
int AuditLog::addParts(int parts, std::string_view new_parts) {
PARTS_CONSTAINS('A', AAuditLogPart)
PARTS_CONSTAINS('B', BAuditLogPart)
PARTS_CONSTAINS('C', CAuditLogPart)
Expand All @@ -154,7 +149,7 @@ int AuditLog::addParts(int parts, const std::string& new_parts) {
}


int AuditLog::removeParts(int parts, const std::string& new_parts) {
int AuditLog::removeParts(int parts, std::string_view new_parts) {
PARTS_CONSTAINS_REM('A', AAuditLogPart)
PARTS_CONSTAINS_REM('B', BAuditLogPart)
PARTS_CONSTAINS_REM('C', CAuditLogPart)
Expand All @@ -172,7 +167,7 @@ int AuditLog::removeParts(int parts, const std::string& new_parts) {
}


bool AuditLog::setParts(const std::basic_string<char>& new_parts) {
bool AuditLog::setParts(std::string_view new_parts) {
int parts = 0;

PARTS_CONSTAINS('A', AAuditLogPart)
Expand Down Expand Up @@ -208,15 +203,14 @@ bool AuditLog::setType(AuditLogType audit_type) {
}



bool AuditLog::init(std::string *error) {
audit_log::writer::Writer *tmp_writer;

if ((m_status == OffAuditLogStatus || m_status == NotSetLogStatus)
&& !m_ctlAuditEngineActive) {
if (m_writer) {
delete m_writer;
m_writer = NULL;
m_writer = nullptr;
}
return true;
}
Expand All @@ -234,7 +228,7 @@ bool AuditLog::init(std::string *error) {
tmp_writer = new audit_log::writer::Serial(this);
}

if (tmp_writer == NULL) {
if (tmp_writer == nullptr) {
error->assign("Writer memory alloc failed!");
return false;
}
Expand Down Expand Up @@ -312,7 +306,7 @@ bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
}
ms_dbg_a(transaction, 5, "Saving this request as part " \
"of the audit logs.");
if (m_writer == NULL) {
if (m_writer == nullptr) {
ms_dbg_a(transaction, 1, "Internal error, audit log writer is null");
} else {
std::string error;
Expand All @@ -337,6 +331,7 @@ bool AuditLog::merge(AuditLog *from, std::string *error) {
AL_MERGE_STRING_CONF(from->m_path2, m_path2);
AL_MERGE_STRING_CONF(from->m_storage_dir, m_storage_dir);
AL_MERGE_STRING_CONF(from->m_relevant, m_relevant);
AL_MERGE_STRING_CONF(from->m_prefix, m_prefix);

if (from->m_filePermission != -1) {
m_filePermission = from->m_filePermission;
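Review bot: `setPrefix` stores its argument unchecked and always returns true, and both writers later pass `m_prefix` straight into `toOldAuditLogFormat`. The native audit log is framed by boundary lines (the `"-" + boundary + "--"` trailer in the writers), and tools that parse it depend on that framing, so a prefix containing a line break would presumably split or misalign records. The value presumably comes from a configuration directive, but a stray escape or paste error is enough. Rejecting such input at the setter keeps the file parseable: add `if (prefix.find_first_of("\r\n") != std::string_view::npos) { return false; }` before the assignment. The caller of `setPrefix` is outside the sections shown and would need to surface the `false` as a configuration error.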
2 changes: 1 addition & 1 deletion src/audit_log/writer/parallel.cc
Expand Up @@ -119,7 +119,7 @@ bool Parallel::write(Transaction *transaction, int parts, std::string *error) {
} else {
std::string boundary;
generateBoundary(&boundary);
log = transaction->toOldAuditLogFormat(parts, "-" + boundary + "--");
log = transaction->toOldAuditLogFormat(parts, "-" + boundary + "--", m_audit->m_prefix);
}

const auto &logPath = m_audit->m_storage_dir;
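Review bot: The prefix is passed only on this `else` path; the branch above it, which starts outside the hunk and presumably builds the JSON form, never sees `m_audit->m_prefix`. The same holds for the identical change in src/audit_log/writer/serial.cc. An operator who sets a prefix and selects the other format would get unprefixed output with no warning, which matters if downstream log routing or correlation keys on that text. Either document the restriction next to the call, e.g. `// m_prefix applies to the native format only`, or report the unsupported combination when the configuration is loaded.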
2 changes: 1 addition & 1 deletion src/audit_log/writer/serial.cc
Expand Up @@ -42,7 +42,7 @@ bool Serial::write(Transaction *transaction, int parts, std::string *error) {
} else {
std::string boundary;
generateBoundary(&boundary);
msg = transaction->toOldAuditLogFormat(parts, "-" + boundary + "--");
msg = transaction->toOldAuditLogFormat(parts, "-" + boundary + "--", m_audit->m_prefix);
}

return utils::SharedFiles::getInstance().write(m_audit->m_path1, msg,