SecAuditLog in a containerised kubernetes environment

16 views
Skip to first unread message

Kirk Jackson

unread,
Jul 27, 2021, 8:41:36 PM7/27/21
to modsecurity-core...@owasp.org
Hi,

I was wondering if anyone is able to share their approach for logging audit logs in a containerised environment?

I see we should use "SecAuditLogType Concurrent" if we are expecting lots of logs, to avoid contention on a single log file.

How are other people handling this in a containerised environment? Are you writing to local storage on the container using concurrent mode, and then shipping the log files off to somewhere less ephemeral? What tooling do you use?

References:



Currently using ModSecurity 3.0.4 on nginx-1.21.0 with CRS 3.3.2

Thanks,

Kirk

Manuel Spartan

unread,
Nov 3, 2021, 7:04:59 PM11/3/21
to ModSecurity Core Rule Set project, Kirk Jackson
Hi Kirk, there are several options the Kubernetes documentation has a section about logging architecture https://kubernetes.io/docs/concepts/cluster-administration/logging/#cluster-level-logging-architectures you can use one of the options listed, there are lots of different options out there like using daemon sets then stream to your central log collector, also different vendors have alternative solutions to help with logging. 

Regards,
Manuel
Reply all
Reply to author
Forward
0 new messages