SecAuditLog in a containerised kubernetes environment

20 views

Skip to first unread message

Kirk Jackson

unread,

Jul 27, 2021, 8:41:36 PM7/27/21

to modsecurity-core...@owasp.org

Hi,

I was wondering if anyone is able to share their approach for logging audit logs in a containerised environment?

I see we should use "SecAuditLogType Concurrent" if we are expecting lots of logs, to avoid contention on a single log file.

How are other people handling this in a containerised environment? Are you writing to local storage on the container using concurrent mode, and then shipping the log files off to somewhere less ephemeral? What tooling do you use?

References:

https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/#step_5_creating_the_base_configuration - the SecAuditLog section

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogtype

Currently using ModSecurity 3.0.4 on nginx-1.21.0 with CRS 3.3.2

Thanks,

Kirk

Manuel Spartan

unread,

Nov 3, 2021, 7:04:59 PM11/3/21

to ModSecurity Core Rule Set project, Kirk Jackson

Hi Kirk, there are several options the Kubernetes documentation has a section about logging architecture https://kubernetes.io/docs/concepts/cluster-administration/logging/#cluster-level-logging-architectures you can use one of the options listed, there are lots of different options out there like using daemon sets then stream to your central log collector, also different vendors have alternative solutions to help with logging.

Regards,

Manuel

Reply all

Reply to author

Forward

0 new messages